ࡱ> F*Nт۳ Y*JFIF`WANG2 CREATOR: XV Version 3.10a Rev: 12/29/94 (PNG patch 1.2) Quality = 75, Smoothing = 0 C    $.' ",#(7),01444'9=82<.342 i }!1AQa"q2#BR$3br %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?Ѷm:LREQEQE܍L-QMM/L3NQLy5=XMqq' X?|%bVX?|# rgK6 ¢G4'  ͷy!HAx"I9ϙ6kR,cT]cnAJ,1Ymi鷾lFƻcTQ = *HVA\RqIQӬY!/PdJA5o:MfӮ+u~$=kwkV/nF )s4ޚcS.* |WB襎Xuu# ԔQEQEQEQEQERQEQKEQEQEQEQEQE! s[څF@3ɯWNjˢ^L|9M$K^ៀk3ϖzk <9SI 9MvQQ5EQ( s2f&K>ҷTr rEr4_^Z fmX6%2J:״+2#"z6ycOh[jtj?k:"ߺox~4Etrkc9unp?*xE2q(@¹:mkrQy"jo⻟@#mOS^V~iVQ@qL4H/`[$6+3Q4Z&K(f ܼu~$*inֳu5!a? H4(r%4xNt5]>34ף2K]6Pۆmkw:FCoT4gr=+pjxU ?*? 6#^%1׬xR.4EB2Mp+*Q GtR1G,O#c ¾CQ>'%7A|XQkpf=6V%*E|.'PӭnapTs򯡭mm*U=MZxA)@-nI#+ſ 5 3M-sj"X S<'K]l 2E} 7ɝb }* -QEQEQEQEQEQEQEQEQEQEQHzkM+̲(rs_9ǚߍ/v4 8?`{}м/xr R%hw2Xڤvq 'sIK5FH6*? h^'RW!~VV+|-]E1&=mR5E(WcIh/޵? $ 6%ٌD}*Oxz/ecm:r1{׿ibL$J +ʾngC^5TWxݲSRJ'K?4b\۵} {-GCӂ fAWVj]/ڍ66~5|;:3I+:Mg3sonMڑ׌pmoZq\\JҊJul&]!qYfXSpѱ#XHG*9,/_In|^ xs_nFJk< 1i }­u-%!J(((((((((()@Ҽ[/;Lr(9 4sZKoF7}31uy2^: ڕWnaZQ^cxZC5 #{y~hq4n٬|\qҾw+M\S ⾗VWPAdyYzݨom2W+/jZ]QX(uiؽ*иL ̺ cg+0$5~{y Oz'58𽿊=qg"5Ah xxKIJxgX-}_5b:aՁR2=k>3,>p%F>Z|%`4 ָd ƼoZ?!62GAaKM m^Sy>w ѥHc]Er3 7w{pCQO^:ϊ5+^M>/0dtm졊_:UP}kGc4; rTaG"y #gdJ<UmY_Mcźglub@~e5QEQEQEQEQEQEQEQEQEQTyG c+築?Z]+CdI0<ҹ_;|ev;0ْgJc|3`}G+TA'.xͯkHۡDoG9h$<+q;(P9$N/\jVf;N/zNWUC۹\U#+7^O|S tqGnk`Mn$#pZOKi V׊m*(/. 0ֹ/2ҼW($^IPbxcږi>%ɶ&|xᯌ5kUKłMqs^yYV5@ 1׼[Y4rVQ7c!ul)?_TcYۅ%\~:QLwTFf` OJoֱI}M{4<9[i n u5cmj6ڎ!Jx|H|\ RyWDktG2^5 j:,k ,с+t_[.2A4M 6(VE"'EQEQEQEQEQEQEQEQETI.%_ďW$M7Nш$dsĒǩjHir_Iime)HEhqA/jmnOGc/Դ<hM ނo豓yBU5ɏ31oՎfV7 4L:ҴW?&owSђ E|cZtMnTNA_FitW$jq*ʹwVA.J:=NgúLq9,qQ?P)䢂IP=jڥ􂩟9n>2<xӓŚ [fufwI?-AZ r#XڃW7xcKuK۸CMlۑȮc-yŏp#9S{xP?ɯl"F5u'/ v Si^ɵCv7G$;hZY3tg'WUËXıj 2y]k"d=W?~!YRi_x-QEQEQEQEQEQEQEQEV+hi$H2OJĩCw.R3`>|/_T)`*>}'imvGP8W;yhPy o#I]G{k%˺9)5ZvSO^ZIc#]W¦r~lk-;6ifx*e7EWv]wJmcJNNVF@kZ,g&YFI5*F bczou(UUk>9Xh]:\o];I"~|G՜5+১Vu1;ո~ig៼9?_?AQyWj{|j|Fmu˸{U)>xMoxWQ;3?5Vm>4jk<@}E?һⷅu;ՂCq]ݽbKyD=5ltV>{e,S"-mo 5"ws)נs66g+cw>0Ք~[ts./ ߵaש5R2[A!yz54k.xMP\%` #_zr=ih((((((()ŘI=oyt-&l@HJ]l?j xE$U\|qikCPbWMq'Éj]#4NUМ0?Jk6:=7w1ƈ3 7ѧvhaֿ|su=^OX8~wpk>LBVJ5k51x퍬.+on<;Isr"f[>2ibŚt|0+i+6yzyjsJѰSWjռ5OFBmZkTExr.b xVγa+ح-" (UQLu m6K(MxcǖX+CYaxn7ۻRpG;źd*#k;Pռ P4St9WEb^6yv^4jvu2W`: Z(#{Zi=C[xDbPng5-B)μTQv j2Ǵ V|;r{[xKKv?ZmB.-fIbq)Yx $QeB"Ny-*[ǜk&Ծ+kei-?t+Yxke孔A#D k7'|}us:Hϧ^t/hOhf");s׵E4w,0daa^Ucz&a]B >7o<-@[d5}gjvƟ C iEQEQEQEQEQEQEQA\|UoMk\y"%'MFR}p3_Wx3С X֝a][NpvƤ?GS-k)m.Y!qiMgƫ.M*M?ƻ߃VΟ& f2r^8mj;\_؆kHzG_ʽӌgj6]^Lă%׊jF7IvKZC_k5?wr8ׅEp~;e2u'A\1)xOvmq^[ë~ex!;H6yG>64=Bb-?,~( QEQEQEQEQEQEQET,$N)UWcelB}kվ t-uP-{;tƋ[]_HLVk,q^OA9mm2yS]+?R-uk)m/"YaU|  5'KM'=Sǚd6̻nf샽z<e8E.fiRkK~(3p>T,k?|]9B7 ? _K͒X@||konfQOݦm97$}szP !x6UK(sYk C\\n>|Q}lBMGQף 59j4 㷒:v ?Wc]FCQ^y^yOxYG\֦Mrpj# BےU-x1oK"_\wqDeQɌ4RZσ|U%,,pƀҼCڼ/Ֆf ~t.g^<ϳ lo/m|95M( | [_ ev/3LܜoKQk]: 6a <]K"RH=kt5K lPZVƛrq a 8+WŚ LRosGu &hyCjMT^/Zkvicf?vOŲxwB֙7ן5 NwjW_;uJ%vEx-rY3<֨'d3EX: }S!8ߎi~EaԠ>~7\S:W|]ާ}&Ny3e#'"+^0l>6X4Y=֡r  ~'x#ðJv^=/ÏKPcS m+~(x:?jcYlr}x)ܲ }}yaAYCwT UҊ((((((+?SMn/ep…M|}}f>-nvM/^3_M;~1;y[kc:s UI=Myx#Ŗ7(;3;RxŖקMfϛIpzޥkdrSE"vq^[=JӮ6ڽ2AJqO3_^:F XWiVgW7ţ߻ ^img[Ek(EV^Mze!#0 s6UI֋ˤOBӚ]kD3ۈ|C:/DRk !7?fn/dDu x'Ě*3(2޽VWW+o>&_~U/.'7:&n?y]~i^{URh>QTGV-nzQ1yfdGkz(u+s~*_vZ1j#[f;vX:Ljt.|< tq3zwzrּMߋ>(}X-V[DqJG&| r+>Q%eP1jk^:&uKhktrp8VW~ݦs&f((((((+ž;;HMLMs̀\? k {O}>v^mmحTVC7e^Mж:vuj.-2F E<|?eˋ-6dl4,zUi_j`;r {W=sV<o4f6M"9x Az$#FrTJox [٣ҭ+oz֑i}{oy6rYi#{ƛnEBKWm_^7G'oagmuM 89>DvO F+f?d/Ү^T]cP_WWk:**yoa^ QM.IB[۞ M{-EtH֬69Q0S}k%BH-,,dAֻxŚ$w! X5*") ⻋%9{ 3';Ew𭷄? 4c'dҞE|;tgz*Vg%Ք4L35DƓ,;Gn=+%_QU4]f8U#=E'҉C&Q^ڕ9o5 Qx87ľ#ƻ0Ѯam)Z7enດw? ~2k,o-ﬡ*R 6->."VI>(oheT$^?,M;I,Y#A]Ox~oQrbg^ooa!Qs1Vy]h@;5zKíLhp3W@(((((;W^~ Tkݧ5 |: "n_[*(*N:dSrsw a|z0kzkP)+wc j/kiu,Mz~>$&pAjτ~Q~Ɉ8=kXeX~j> oI$:5Ǽ^)vi5Myxwz&c]-n[|n6{\/&aBB=Hz$Y۴Hkbz X Yz'~G3$2s[KGtE+s=V#EyKu$W"P$ՏbToTsФ ߻aSGҵQel?rLӴ֯Nb? 鱎_Nv%_4ؚ- t\*1f{!{?LXՏirkǩ&vgZ4>yMr@C]Ay4Z>ﬥVGySW"w0Ĩ6[hk1dV81!QߏtZ_5/j knLH-8"^W%e#K(фF}%Cj񯆡O,Am-w \?Kg4\g"HhڂF"cĖߠndӝ*_ ƕzy|358q8WXZKs1csjfk1Z˾\wſsw4qn<Wďː]4((((((ȯ~<{XV˒]R꒡ܷԵ-A46_ #ֲ-o1@Uw n~{Qǵ~=-<3b |ώ벽7&!Tu5kWpxn.$A+حn`gD6 "J,(WzbG?`Yrl)e2Mx_O{ wO by^XxCL /v5q+[98Y~ /GN q]ei/)*?xu';xl攅 I^T|7 D1f}9 "{q^Vw,-C&@$WTkAhV׿h7Q>S3}\qkKm:[$1.I'mͦY6UP*;Wf&0Vms[Iӄs;Ivt71=OL,ed0 SE⏴[B~A蠚'Stom\4R`G8{z֯cv0tP`ڇ CF9ci յQjr#$g> ^&ݶ*A?<9;SlOWZ:k |'2c`2]<][:"NNϯJF>'jwTbdcJZ }+w^~H"81Iף\4|5{Tm#_UxXMw}X+((((({tvS9ƌğa_2Ɠ6Kg_^xgLO21!u gqt.Akw|7Ϧ]m/<,::g~h4&m%aҺ~(xk"[ubGL}+o̺,&7OjZZ//@=)9תM㒅8Y/qs\<xɺPa$AcO5$o[hsK/$.z2[r|yZ~+x]>)j7ggAx" i+5n$#VW0oåj*lH77/^ Ct9t_|Ga#}?k?ɑ_Z]#DAw+WVZ%׊_ 0zQ⻏j;TcҺxW^*Ok?-Nr[WuԺ圂n<;x#7EƯoho4Oפ͢xFfc$W1O~$6icbGZkZƐuy9*IT o h;+!\>2hZeÍ0q,uO4%hB:W7xO[8O/8HsM?H!FyW>> o>O 9A^Z0Ad\V Iq3Xx^cpV~:f/[rZωP}Α>Y+!c!|Wզ6C=@)8Eb{Ӊ:lrzҮ~am3!Ҋ(((((;W SV]#n_<%=) uvG?6@h~+>WYSOgWxh63i,:\3_AVKaZ"E? ڃ:bKO 2^[gHm`|s^p4_|D?M?MȀFp\d^ii:jZķ ~3\Kf|c]p‰EgP3X$ sN,jpsڼᖉ?YRG]7Voi887z.j=SF"⧃naDwVH|gz~G]qOV.{MgVY Zb8'ں1rV&uuv>bȥȮG)>κ 'A_?WIc\+a׺!k3-.Ogm/ XG,5tWK4p^GTP9,p+>!i_c_<}ki#TϨ!=sR J,>&h h(O#41*i\j|#h|,{)7fH¬CK<w5~2xj-gmoRO_ŤwSr c"/x'9 :g-OW{cvZb%B+_Km+~Cgۏ]d-!a¾9wQ| n5 yzd5}?zYMRg^pȬ"4Ka!w}kh&}-@9eɮុ/eLA?Ȯƚ%V"ϭpƋw:/%-u h֟'R=4j~ĖX[lW :j7V0_3>3Z.~!x Z[wH98ֽ+V#4 s^;*]D,:׹+Fu4\<-xՉ+5!NJJKwbo-4F܋z{ױk"/6R(_j._[C 2Fps\2ַ$<s槬$ 7@.HX5T[լfᢶm Wfuow-lFckc$sϪ1777kM͌m9]L^H@XmUyo|cOMw kgivpo[x\5Xƪ}gO e{-]lF_h}(=+E}i|C! 9gְu?M񞋪rZZkmb:|$~5ƟHGae(J|Cڴq[Of?o/.bU x{u+ ϮYC= ƣ<'}eiMRqXc3V]Fw[|qsZ~jFDxf_ƻQR{ K]o$.]hlC_ײl*0BY:|?VCd2|J%w2 Cl/SPXDW`;א3;/W&;RW.ZҊ(#}3vczWkVڷkvϦ6d3Wg4, }*ޟ=LU[m6qܦMjX]B"AYAk;kUD=@}寏:x*OI$׭|&&*(((((V <&,_s('}[@ +ɭjGNh.%&GpHֶ<j\w:%ܗ+k)sI{Q7Z߇NםKzgXXm1)obkpX ]7Qeq `oEݤcuxiö pť0%#j4 ~`n-bF4 ?SL46GEe#FA?Ox]ktGF03^-'$=X6*Ww4:\N]q?V!Q}*iffvZFWڹ/Bκ (#LAwn"ZRzW|OHH FT)ָ C㟉/1٪[„?G?B@j(]T8;Nq^&7ާ'^0á{X״]?R1 gV gmD\&~aڕp}___񭶏ak s-ܻ0thpZd=xIs^EQEQEQEQEQT'1 6`x|ů_i٨K8#QW|{eMJb@In;] ;/ʚ?UKIMJطt@J#Xy5@kx#1so@!A5'孚H(,~_ c }*x>ɩ]%ˮ'r? ZytZOl[Kp~ +_o)-ZR.bŝٷq9>"i{!i{\cQې> Ȭhb!\v<W"tmƖ'k'V{--Լ~VKn/n)cR:&p-杇ʋް'sɫf6ZW{yLTqNԾ%\i#%u/ @ ^c,Xy91S+]F!Zf Y*-IA|u ݵw pqZGXլ@p=EYv_Gko9!PxSҼKkxLK8dY𷇾xqVC{kup:!'v‚8KdU* q?‘HPژ~*xETy{"֎m+ReKApP9t;1ιoN:4vc&s9+L-gW]B8ܟ¼Tx|%!oN-kʷfb[yzcpuO]Y^Ǧ&-\O+~:Ϣ%4c<r8p5;d {eku^>+)Ͻm?oJCs*ך(}kmѫzkh}Nq9ʻ5H^EQEQEQEQEQYz>5} /t{bYg k=Yi UpdE|}Fhn]O`븏_ᶳ]cJ!km5ŶE9#\U*+ {-4WxOZf]>_¼ ߎ:̬ ~D׼y)kd1z5?4Iav֤Vgw{{Zܐ; ʒjNw-q`p \gl#݆FbA OR?:jI{-A~&k5[y#0u,$cH]mVjpN%aj};z[!x;~ė c03of1+(՗崻no5IE61Ut[MSM2I ]^0*Oxm`uijey4KN:H85ھ}iq{B_'yŚ ]>w_QBkY.KAk<()ҡt,+h-l0e@**c6x:C'4W '>0k}&5KZWg[klcm#ci'EtT(?j|5X|rndB- T]ڶZl"P8~n%wd8x/tM2OJJt#T hœ85l^'>it?Q^X*HG<:'Yg"^]}XGѣm='+OuI5G@9et}+>>6k5Ze,OWxƱ<,pRMq%cSr׾1#1+׮bZmD)ɵWX7𯞙wcZSOM,H0H@NL1JFU8k ҷAں}n1LH5(Q+!Tui8Ȳ?V#vB3A1sJ|9g^^E}]׃|l֯t/iW#>Kḳ~_ t?-pan᫧mATsَ+zZn/|Ă㬨< 9qWoP?#Hʺ#)dW#xC՝/٧<`;Nk ìFվn~چ{6I\#~nT~/q7! _X4)"m$y4mNKh$91 ?/ _}yMwQw[y3tV_P8 :(((((u-ꎦF9nzA}t*U.=B-Ṿ* 7FӴ87}jZa|15xW`sWA=cgDg^iiS-ĐD+~}Y5Mnw8xNs=›:PxWKi=F'`ɭU`2 xg[7 pg_ֽcږ}iQ;W|⼔ F1sk *0ʀ7Z{M99)H KVV+"I\b?X/m[ܸHFf'\?<˫iM=:_.+MzaF1ʳ-nY?UZ MxŶ!Vo%U:4O |,V15C gGT|* 4'V_ \nfZe5dQ:^݁ƹ$w.}JUXC+jvOAζ#TsFK;KƔȏ^޼㴅C7//zސNfq"xHxiT3u=EuY[EooQTp*;Ra}/j?Ez;sVG⟿[?}EQEQEQEQEQU̲OFKׯ4]C +P oFnjkbTMWN5s~5=P,?wy&~'1ku} 5Qx1_v~ ߘlKk wFxsI#dL?y׈>I 跗8W++Y 0A'-vӯ [57@e ?VӴ:5=svv[¹\o7Qz \U?o5EC o8n Hs^\ l69o!-CY./[tyKimMqg>HSMsTPӬDKҘ=ƩikVEp/=i$ Ecs.~&w;ִ5[]^%ôI_硫nZ?!!(;dk#z4Bg=t񖣯_^LdXPFW :oH״?GՃNneHӖ栓UѴ3@l kޡqx#IA<5yiEDY#w~w |c,;NCDV/>u` =㵌 $Oeow@:|?Gf{M+kAE ºG!v6?_^ 1PҼg/|=umS^w70^jQGjܼ8zV=īH2YOvq뫲IfYbnC)ȫhɶåEnZYx((((()2z/d*s -I9y*_jMzFZ(Z¾Ծ$K6^J9#$~ k>H\<%IJ6y?{WvvV:[İkZ9h^g2Ӄ`G^ WosT_/G? u/daH;|Q Ed:ɎGhզGyg(x~^Ƽ㝳K 5^Ch67L"gVC`z8-kz_PH@Mx>9^,?/zy6[ꗑ M&q־q2.;D_ݏmf˦<3[Ն8W'eˢk:4MxҴz](7kh wQgt+m8EvatCJORj|2lpXJ;kᯇZ+#37Ax~NV2uh汴_6m^]K}7):jv7GeҐ ~Oҍ T/9Kg}|/=}b|;ahiS)rƼ~{K2/kVZ|k׭kU!N2Pvc.+OWlb^lVJ#}F[Kּ?OoexgF H$WSZ|SM9eSM3Ym{ J%Mѣ_n?_XLӦ-4}2i H >Cފ~\zF]Z ['^@j&ut# @7t=GX2ʻw?ZuDŽ|{uᕙ?6;C|C^x=Cfa,s^EQEQEQEQEQA_$k6^?|af]5 uOv9tOš 4'5|7f*(&t=r87~,JM.n$epp^k 3oks/2R λ\B[ysA)OQֺ?u1TާXc90=L1Pƣy '̈Bi~ eaxv֬Eq,j)Wx#$;4[͍ # ٹ W9S]7m6fHb^y-Ċ3JkǚΦZ\;|ipG] wjz{Wu)ΈARď]:g@R1q^iJ"1ҩg ;Dd690`z 8|E!Tui8Ȳ KI)qHG/Z~R$HH ǿ5zu4s\"Wz>'i>" mrMFolנRQX^'F.3+>\.+; ⦭seᆲ25S\FSVʹ6$.#DuPda$8"o!xNg}*ki,@Xбx{v~ kE?t=wQoᑴ@mgaOXtI{hMy ] B66d%jNYb2I^W^oWkezq^?|> !9XF07~QEQEQEQEQE|C5]?Pa?t'Չ9xdHbϴ, bsMkUY ႀݓ] 2YCWKa *#nâvOQXZ74;:fomkv,W AٲZ0knb͞ED25ZVw kjЬC]F23Uiz֭}b&kч!y׫>wt,˂پ|_cPl=9fҬ y ~_ʴx8bDOEyUTdڼK?^ yY&^7Ω~\s+)RxkźՍIF,j$;H cAxԧTFy"GR`7/ݶehMK|#7/*kAOӭ#Pz™D;#!5=?tʩ*;tPp7 OPsjKVp+>4jS >mqn7_+oVn(^Upd#ǂ3@yl)"Xھ2麲yEp?Ǻ^$w H-9+$cwجjP Pyeş=Zu#3G_K֗2ZȞa3<I|w=`Fz~yo3i [AݹwwFi5':X6$8FA xMg y⻽7K,$*cc? [?|헐uj&`V<"?|Kruݹ%뭃}}!c> Q٢(((((& kgx^w W[O`ͅN=}9ڠwyQn9l f{maiR4fc+̼CD{{{N~7n:fv'N_N,Y,W{QҼ#4 _zg`bpֽ?k?\2"주̄1^x[(/>d⭷/yږW|NԡlM^:]x.'< c X}narq]G_ IJ7e 2خN{BD$^C]_<A-pw4-֮9*zfVMEE^ (> yV>*#HبX0yeJ~ʠ7-ԛm{Pk-ɾz ԑRIX4ڌo4gL&'*sqo@Mb8k!:/Dnu"H*58K6Lc"X j4K?g~l]bڬM] mHͥۂɽQQaSK/jh-׬FR2j6qrcKg=kƾ^*NE״wO<=+l>i:5yIخ_he bD*/#יW1Ck <70s-oC}HͻnH UMka.+>:xYXihiWEᏎaVD_O4Mn :2g` oAKQ|q J>[Z{;ۦٱ)QEQEQEQEQEL: B/#M͜1\yo?¾͂d9ǥxſZxWG/vɰ< M-b7!MzlVV;x@r)ml>hf`*x}Zm?P'BżsޛOÃDy =qx¿Bok2ko--[<lEmI/EQRM,pHʨ$9&U5YGFk?FQyeq( 86(_0ޕxCZ悗{7SW޼_%-ofK .y5^,A ۆG+dI|RGgI;mLK,jLI +2V༷`J_D-LW(q\y#~dE?5<32ohu^únyj7;Z-[Ð?;6~vjO~1\V}Zus%,sj/+zW]x.ħZOHb ʨo/B Hq^q| 4^Nqʦ fE>"+y+)k>24[cfNޣҽxQ+>cZlm~Gq4qs+I+nZ((((()0kω<*lfewvW$j#qJ xO"=W⎹^|k) qs^E&xL?[xy2L֯g4'GPU(O^6Rnzku^GҸOn,$=^uK{[ 5&?>0Lӭ~+g|QMcp,#cjo> o A^#$WRr+uռcx>^M= { <9]7b pB>f>qcW7Kcה.Tާ'Zo~ E$ ˌhI}8UπlGjٟYw0^/^GA bebF\}?W<\m~>d?6zZxn%Z/:>,C9S\7Q&t9=z W|PvI[~UTh]_;CJ_R٘rSXxvkHn_b;^[u 4,̮ x&f%t.yZVo^[8hPC#Hl:@ׅmmvbWPs]x#RъLJ{h.P$Pk| 㛽n("p? Ofu_Ih]) 'q:m9J((((((xOlӘ3FC>x8+ȴwyM렂Km? hO4粑gk 鷚Ov Xu&cy_ I׸\^Z~6*{O8܊HSGZƩ[=֛pۧN}EUimt<g\|ALjk}>& WA vQT@Ҧ#">kA0s\<{s^ t2|~+L!<2659#it$մ>!x[4m=sGQ;{xG¨y]7v3]H ]<73mb.Ҝu5EiX=uF𽍒.ݑ ܊:~l um9/K"2BTÊP3Qqd5>/c.Tvt5nM[×9Y!rUM{5E}+7k7ˣ˟n碷{Ҳ-*T1\*WW7xZ[ɎF:Wl^)e ,R2@A\ΡGREc+):<+/Bk,7vAJXֶ~7bX$l~WꚔF=˅$,rk<c?}q[&Ȅ7JSW6Ǧ[sll MFfI#;WJk6\ Z6]#}\׊&.y~d+{ uqߌ}GivֈXc VQEQEQEQEQEPzW;5 X:/+WZq1%^m3_cj:|d O|O3f9;z_xJ-o퓄9${> zd>(i$;brGZ>giYıƒIu}mcN;Wsc& ex믇^=VrQd^ݤ֙ UV쌛yc?ʬ)R0x,|ahTCz1̽s^sx\{ 1%;b9}kb״}:Y%LVt2 *-^,{k_#nN:Wzcx5umlʷwUJ=K:8A {XPxFeж\qu{^/6"]?i_z%+mz|:T`b8ѝ?uaV%KC|dpNkH#hC Ic]{ęT~Bׯ* 8S>(^:3\2 x~ |27:hjv]i+G$T8+ςEΖK%?ѼoO5Ő9|muGKm`}IT1NEղ1^kFSaN7_@ O߉ɥCW1k֦BRa2;Ҁ t((((()|Ÿ$т=|W|A<>t{5aXf[;UmooP51\?>!Cn:qs^ox%:05 bx@>t$t> /~x+; 9;(xgM%j"c_=,znrp>xO2ގ$f7zteXȘWSA:|v;cƶ3\?iZ}3^ڼM<7ƕ+;#>v:$܏{V4]HxpE]gtp*0>W=O]͎"CMyƯ/MtptȯG_Í/‘1qxF^w9AKER1WKgMkKWߨ܍"T*M6ٵUwj76[תqҗ`T34r"2+[sCU,YrC'BkuxcO쯶lE {/ 1H?[ԍK1>?qOYZO.!gῇÞ)CqMvQEQEQEQEQEQE|L70$y㜊 ^/g܊ys)}yeyWhP5JdH|[^OS /y\] +Wm<7e>m#K';N3y[v(j+1+.Z'."m9q4.Fes\ÏOouD^ I(p})C( W⟅ݥ}%c$?K}FNN+WK,-IMg( wx:*jz+ⲷhFk G+c^ rCklుa#F pcڗ42`GRxŶ^dUQ5ugU"H GYzvcOq V;KAY?k"l;^-,>)~/Oo+UUT` ?0Ўm 7\6*_|&VI= WJ1ҝEQEQEQEQEQEQE5*As_,dFڅx;FKoq^H*y_>|Ix/?oA'{|9\P𪂀k;N43dص~ϺaCԝ~y'Wꚵf7 H9,kt?C':-ܘ,A*=s^oq)4.7PGz󯈿VYxߊ4?Pq E: 񦕪&y߀v u(Ԁ3ßĒh"_&4R ^W FG=iJ =+U𾏭!}5j7u!զ~Y"m#ēEflLtjTҾ/.j%k&_֝_5/)µ>i*VMJNGuOp^&DB;jiMJLbº;_@~35yn}iͽ1oV6k.x%}k<9ͤhZM3*[ [?z[<.,Ƽz+C2鱶b#Z=œ2 > ~<-O4&y74>`lཷKyVHd25x:w"+veITa]T}4ifKnmީAܾBĚŚό|[$2ģ5Ï -onT y[k(((((((ҹOfxvDaRbltjVPOnh :dfοoM PpC3i۬c ؊ƨ 㟴Ӂ;8R*| r}쩹 ,xt xj^&Kk xKº,)hl>Z:Զ;hQ.^Gj+ 6hڎ>ϪE#/4CpbLf%7WF A=+|y;Bkk YU1mF㻵k4I!u"AxQЭIR2qW>|A SXp4ZF>o<ѵl#nrXhCKMN1FGQ(ڎFOݱYZϋI҈\f<[X Ge$vVcJiu=sƞ#[FK=*7,J~fi=>_د3O׼OizYeaL0{΂PIF\l`mҸoEӼ%fM|G מxkߏu/[=ۢnvXGoo4UQwTFa7{o?yi+ >Ycq |WφӅ?,L3Ǩ⺻OXK [v=&//Gq /[.,)b(,l4Rvڳ/cc5e&Jj^َ/ֺ?4zZvIP?|UYE·G&㪹zJՎ`|)Y;$r=EbxEYk4xj5kbڗb[FŋN+WZNEu4riv8B ziwt]:]Z1Z|-k-E[?xHEq^ݵCCsq -,*F,q?|ZyNX1FB7d_&M&-{qq"U?QH@$l4h IDSn\+\6l* k~,(,"5|צ[gCQWpGA_0}U) }k I>".l/Tc;=+ڻW -,"snJ-QEi6Zū[0Wk _6)+Wß]7Ķct)r0 S!IgXd`j(hʞbTM^n!cf,7dj%\e.Z'`R1>][ԏ6rx5ү7 O<1YOq"+k!w"["(9=Mz_è5I1n7_#FWogkuq|jO NծSCb*_4{cY\|GY|ɷֻmk4N8hZvA%Q2H_|Nм4\]tX993e+&ߌ/|>)ngIuS8v t(K2k^P^y?ɱ-hv\N0+ۆ6Yޱk]ȫ`OZ+>%@]џd1¾W4𾊗WHGz`Җ(((((((J|S_X]v>9S_'ZV?4/nxLq([Y[޽jZ(3Epk/_Dq*5yρ|iu纶>Kp+OGַ|rdہ}'Ś.cR 4[kyABۢcՂWDӓQ{i\a&ܖЬj͸W8v+B3Q-gr[@FXcPԬ#/ws*W`+2hN,zd~> ;X_MӛxcHzB^ 1A*"Q*P-dQEZ$ #V'|1aI G.G$ֹFs1=fNVRl(}k9-uXs~((((((()O-`9W'A๷~Wa_Ox6~2ҖU%%<]#(UZXU@',EC'Y(x[G"x-[pk_Ф~bB fŧo _0F]H>F4RSmֶM>Tw`9}ϊx9o'`lZ|%+`[iֺ**P>(]ZY-۪@-_&x]ֵ }tI_ |DZ¸ˮ{קTnbAh2ǁ_<|Tɣ貕^%O/X x/oQӐ嘏}+ >L!Q@QEQEQEQEQEQEQEQEQE!+;"9}oèF27{[[/-aoa_Exem`TN7}+҇AKHyx3Kִ{á+&>l1߅fGf9o0pGTy /zt[Wyr -<+V,*<I? iX|t(=*դ7qIꧡ+Ŀ5}KKm(g +# H aT 7 A(d;xY̋$%1ι^y;Ld ' ^\B"l2=qEQQIrEǰZ,+x"pP3}+KX@6ƁGSH8ERMxz׶ZeshP:R(x6N@!W|(oNuWrDC{WјA5_W?'gBT̥C޻/|EC4 lTQG5?yncVSE gŽsIlmInWx͗.E_f=5)  `:~5reܟE$t ( TQETM,,qVc+ǼwK2X.n@~Umwq#{?;Y#!+֕* ?QEQEQEQEQEQEQEQEQEQER`TSC4Rtad|Ԍ*nycx#V$'F]gE%i|:ne[W1 [5KEW^ֿ vQ$_/7.$|ڽss^2xk×Z?: 5b牙RcNъQKᆭHZXW׾x7^_fSd_{դ K$mXdi:zp<Ҿvau~9V`ׯ,2A#}XHS&kĶ2Ga]Gmj>(EsdEe w(4 )$+gĽвp3HpFNO֭x/6YR6',9j'Ҽ+nX[(`>iHqREQEQEQEQEQEQEQEQEQEQER0x wW^PI>9x_4z+zG s^6E=ū#s{m)oBc~>_tf%)ʶ◵QY!+) O^νn#/`8'Ʃy:5ɂ|ֽy2}G?fh[yQ}=v[u".2ɞ^{~hGu}J((T Q*J((((((((((((R0kt?}f#0>( {h^CϋzH5'#<[QR^g+м3rme>: \`{S$8q\εh?ڵ8wk̵-ѥzIҼ\oV[U_99Ğ%rڼ1&Y<+KH.5/˅i(5p6,QT`U8((((((((((((1H@KEHW֑N̼כFO%<:f\)}-FqH|57KFQEQEQEQEQEQEQEQEQEQEQEQEQEQE*JZC0?L%|%K9j5?NiD}뗿6Pʽ;uw6_/Ys=up1U-86zgя?Y<5/Ɣh,'gԿ?zz\WK?[6Wr}pKښN0u\N_KHYs]$qh4U_E&((((((((((((((((QE`S4QO"ȣȋy'*LQ(((((((((((((((((((((((((((((C( ~/ 0DArialchowmantt9 0"DTahomahowmantt9 0" DTimes New Romantt9 00DWingdingsRomantt9 0@DVerdanasRomantt9 0"PDHelveticaRomantt9 0 "`DCourier Newmantt9 01pDMS Minchowmantt9 0h1DTimeschowmantt9 0  C0.  @n?" dd@  @@``  0   () *  - <  :  Bi   $ 444<9<(   :+'1o!)10> 63;<?DAQ%JKL MNOP/Q/R1S4TUVW[\]^_`,abklmnopqrstuvwx|}~/X$R$Nт۳ Y*2 AA1? 33ff@338; ʚ;J%5ʚ;g4dddd 0pdppp@ <4dddd@k 0t8 <4BdBd@l 0tg4<d<dP 0p p %0___PPT10 ___PPT9nnIt>"ՌPNG  IHDR +tsRGB PLTEfffm cmPPJCmp0712 7tRNS@fIDATWc`  SP1H $XLIENDB`? -O  =x!=aXMachine-Level Prog. V  Miscellaneous Topics-- =Today Buffer overflow Floating point code Next time MemoryfZ&Z ZZ& FjInternet worm and IM warNovember, 1988 Internet Worm attacks thousands of Internet hosts. How did it happen? July, 1999 Microsoft launches MSN Messenger (instant messaging system). Messenger clients can access popular AOL Instant Messaging Service (AIM) servers F F   Gk Internet worm and IM war (cont.)August 1999 Mysteriously, Messenger clients can no longer access AIM servers. Microsoft and AOL begin the IM war: AOL changes server to disallow Messenger clients Microsoft makes changes to clients to defeat AOL changes. At least 13 such skirmishes. How did it happen? The Internet worm and AOL/Microsoft war were both based on stack buffer overflow exploits! many Unix functions do not check argument sizes. allows target buffers to overflow. f[T f[  THlString library codeImplementation of Unix function gets No way to specify limit on number of characters to read Similar problems with other Unix functions strcpy: Copies string of arbitrary length scanf, fscanf, sscanf, when given %s conversion specificationN%=+h%=+h P$)ImVulnerable buffer codeJnBuffer overflow executionsKoBuffer overflow stackLpBuffer overflow stack exampleMqBuffer overflow example #1Nr Buffer overflow stack example #2Os Buffer overflow stack example #3Pt Malicious use of buffer overflowQu"Exploits based on buffer overflowsfBuffer overflow bugs allow remote machines to execute arbitrary code on victim machines. Internet worm Early versions of the finger server (fingerd) used gets() to read the argument sent by the client: finger droh@cs.cmu.edu Worm attacked fingerd server by sending phony argument: finger  exploit-code padding new-return-address exploit code: executed a root shell on the victim machine with a direct TCP connection to the attacker.gc8Y3*83  h >>Rv"Exploits based on buffer overflowsLBuffer overflow bugs allow remote machines to execute arbitrary code on victim machines. IM War AOL exploited existing buffer overflow bug in AIM clients exploit code: returned 4-byte signature (the bytes at some location in the AIM client) to server. When Microsoft changed code to match signature, AOL changed signature location.&``Sw Email from a supposed consultantDDate: Wed, 11 Aug 1999 11:30:57 -0700 (PDT) From: Phil Bucking Subject: AOL exploiting buffer overrun bug in their own software! To: rms@pharlap.com Mr. Smith, I am writing you because I have discovered something that I think you might find interesting because you are an Internet security expert with experience in this area. I have also tried to contact AOL but received no response. I am a developer who has been working on a revolutionary new instant messaging client that should be released later this year. ... It appears that the AIM client has a buffer overrun bug. By itself this might not be the end of the world, as MS surely has had its share. But AOL is now *exploiting their own buffer overrun bug* to help in its efforts to block MS Instant Messenger. .... Since you have significant credibility with the press I hope that you can use this information to help inform people that behind AOL's friendly exterior they are nefariously compromising peoples' security. Sincerely, Phil Bucking Founder, Bucking Consulting philbucking@yahoo.comE E >AJW{Avoiding overflow vulnerabilityXUse library routines that limit string lengths fgets instead of gets strncpy instead of strcpy Don t use scanf with %s conversion specification Use fgets to read the string/a/  b/  &X|IA32 floating pointHistory 8086: first computer to implement IEEE FP separate 8087 FPU (floating point unit) 486: merged FPU and Integer Unit onto one chip Summary Hardware to add, multiply, and divide Floating point data registers Various control & status registers Floating Point formats single precision (C float): 32 bits double precision (C double): 64 bits extended precision (C long double): 80 bits*(0gv*(0  g!  Y}FPU data register stack(FPU register format (extended precision)Z~FPU instructionsLarge number of floating point instructions & formats ~50 basic instruction types load, store, add, multiply sin, cos, tan, arctan, and log! Sample instructions::6W6W,r [Floating point code exampleSCompute inner product of two vectors Single precision arithmetic Common computation*%/%/\Inner product stack trace]Final observationsWorking with strange code Important to analyze nonstandard cases E.g., what happens when stack corrupted due to buffer overflow Helps to step through with GDB IA32 Floating point Strange  shallow stack architecture '?&'?  &/h^ghijklmnopqrstxy z!{"|#}$~%O   0` .T3f` T3f3f` 999MMM` lff3f3޲` eoHff33Ҷ` ff!` T3f3fffq` T3f3fff[>?" dd@ ?nPd@ d " @ ` n?" dd@   @@``PR   @ ` `$p>>  C; ,(  , , s *Ɖ "`0  T Click to edit Master title style! ! , c $tɉ "@0  RClick to edit Master text styles Second level Third level Fourth level Fifth level!     S  , c $DΉ ":   AEECS 213 Introduction to Computer Systems Northwestern University2B0(2* 3 3 , Nff??"` , Nff??"` F   ," , Nff??" , Nff??"  , Nff??"  , Nff??"`  , c $׉ "ce  L*"0(2Z , B޽h))? ? T3f3fff[ 0___PPT10.Zj&___PPT92p22 1_aqualab01R  0  0@(  0~ 0 Hff??"A 0 0$ "    A Click to edit  0 <' "   T Click to edit Master title style! !T   0 "  0 T+ff??"  4 0 0 Td.ff??"  4 0~  0 Hff??"A~  0 Hff??"A  0 RAk B?nwu-seal-gray"@P%  0 c $3 "`0   !Fabin E. Bustamante, Spring 2007H"0(2 3& 3& 3Z 0 B޽h))? ? T3f3fff[80___PPT10.Zj&( 0 d8(  d  d Nyy .   v* a11aa d Nyy 2 .  x* a11aad d c $ ?  4 d Nؓyy 9 3  RClick to edit Master text styles Second level Third level Fourth level Fifth level!     S d Tyy q   v* a11aa d TĪyy q2   x* a11aaH d 0ηo~ ? 3380___PPT10.eۡ ((    N_ yy .    \* a11aa  N(l yy 2 .   ^* a11aa  THo yy q    \* a11aa  T$x yy q2    ^* a11aaH  0ηo~ ? 3380___PPT10.dz͓ 0L0  $(   r  S <03  r  S =0    H  0޽h ? GGGy___PPT10Y+D=' i= @B +  0 & @ (  @ r  @ S  ),`0   x @ c $),@0  2 @ H0+3o?"` P  H AIM server" 0  2 @ T/3o?"`p p  H AIM client" 0  2 @ TX43o?"`  H AIM client" 0  2 @ T23o?"` X  H MSN client" 0  2 @ H<3o?"` "  H MSN server" 0  B  @  `Do? , B  @  `Do? |, B  @ ZDo?  B  @  `ZDo?k +H @ 0޽h ? GGGy___PPT10Y+D=' i= @B +m  0 D $(  D r D S x_,`0   r D S Z,@0  H D 0޽h ? GGGy___PPT10Y+D=' i= @B +  0  H (  H r  H S p,`0   r  H S q,@0  T H  f$swawa?1?"`   /* Get string from stdin */ char *gets(char *dest) { int c = getc(); char *p = dest; while (c != EOF && c != '\n') { *p++ = c; c = getc(); } *p = '\0'; return dest; }"0 # D$ H H 0޽h ? GGGy___PPT10Y+D=' i= @B +  0 &L (  L ~ L s *p,`0   b L  fXwawa?1?"`0 0~  @int main() { printf("Type a string:"); echo(); return 0; } A0 A!$ &  L  fTwawa?1?"` d/* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf); } e0 e!,I H L 0޽h ? GGGy___PPT10Y+D=' i= @B +~  0 P 5(  P ~ P s *$,`0   ~ P  f(wawa?1?"` $unix>./bufdemo Type a string:123 123X%0 ! !!!!$ s P  f wawa?1?"`  5unix>./bufdemo Type a string:12345 Segmentation Fault<60 !!!$( v P  f²wawa?1?"` 7  8unix>./bufdemo Type a string:12345678 Segmentation Fault<90 ! !!$+ H P 0޽h ? GGGy___PPT10Y+D=' i= @B +3  0 ZRT (  T ~ T s *߲,`0   A T  fwawa?1?"`   echo: pushl %ebp # Save %ebp on stack movl %esp,%ebp subl $20,%esp # Allocate space on stack pushl %ebx # Save %ebx addl $-12,%esp # Allocate space on stack leal -4(%ebp),%ebx # Compute buf as %ebp-4 pushl %ebx # Push buf on stack call gets # Call gets . . .B 0 ##W#  % & (  T  fDwawa?1?"`pk d/* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf); } e0 e!,I M F 0  T  pH  T  <jJ @  HReturn Address0 T  <hfjJ @  r Saved %ebp* 0 T  <jJ p@  =[3]0  T  <jJp `@  =[2]0  T  <pjJ` P@  =[1]0  T  <jJP @@  =[0]0  T  B@@ T  Ubuf0`B  T B 0Do@ 0  T  B`   ^%ebp0 T  6"o0@  ZStack Frame for main*0 T  <'fo@ @  ZStack Frame for echo*0 T  # l o11?0@ H T 0޽h ? GGGy___PPT10Y+D=' i= @B +#  0 ##..X "(  X  X  0P5,`0    X H68c?Qp \Before call to gets,0  X 6<8c?V  Bunix> gdb bufdemo (gdb) break echo Breakpoint 1 at 0x8048583 (gdb) run Breakpoint 1, 0x8048583 in echo () (gdb) print /x *(unsigned *)$ebp $1 = 0xbffff8f8 (gdb) print /x *((unsigned *)$ebp + 1) $3 = 0x804864d0       )   !  (*9 X 6M8c?Ip Q 8048648: call 804857c 804864d: mov 0xffffffe8(%ebp),%ebx # Return Point.R0 C('M F 0  X   X  <HZjJ @  HReturn Address0 X  <4 fjJ @  r Saved %ebp* 0  X  <pbjJ p@  =[3]0  X  <`jJp `@  =[2]0  X  <ijJ` P@  =[1]0  X  <mjJP @@  =[0]0  X  Bq@ Y  Ubuf0`B X B 0Do@ 0  X  Blu`   ^%ebp0 X  6,zo0@  ZStack Frame for main*0 X  <4fo@ @  ZStack Frame for echo*0 X  # l o11?0@ F ` X    X  N48c?   F 0xbffff8d8 0 " X   BCDE4F8c? `z*@RbAZ  @    ` P  X  <@jJ` 0  HReturn Address0 X  <fjJ`  r Saved %ebp* 0 X  <8jJ` P p  =[3]0 X  <jJP @ p  =[2]0 X  <hjJ@ 0 p  =[1]0 X  <jJ0 p  =[0]0 X  BH {  Ubuf0 X  6po` ` 0  ZStack Frame for main*0 X  <fo` p  ZStack Frame for echo*0 N P p   X  ` 0 p <T p 0   X # P 0   !X  <fjJp 0  <bf0 "X  <سfjJ p 0  <ff0 #X  <lfjJ p 0  <f80 $X  <fjJ p 0  <f80<T  ` @  %X # P p 0  &X  <jJ ` p  <080 'X  <³jJp ` `  <040 (X  <tƳjJ` ` P  <860 )X  <TʳjJP ` @  <4d0 *X  <ͳjJP @  <xx0 +X  <ѳjJ@ 0  <xx0 ,X  <dԳjJ0   <xx0 -X  <سjJ    <xx0 .X  # l o11?` ` H X 0޽h ? GGGy___PPT10Y+D=' i= @B +*  0 !!..\ 1!(  \ ~ \ s *,`0    \ HP8c? 4  [Before Call to gets,0  \ H8c?P 7,$ 0 bInput =  123 ,0   \ H(8c? ,$ 0 F No Problem 0  3z `pv  \  p  ,$D 0 \  N08c? v  F 0xbffff8d8 0 " \   BCDE4F8c? `z*@RbAZ  @    `@`   \  <PjJ@@  HReturn Address0  \  <fjJ@  r Saved %ebp* 0  \  <ljJ@ 0  C[3]$0!  \  <DjJ0  C[2]$0!  \  < jJ   C[1]$0! \  < jJ  C[0]$0! \  B< [  Ubuf0 \  6Ho@p @ ZStack Frame for main*0 \  <fo@  ZStack Frame for echo*0 T P p   \ # @@ <T p 0  \ # P 0   \  <fjJp 0  <bf0 \  <x!fjJ p 0  <ff0 \  <fjJ p 0  <f80 \  <fjJ p 0  <f80<T  ` @  \ # P p 0  \  <,jJ ` p  <080 \  <1jJp ` `  <040 \  <4jJ` ` P  <860 \  <3jJP ` @  <4d0 \  <7jJP @  B00$0! \  <P;jJ@ 0  B33$0! \  <?jJ0   B32$0!  \  <BjJ    B31$0! !\  # l o11?@p M F 0  "\  pP  #\  <KjJ @  HReturn Address0 $\  <FfjJ @  r Saved %ebp* 0 %\  <XTjJ p@  =[3]0 &\  <YjJp `@  =[2]0 '\  <\jJ` P@  =[1]0 (\  <VjJP @@  =[0]0 )\  B[@ T  Ubuf0`B *\ B 0Do@ 0  +\  BPc`   ^%ebp0 ,\  68lo0@  ZStack Frame for main*0 -\  <kfo@ @  ZStack Frame for echo*0 .\  # l o11?0@ H \ 0޽h ? GGG___PPT10`+jD' i= @B D' = @BA?%,( < +O%,( < +DA' =%(D' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*\ %(D4' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*\ %(DA' =%(D' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*\ %(+p+0+\ 0 ++0+\ 0 +3  0 &% 00` %(  ` ~ ` s *,`0    ` <t8c?4,$ 0 r Input =  12345 60 ` ` 68c? ,$D 0  8048592: push %ebx 8048593: call 80483e4 <_init+0x50> # gets 8048598: mov 0xffffffe8(%ebp),%ebx 804859b: mov %ebp,%esp 804859d: pop %ebp # %ebp gets set to invalid value 804859e: retN0  !!t9$) ` H8c? R  P echo code:* 0  ` # l jJ11? y/ .00 /# ?z   `   ,$D 0 `  Nt8c? `4 F 0xbffff8d8 0 "  `  BCDE4F8c? `z*@RbAZ  @        `  <<jJ  ` HReturn Address0  `  <\fjJ `  r Saved %ebp* 0  `  <jJ   C[3]$0!  `  <jJ   C[2]$0! `  <jJ   C[1]$0! `  <LjJ   C[0]$0! `  B  Ubuf0 `  6o   ZStack Frame for main*0 `  <(fo   ZStack Frame for echo*0 T P p   ` #   HT p 0  ` # P 0   `  <ϵfjJp 0  <bf0 `  <ӵfjJ p 0  <ff0 `  <XҵfjJ p 0  B00$0! `  <\ֵfjJ p 0  B35$0!<T  ` @  ` # P p 0  `  <LڵjJ ` p  <080 `  <jJp ` `  <040 `  <jJ` ` P  <860 `  <jJP ` @  <4d0 `  <jJP @  B34$0! `  <jJ@ 0  B33$0!  `  <4jJ0   B32$0! !`  <\jJ    B31$0! "`  # l o11?  M F 0  #`  8P  $`  <DjJ @  HReturn Address0 %`  <fjJ @  r Saved %ebp* 0 &`  < jJ p@  =[3]0 '`  < jJp `@  =[2]0 (`  <jJ` P@  =[1]0 )`  <LjJP @@  =[0]0 *`  Bl@ T  Ubuf0`B +` B 0Do@ 0  ,`  B`   ^%ebp0 -`  6 o0@  ZStack Frame for main*0 .`  <%fo@ @  ZStack Frame for echo*0 /`  # l o11?0@  0` # l\* jJ11?@`{ ,$ 0 RSaved value of %ebp set to 0xbfff0035 Bad news when later attempt to restore %ebpZS0  &,<H ` 0޽h ? GGGR J ___PPT10* +%ȸDf ' i= @B D! ' = @BA?%,( < +O%,( < +DA' =%(D' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*` %(D4' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*` %(DA' =%(D' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*0` &%(DA' =%(D' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*0` 'S%(DA' =%(D' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*` %(++0+` 0 ++0+` 0 ++0+0` 0 ++  0 7%/%013d $(  d r 2d S G,`0    d < I8c?`G ^$Input =  12345678 0 M F 0  d  P  d  <hEjJ @  HReturn Address0 d  <QfjJ @  r Saved %ebp* 0 d  <VjJ p@  =[3]0 d  <HZjJp `@  =[2]0  d  <pjJ` P@  =[1]0  d  <\jJP @@  =[0]0  d  B`@ T  Ubuf0`B  d B 0Do@ 0   d  Bi`   ^%ebp0 d  6Lno0@  ZStack Frame for main*0 d  <lfo@ @  ZStack Frame for echo*0 d  # l o11?0@ 9 d 6@{8c?@P Q 8048648: call 804857c 804864d: mov 0xffffffe8(%ebp),%ebx # Return Point.R0 C('pz  0  d  0  ,$D 0 d  N<8c?  F 0xbffff8d8 0 " d  BCDE4F8c? `z*@RbAZ  @      p  d  <jJ   HReturn Address0 d  <fjJ   r Saved %ebp* 0 d  <LjJ  @ C[3]$0! d  <jJ  @ C[2]$0! d  <șjJ  @ C[1]$0! d  <@jJ  @ C[0]$0! d  B0 T Ubuf0 d  6o 0  ZStack Frame for main*0 d  <ĩfo @  ZStack Frame for echo*0 T P p   d #   @TT p 0  d # P 0    d  <fjJp 0  B38$0! !d  <fjJ p 0  B37$0! "d  <,fjJ p 0  B36$0! #d  <tfjJ p 0  B35$0!BT  ` @  $d # P p 0  %d  <,jJ ` p  <080 &d  <L¶jJp ` `  <040 'd  <jJ` ` P  <860 (d  <ĶjJP ` @  B00$0! )d  <ȶjJP @  B34$0! *d  <p̶jJ@ 0  B33$0! +d  <<жjJ0   B32$0! ,d  <ԶjJ    B31$0! -d  # l o11? 0   .d   BCDE(FԔ? PP@@ 8@` @    ``  /d  3 r׶ jJ11?    KInvalid address 0 Z 0d   fL jJ11? `  h*No longer pointing to desired return point"+0 Z+5 1d <8c?0  ,$ 0 !%ebp and return address corrupted6"0 H d 0޽h ? GGG___PPT10+D' i= @B DF' = @BA?%,( < +O%,( < +D4' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*d %(DA' =%(D' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*1d "%(+8+0+1d 0 +  0 @h G(  h r h S ,`0    h s *, P  Input string contains byte representation of executable code Overwrite return address with address of buffer When bar() executes ret, will jump to exploit codeBZr 4aYiJ h  fwawa?1?"`^  4void bar() { char buf[64]; gets(buf); ... }50 5   2 h  fwawa?1?"` void foo(){ bar(); ... }0   h < 8c?p@ c gStack after call to gets()00  h <\$8c?G ?B"0  h B)8c?G 6"0 v  h N o?wv  h N o?   h 64.8c?x G  ? "0   h Z0 o?4 Lreturn address A 0 B  h ZDo?P h T4 o?& gfoo stack frame"0   h T8 o?H&P  Mbar stack frame"0  h Z= o?   ?B"0 B h ZDo?x ~x  h N?o?Fh  J exploit code" 0   h NDo?F Apad"0 vr h N o?"R(  h TB o? 0  cdata written by gets()00 H h 0޽h ? GGGy___PPT10Y+D=' i= @B +  0 Pl <(  l ~ l s *W,`0   ~ l s *pX,@0  H l 0޽h ? GGGy___PPT10Y+D=' i= @B +s  0 `p *(  p r p S 0t,`0   x p c $t,@0  H p 0޽h ? GGGy___PPT10Y+D=' i= @B +s  0 pt T(  t r t S ,`0    t s *<,@0  ,4aYi t <x8c? ,$ 0 \Later determined to be from MS"0 2H t 0޽h ? GGGWO___PPT10/+UND' i= @B D' = @BA?%,( < +O%,( < +D' =%(D,' =%(Do' =4@BBBB%(D' =1:Bnormal*3>)B!style.fontStyle= `B<*t (lD' =1:B bold*3>+B#style.fontWeight= `B<*t (lD' =1:B false*3>EB=style.textDecorationUnderline= `B<*t (lDo' =4@BBBB%(D' =1:Bnormal*3>)B!style.fontStyle= `B<*t lD' =1:B bold*3>+B#style.fontWeight= `B<*t lD' =1:B false*3>EB=style.textDecorationUnderline= `B<*t lDo' =4@BBBB%(D' =1:Bnormal*3>)B!style.fontStyle= `B<*t D' =1:B bold*3>+B#style.fontWeight= `B<*t D' =1:B false*3>EB=style.textDecorationUnderline= `B<*t Do' =4@BBBB%(D' =1:Bnormal*3>)B!style.fontStyle= `B<*t %D' =1:B bold*3>+B#style.fontWeight= `B<*t %D' =1:B false*3>EB=style.textDecorationUnderline= `B<*t %DA' =%(D' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*t %(+8+0+t 0 +P  0L0 _W (   ~  s *$ڷ,`0   ~  s *ڷ,@0     fTܷwawa?1?"`  o/* Echo Line */ void echo() { char buf[4]; /* Way too small! */ fgets(buf, 4, stdin); puts(buf); } p0 p!>I  H  0޽h ? f33f3y___PPT10Y+D=' i= @B +   0L0   L(   r  S |,`0     S ~wawa1 ?,@0    B@8c?P _!Instruction decoder and sequencer""0 "  B8c? :E  AFPU"0   B8c? 0E  J Integer Unit" 0  pB  HD8c?P PQl pB  HD8c?P l dB  <D8c?dB  <D8c?01EjB  BD8c?jB  BD8c?  H8c?p   DMemory"0 H  0޽h ? GGGy___PPT10Y+D=' i= @B +[ ! 0 z (   ~  s *`,`0   ~  s *8,@0  F `@A   `@q   B48c?PA =s 0    Bx8c?PA ?exp 0    B#8c?A Zfrac 0    H\'8c?@ =0 0    H8+8c?`P >63 0    H8c? >64 0    H)8c?  >78 0    H18c?`P >79 0 W  Z\5wawa1 ?`Pp 0 uFPU registers 8 registers Logically forms shallow stack Top called %st(0) When push too many, bottom values disappear<h5,  H>8c?@@ Lstack grows down 0 F @PRw     27l   <8c? P   <DD8c?@ w  H  Top  0 rB  BD8c? l   <8c? l   <8c?  l   <8c? P `B   0D>? PP   NI8c? Rd  F%st(0)$0    NL8c?R  F%st(1)$0    N`Q8c?R F%st(2)$0    NDT8c?PR$ F%st(3)$0 H  0޽h ? GGGy___PPT10Y+D=' i= @B +` " 0  (   r  S a,`0   ~  s *tb,@0    Htd8c?  gInstruction Effect Description fldz push 0.0 Load zero flds Addr push M[Addr] Load single precision real fmuls Addr %st(0) <- %st(0)*M[Addr] Multiply faddp %st(1) <- %st(0)+%st(1); pop Add and pop 0 !   "!  +^ H  0޽h ? GGGy___PPT10Y+D=' i= @B +  # 0L0    ? (   r  S l,`0     S ~mwawa1 ?,@0    N`nwawa1?"`.  3float ipf (float x[], float y[], int n) { int i; float result = 0.0; for (i = 0; i < n; i++) { result += x[i] * y[i]; } return result; } 0 >0k  Bg ?"`  l pushl %ebp # setup movl %esp,%ebp pushl %ebx movl 8(%ebp),%ebx # %ebx=&x movl 12(%ebp),%ecx # %ecx=&y movl 16(%ebp),%edx # %edx=n fldz # push +0.0 xorl %eax,%eax # i=0 cmpl %edx,%eax # if i>=n done jge .L3 .L5: flds (%ebx,%eax,4) # push x[i] fmuls (%ecx,%eax,4) # st(0)*=y[i] faddp # st(1)+=st(0); pop incl %eax # i++ cmpl %edx,%eax # if i?    Nѻ8c? P  F%st(0)$0    <ջ8c?  2. flds (%ebx,%eax,4) J0   Hۻ8c?p =0.00 XB  0D>?  NT8c?R  F%st(1)$0   H|8c?p0  >x[0]0   N8c?pP D  F%st(0)$0   <\8c?   3. fmuls (%ecx,%eax,4) <0   HP8c? p  =0.00 XB  0D>?    Nt8c? P  F%st(1)$0   H8c?p 0  C x[0]*y[0] 0    N8c?p N D  F%st(0)$0   <8c?     4. faddp J 0   H 8c?  G 0.0+x[0]*y[0]0 XB  0D>?    N8c? P  F%st(0)$0    <8c?  5. flds (%ebx,%eax,4) J0   H8c? p C x[0]*y[0] 0  XB  0D>?   Nt8c? F%st(1)$0   H!8c?p 0  >x[1]0   N\8c?pD  F%st(0)$0   <8c?   6. fmuls (%ecx,%eax,4) <0   HL.8c? p  C x[0]*y[0] 0  XB  0D>? ~   N28c?   F%st(1)$0  ! HP78c?p ~ 0  C x[1]*y[1] 0   " N0;8c?p D  F%st(0)$0  # <|=8c?    7. faddp J 0  $ HD8c?  20 XB % 0D>? ~  & NG8c? 2 F%st(0)$0  ' N L8c?  Mx[0]*y[0]+x[1]*y[1]0  ( HO8c?P JInitialization 0  ) H8R8c?pPY G Iteration 0 0   * HV8c?p  G Iteration 1 0  H  0޽h ? GGGy___PPT10Y+D=' i= @B +m % 0  $(   r  S X],`0   r  S d,@0  H  0޽h ? GGGy___PPT10Y+D=' i= @B + a 0   (   X  C d     S d9 3    H  0ηo~ ? 3380___PPT10.ph1 j 0  (   X  C d     S ]d9 3    H  0ηo~ ? 3380___PPT10.1 k 0  (   X  C d     S md9 3    H  0ηo~ ? 3380___PPT10. 1 l 0  (   X  C d     S \d9 3    H  0ηo~ ? 3380___PPT10.0 1 m 0  (   X  C d     S d9 3    H  0ηo~ ? 3380___PPT10.0 1 n 0  (   X  C d     S ܲd9 3    H  0ηo~ ? 3380___PPT10.0 1 o 0  (   X  C d     S <2d9 3    H  0ηo~ ? 3380___PPT10.0 1 p 0  (   X  C d     S d9 3    H  0ηo~ ? 3380___PPT10."1 q 0   (   X  C d     S 쀵d9 3    H  0ηo~ ? 3380___PPT10."1 r 0 0 (   X  C d     S Dd9 3    H  0ηo~ ? 3380___PPT10.p#1 s 0 @ (   X  C d     S d9 3    H  0ηo~ ? 3380___PPT10.p#1 t 0 P (   X  C d     S Td9 3    H  0ηo~ ? 3380___PPT10.$%1 u 0 ` (   X  C d     S qd9 3    H  0ηo~ ? 3380___PPT10.&1 v 0 p (   X  C d     S ]d9 3    H  0ηo~ ? 3380___PPT10.P1(1 w 0  (   X  C d     S d9 3    H  0ηo~ ? 3380___PPT10.P1(1 { 0  (   X  C d     S pd9 3    H  0ηo~ ? 3380___PPT10.>+1 | 0  (   X  C d     S Ld9 3    H  0ηo~ ? 3380___PPT10.>+1 } 0  (   X  C d     S ^d9 3    H  0ηo~ ? 3380___PPT10.>+1 ~ 0  (   X  C d     S  d9 3    H  0ηo~ ? 3380___PPT10.0,1  0  (   X  C d     S d9 3    H  0ηo~ ? 3380___PPT10.0,1  0  (   X  C d     S `d9 3    H  0ηo~ ? 3380___PPT10.0,1  0   (   X  C d     S xvd9 3    H  0ηo~ ? 3380___PPT10.K.1r CHQY`=eFohvqsx}I bBSVYW}nr{Uzg.BVj~xp 2~1Oh+'0T hp    (0 CS 343 OSFabian E. Bustamante aqualab01Fabian E. Bustamante99Microsoft PowerPoint@@ @QZ@@TGSg  )'    """)))UUUMMMBBB999|PP3f333f3333f3ffffff3f̙3ff333f333333333f33333333f33f3ff3f3f3f3333f33̙33333f333333f3333f3ffffff3f33ff3f3f3f3fff3ffffffffff3ffff̙fff3fffff3fff333f3f3ff3ff33f̙̙3̙ff̙̙̙3f̙3f333f3333f3ffffff3f̙3f3f3f333f3333f3ffffff3f̙3f3ffffffffff!___www LMEM4'A x(xKʦ """)))UUUMMMBBB999|PP3f3333f333ff3fffff3f3f̙f3333f3333333333f3333333f3f33ff3f3f3f3333f3333333f3̙33333f333ff3ffffff3f33f3ff3f3f3ffff3fffffffff3fffffff3f̙ffff3ff333f3ff33fff33f3ff̙3f3f3333f333ff3fffff̙̙3̙f̙̙̙3f̙3f3f3333f333ff3fffff3f3f̙3ffffffffff!___wwweeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeϮϮϮϮϮϮϮϮϮϮϮϮϮϮϮϮϮϮϮϮ՜.+,0  $ , On-screen Show$CompSci - Northwestern Universityx  ArialTahomaTimes New Roman WingdingsVerdana Helvetica Courier New MS MinchoTimes 1_aqualab01-Machine-Level Prog. V Miscellaneous TopicsInternet worm and IM war!Internet worm and IM war (cont.)String library codeVulnerable buffer codeBuffer overflow executionsBuffer overflow stackBuffer overflow stack exampleBuffer overflow example #1!Buffer overflow stack example #2!Buffer overflow stack example #3!Malicious use of buffer overflow#Exploits based on buffer overflows#Exploits based on buffer overflows!Email from a supposed consultant Avoiding overflow vulnerabilityIA32 floating pointFPU data register stackFPU instructionsFloating point code exampleInner product stack traceFinal observations  Fonts Used Design Template Slide Titles,_"0Fabian E. BustamanteFabian E. Bustamante  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnoqrstuvwyz{|}~Root EntrydO)Pictures2Current UserxSummaryInformation(EUPowerPoint Document(MFDocumentSummaryInformation8p