© 2001 Halvar Flake

Auditing binaries for security vulnerabilities

Speech outline (I)

- Legal considerations concerning reverse engineering
- Introduction to the topic: The different approaches to auditing binaries
- Review of C/C++ programming mistakes
- Spotting these mistakes in the binary
- Demonstration of finding a vulnerability

--- Break ---

Speech outline (II)

- Patching the problem away
- Dealing with run-time-encrypted binaries
- Automated scanning for suspicious constructs: sprintf() and strncpy()
- Automating the process of reconstructing structures
- Extending structure reconstruction to C++ OOP class reconstruction
- Free time to answer questions and discuss the topic

Legal considerations

Technically, the reverse engineer breaks the license agreement between him and the software vendor, as he is forced to accept upon installation that he will not reverse engineer the program. The vendor could theoretically sue the reverse engineer and revoke the license.

Depending on your local law, there are different ways to defend your situation:

Legal considerations (EU)

EU Law: 1991 EC Directive on the Legal Protection of Computer Programs

- Section 6 grants the right to decompilation for interoperability purposes
- Section 5.3 grants the right to decompilation for error correction purposes
- Under EU Law, these rights cannot be contracted away

Legal considerations (USA)

US Law: Final form of DMCA includes exceptions to copyright for:

- Reverse engineering for interoperability
- Encryption research
- Security testing

One should ask his lawyer if these rights can be contracted away.

Approach A: Stress testing

Overly long (or malformed) strings are automatically generated and supplied to the program

Pro's:
- The process is largely automatic
- No specially skilled personnel is needed
- The stress-testing tool is re-usable

Con's:
- The protocol has to be known
- Complex conditions will be missed
- Exception handling will hide problems
- malloc() overwrites will not be found

Approach B: Tracing Input

A reverse engineer reads the program from the point where it receives input on and analyzes the code to find possible weaknesses

Pro's:
- Even very complex conditions are found

Con's:
- Auditor needs to be highly skilled
- Nearly infeasible for large applications
- Very time consuming since one will be reading a lot of irrelevant "tentacles"

Approach C: Finding suspicious constructs and reading backwards

Certain constructs which appear suspicious are detected, and a reverse engineer then manually analyzes the threat they pose

Pro's:
- A lot less time consuming than approach B
- The process of detecting suspicious constructs can be automated
- Fairly complex conditions can be found

Con's:
- Some vulnerabilities will be missed
- Needs highly specialized auditor

Blackhat vs Whitehat auditing

Blackhat:
- Wants the fastest way to find a vulnerability
- Doesn't care if he misses some problems
- Only needs to repeat the process if the vulnerability was fixed

Whitehat:
- Wants security, so he needs to read all code
- Has to repeat the process with every upgrade
- Has to continue after he has found something

The Blackhat is at an advantage here

Tools the auditor needs

IDA Pro by Ilfak Guilfanov
www.datarescue.com

- Can disassemble x86, SPARC, IA64, MIPS and much more ...
- Includes a powerful scripting language
- Can recognize statically linked library calls
- Features a powerful plug-in interface
- Features CPU Module SDK for self-developed CPU modules
- Automatically reconstructs arguments to standard calls via type libraries, allows parsing of C-headers for adding new standard calls & types
- Great technical support
- ... much more ...

C/C++ auditing recap

strcpy() and strcat()

Old news: strcpy() and strcat() copying dynamic data into any kind of fixed-size buffer are always suspicious

sprintf() and vsprintf()

Old news: Since sprintf() can expand an arbitrary string using the `%s` format character, any call to sprintf() or vsprintf() which expands dynamic data into a fixed-size buffer has to be considered suspicious.

The *scanf() function family

As *scanf() parses data of dynamic origin into fixed buffers by using the `%s` format character, any *scanf() call which targets a fixed-size buffer with a `%s` format character is suspicious

The strncpy()-pitfall (I)

While strncpy supports size checking, it does not guarantee NUL-termination of the destination buffer. So in cases where the code includes something like

    strncpy(destbuff, srcbuff, sizeof(destbuff));

problems will arise.

The strncpy()-pitfall (II)

Diagram labels: Source string: data, \x0. Destination string: data with a \x0 somewhere.

After copying the source into a smaller buffer, the destination string is not properly terminated any more.

Any subsequent operations which expect the string to be terminated will work on the data behind our original string as well.

The strncat()-pitfall (I)

As with strncpy(), strncat() supports size checking, but it guarantees the proper termination of the string after the last byte has been written: the terminating NUL is written in addition to the bytes counted by the size argument. If the buffer that is targeted is the first one which was declared in the offending function, it is possible to overwrite the frame pointer and gain control one function layer outwards.

The strncat()-pitfall (II)

Stack diagram labels: Buffer to which we append, saved_EBP, saved_EIP

saved_EBP's lowest byte is set to 0x00

Function epilogue: mov esp, ebp

The strncat()-pitfall (III)

Stack diagram labels: saved_EBP, saved_EIP

Function epilogue: pop ebp

The strncat()-pitfall (IV)

Stack diagram labels: saved_EIP

Function epilogue: ret

The value in EBP (the frame pointer) is now our modified value!

The strncat()-pitfall (V)

Stack diagram labels: User-supplied data, saved_EBP, saved_EIP

Next function epilogue: mov esp, ebp

ESP slides upwards (as its lowest order byte was overwritten) into the user-supplied data. We can now supply a new return address to gain control

Diagram annotations: "ESP should be here ..." and ".. but it lands here ..."

The strncat()-pitfall (VI)

Furthermore, the fact that strncat() has to deal with dynamic values for the len parameter increases the danger of signedness misconceptions:

    strncpy(buff, userdata, sizeof(buff));
    strncat(buff, userdata2, sizeof(buff)-strlen(buff)-1);

- strncpy() line: Fills buff so that strlen(buff) = sizeof(buff)
- strncat() line: len is pushed to -1, which is 0xFFFFFFFF

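Added example, not part of the original slides: the strncpy() termination pitfall and the strncat() length expression from the slides above, reproduced without reading out of bounds and set next to bounded replacements. The helper names (is_terminated, naive_room, copy_bounded, append_bounded) and the sample input are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input, longer than the 8-byte buffers used below. */
static const char LONG_INPUT[] = "AAAAAAAAAAAA";

/* 1 if buf[0..size) contains a NUL, else 0. Never reads past size. */
int is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/* Slide pattern: strncpy(dest, src, sizeof(dest)).
 * Returns 1 when dest is left without a terminator. */
int strncpy_leaves_unterminated(const char *src)
{
    char dest[8];
    strncpy(dest, src, sizeof(dest));
    return !is_terminated(dest, sizeof(dest));
}

/* Slide expression sizeof(buff)-strlen(buff)-1, evaluated in size_t.
 * 'used' stands in for strlen(buff) so nothing is read out of bounds. */
size_t naive_room(size_t bufsize, size_t used)
{
    return bufsize - used - 1;   /* wraps around when used == bufsize */
}

/* Copy that always terminates. Returns 0, or -1 if src had to be cut. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (dstsize == 0)
        return -1;
    if (n >= dstsize) {
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Append that first proves dst is terminated inside its own buffer, so the
 * remaining room cannot wrap. Returns 0, or -1 on refusal or truncation. */
int append_bounded(char *dst, size_t dstsize, const char *src)
{
    const char *end = memchr(dst, '\0', dstsize);
    size_t used, room, n;
    if (end == NULL)
        return -1;                      /* unterminated destination */
    used = (size_t)(end - dst);         /* used <= dstsize - 1 here */
    room = dstsize - used - 1;
    n = strlen(src);
    if (n > room) {
        memcpy(dst + used, src, room);
        dst[dstsize - 1] = '\0';
        return -1;
    }
    memcpy(dst + used, src, n + 1);
    return 0;
}

/* Length of the result after a truncating bounded copy into 8 bytes. */
size_t demo_copy_len(void)
{
    char d[8];
    copy_bounded(d, sizeof(d), LONG_INPUT);
    return strlen(d);
}

/* Result of appending to a buffer that holds no terminator at all. */
int demo_append_unterminated(void)
{
    char d[8];
    memset(d, 'B', sizeof(d));
    return append_bounded(d, sizeof(d), "x");
}

/* Length of the result after "abc" plus an over-long append into 8 bytes. */
size_t demo_append_len(void)
{
    char d[8];
    copy_bounded(d, sizeof(d), "abc");
    append_bounded(d, sizeof(d), LONG_INPUT);
    return strlen(d);
}

int main(void)
{
    printf("strncpy leaves dest unterminated: %d\n",
           strncpy_leaves_unterminated(LONG_INPUT));
    printf("naive room for a full 16-byte buffer: %zu\n", naive_room(16, 16));
    printf("bounded copy length: %zu\n", demo_copy_len());
    printf("append to unterminated buffer: %d\n", demo_append_unterminated());
    printf("bounded append length: %zu\n", demo_append_len());
    return 0;
}
```

GCC 8 and later report the first pattern under -Wstringop-truncation, which is part of -Wall.
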
Cast screwups (I)

    #include <string.h>

    void func(char *dnslabel)
    {
        char buffer[256];
        char *indx = dnslabel;
        int count;

        count = *indx;              /* char widened to int */
        buffer[0] = '\x00';
        while (count != 0 && (count + strlen(buffer)) < sizeof(buffer) - 1) {
            strncat(buffer, indx, count);
            indx += count;
            count = *indx;
        }
    }

  - First byte at *dnslabel is 0x80 = -128
  - Gets expanded to 0xFFFFFF80
  - signed comparison passes
  - arbitrary length string is appended

Format string vulnerabilities

Any call that passes user-supplied input directly to a *printf()-family function is dangerous. These calls can also be identified by their argument deficiency. Consider this code:

    printf("%s", userdata);
    printf(userdata);           <- Argument deficiency
Exploitation Details (I)

Stack layout during regular printf()-call:

    printf("%lx -- %s -- %d", var1, buf, var2);

[Stack diagram labels: arbitrary local data; Pointer to the format string; Return address]

Exploitation Details (II)

Stack layout during malicious printf()-call:

    printf(stuff);  // Stuff is set to contain
                    // "%.200lx%n%.40lx%n"

[Stack diagram labels: attacker-supplied malicious data; Pointer to the format string; Return address]
-- x86 assembly recap --

    void *memcpy(void *dest, void *src, size_t n);

Assembly representation:

    push 4
    mov  eax, unkn_40D278
    push eax
    lea  eax, [ebp+var_458]
    push eax
    call _memcpy

Disassembly: strcpy()/strcat()

[Disassembly screenshot, annotated:]
  - This call targets a stack buffer!!
  - The source is variable, not a static string

Disassembly: sprintf()/vsprintf()

[Disassembly screenshot, annotated:]
  - Target buffer is a stack buffer
  - Expanded strings are not static and not fixed in length
  - Format string containing "%s"

Disassembly: The *scanf() function family

[Disassembly screenshot, annotated:]
  - Format string contains "%s"
  - Data is parsed into stack buffers
Disassembly: The strncpy()/strncat() pitfall (I)

[Disassembly screenshot, annotated:]
  - If the source is larger than n (4000 bytes), no NULL will be appended
  - Copying data into a stack buffer again ...

Disassembly: The strncpy()/strncat() pitfall (II)

[Disassembly screenshot, annotated:]
  - The target buffer is only n bytes long

Disassembly: The strncat() pitfall

[Disassembly screenshot, annotated:]
  - Dangerous handling of len parameter

Disassembly: Cast screwups

  - Does the function accept a size_t parameter for copying data into a buffer? (e.g. strncpy(), strncat(), fgets())
  - Is the size_t parameter a dynamic value and not hardcoded into the binary?
  - Is the size_t parameter at any point loaded using the instruction movsx?
  - Is anything subtracted from the size_t parameter before it gets passed to the function?
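An added C example (not from the original slides) for the movsx question in the checklist above: it shows what a sign-extended length byte becomes once it is used as a size_t, next to a label-joining routine that reads the length unsigned and bounds-checks it. The function names and the length-prefixed input format (a length byte, that many data bytes, a zero length byte as terminator) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Widening a length byte the way movsx does, then using it as a size_t.
 * The out-of-range conversion to signed char is implementation-defined
 * and yields -128 for 0x80 on the usual two's-complement compilers. */
size_t widen_signed(unsigned char raw)
{
    int count = (signed char)raw;   /* 0x80 -> -128 */
    return (size_t)count;           /* -128 -> SIZE_MAX - 127 */
}

/* Widening the same byte the way movzx does. */
size_t widen_unsigned(unsigned char raw)
{
    return (size_t)raw;             /* 0x80 -> 128 */
}

/* Joins length-prefixed labels from src into out.
 * Returns 0 on success, -1 on malformed input or insufficient space.
 * out is always NUL-terminated when outsize > 0. */
int join_labels(char *out, size_t outsize,
                const unsigned char *src, size_t srclen)
{
    size_t used = 0;                /* bytes written, excluding the NUL */
    size_t pos = 0;                 /* read offset into src */

    if (outsize == 0)
        return -1;
    out[0] = '\0';

    while (pos < srclen) {
        size_t count = src[pos++];  /* unsigned read: 0..255, never negative */

        if (count == 0)
            return 0;               /* zero length byte ends the sequence */
        if (count > srclen - pos)
            return -1;              /* label claims more bytes than exist */
        if (count > outsize - 1 - used)
            return -1;              /* label does not fit in out */

        memcpy(out + used, src + pos, count);
        used += count;
        out[used] = '\0';
        pos += count;
    }
    return -1;                      /* input ended without a terminator */
}

int main(void)
{
    /* Constructed sample inputs. */
    const unsigned char good[] = { 3, 'w', 'w', 'w', 2, 'a', 'b', 0 };
    const unsigned char bad[]  = { 0x80, 'A', 'A', 0 };
    char out[256];

    printf("0x80 sign-extended as size_t: %zu\n", widen_signed(0x80));
    printf("0x80 zero-extended as size_t: %zu\n", widen_unsigned(0x80));
    printf("good input -> %d (\"%s\")\n",
           join_labels(out, sizeof(out), good, sizeof(good)), out);
    printf("bad input  -> %d\n",
           join_labels(out, sizeof(out), bad, sizeof(bad)));
    return 0;
}
```
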
Disassembly: Format String vulnerabilities

[Disassembly screenshot, annotated:]
  - Argument deficiency
  - Format string is a dynamic variable

Demonstration of finding vulnerabilities by manually auditing binaries

-- BREAK --

Patching the problem away (I)

[File layout diagram]
    PE File Header
    .text section containing code
    other sections containing data
    ...

  - Zero-padded to the file alignment (usually 0x200)
  - so-called `Cave`

Patching the problem away (II)

[File layout diagram]
    .text section containing code
    `Cave` where we have put our new code

  - "jmp"ing into our code
  - passing control back
Dealing with runtime encryption (I)

[File layout diagram]
    PE File Header
    .text section containing code
    .rsrc section containing code
    .data section containing data
    descrambling code
    (Entry point marker)

  1. The de-scrambling code is added to the end of the executable
  2. The entry point is moved to the descrambler
  3. The contents of the file are scrambled

Dealing with runtime encryption (II)

Steps to undertake:

  - Trace through the descrambler until it passes control back to the application
      - Alternate approach: Hijack known compiler startup signatures instead of tracing
  - Repair the damage done to the executable structure by the scrambler/descrambler/executable loader
  - Dump the memory to disk

Very time consuming! Automated tools exist to do this for many scramblers (e.g. IceDump)

Automating the scanning for suspicious sprintf()-calls

Criteria for suspicious sprintf() calls:

  - Does the call expand data using a `%s` format character without size checking?
  - Does the call expand a non-static string through the %s?
  - Does the call suffer from an argument deficiency?
      - If so, is the format string dynamic or static?
Demonstration script: sprintf.idc

Automating the scanning for suspicious strncpy()-calls

Criteria for suspicious strncpy() calls:

  - Is the size_t parameter smaller or equal to the size of the target buffer?
  - Does the call copy dynamic data into a stack buffer?

Demonstration script: strncpy.idc

Automating the scanning for format string vulnerabilities (I)

As we will frequently encounter wrapper functions that implement printf()-like functionality using either vsprintf() or vsnprintf(), it is desirable to have a script that can be used for all functions. The data it needs to get from the auditor is:

  - The address of the function that gets analyzed
  - The proper minimum stack correction of that function
  - The argument number of the format string

Automating the scanning for format string vulnerabilities (II)

The criteria the script should then apply are:

  - Is the stack correction smaller than our supplied minimum value?
  - Is the format string dynamic or static?

Demonstration script: format.idc
Finding some bugs (I)

Let's imagine the following situation:

  - A hypothetical company sells a product on which many companies rely as their only perimeter defense
  - This company (I will call them PeckJoint) has gained a market-leading position, meaning a lot of confidential data passes through their product (which I will call BireFall-1 for simplicity's sake)

So let us see what our script could turn up on this.

Reasons why we need to reconstruct structures

Many applications store data in large structures which are passed around between functions. The information about the layout of these structures is lost during compilation. This is bad for the reverse engineer for a variety of reasons:

  - Without knowing how large target/source buffers are, it becomes very hard to evaluate the danger posed by a suspicious construct
  - Many overflows happen within structures. Without knowing what we're overwriting, it becomes hard to see if a condition is exploitable at all

Demonstration of manual structure reconstruction

While the manual reconstruction of structures using IDA's built-in capabilities is great for `real` reverse engineering, it takes too much time when only looking for suspicious constructs. Automated ways to at least reconstruct the structure member sizes are desirable.
Automated structure reconstruction

Frequently, we have a pointer to a structure as a local variable in a function. What we want the script to do is:

  - Trace through the entire function and find all places where this pointer is loaded into a register
  - Each time the pointer is loaded, trace the code until the register is overwritten. Each time anything is referenced relative to the register, retrieve that value
  - Use the retrieved values to add members to a structure, thus reconstructing accesses to it

Demonstration script: bas_objrec.idc

Considerations concerning class reconstruction

[Diagram: vTable with entries pointing to Method1(...), Method2(...), Method3(...), Method4(...), Method5(...)]

Every vTable entry points to a function which accesses the same structure via the "this" pointer. The vTable therefore gives us a list of functions we can use to reconstruct the class data layout.

Why is this interesting when auditing IIS ?

Because it consists mostly of OOP code, and OOP code is notoriously annoying to read in the disassembly.
Now, automated structure reconstruction can be of great interest when auditing OOP code:

  - The more functions we can analyze which access the same structure, the more exact our reconstruction of that structure will be
  - A class is nothing but a collection of functions which all work with the same structure

Any Questions ?
Slide titles

  - Speech outline (I)
  - Speech outline (II)
  - Legal considerations
  - Legal considerations (EU)
  - Legal considerations (USA)
  - Approach A: Stress testing
  - Approach B: Tracing Input
  - Approach C: Finding suspicious constructs and reading backwards
  - Blackhat vs Whitehat auditing
  - Tools the auditor needs
  - strcpy() and strcat()
  - sprintf() and vsprintf()
  - The *scanf() function family
  - The strncpy()-pitfall (I)
  - The strncpy()-pitfall (II)
  - The strncat()-pitfall (I)
  - The strncat()-pitfall (II)
  - The strncat()-pitfall (III)
  - The strncat()-pitfall (IV)
  - The strncat()-pitfall (V)
  - The strncat()-pitfall (VI)
  - Cast screwups (I)
  - Format string vulnerabilities
  - Exploitation Details (I)
  - Exploitation Details (II)
  - -- x86 assembly recap --
  - Disassembly: strcpy()/strcat()
  - Disassembly: sprintf()/vsprintf()
  - Disassembly: The *scanf() function family
  - Disassembly: The strncpy()/strncat() pitfall (I)
  - Disassembly: The strncpy()/strncat() pitfall (II)
  - Disassembly: The strncat() pitfall
  - Disassembly: Cast screwups
  - Disassembly: Format String vulnerabilities
  - Demonstration of finding vulnerabilities by manually auditing binaries
  - -- BREAK --
  - Patching the problem away (I)
  - Patching the problem away (II)
  - Dealing with runtime encryption (I)
  - Dealing with runtime encryption (II)
  - Automating the scanning for suspicious sprintf()-calls
  - Automating the scanning for suspicious strncpy()-calls
  - Automating the scanning for format string vulnerabilities (I)
  - Automating the scanning for format string vulnerabilities (II)
  - Finding some bugs (I)
  - Reasons why we need to reconstruct structures
  - Demonstration of manual structure reconstruction
  - Automated structure reconstruction
  - Considerations concerning class reconstruction
  - Why is this interesting when auditing IIS ?
  - Any Questions ?