From 474540052869efd2547888c15674b990b20a7004 Mon Sep 17 00:00:00 2001
From: hfiref0x
Date: Tue, 8 Aug 2023 14:13:00 +0700
Subject: [PATCH] v 1.3.7 Start switch added (Fuzz syscall table starting from given syscall id, mutual exclusive with -call) Internal rearrange Readme update with fresh 24H2 bug Rtls update
---
Compiled/NtCall64.exe | Bin 86528 -> 87040 bytes
Compiled/badcalls.ini | 1 +
LICENSE.md | 2 +-
NtCall64.sha256 | 47 +--
README.md | 9 +-
Source/NtCall64/fuzz.c | 297 +++++++-------
Source/NtCall64/fuzz.h | 27 +-
Source/NtCall64/global.h | 49 ++-
Source/NtCall64/log.c | 10 +-
Source/NtCall64/log.h | 8 +-
Source/NtCall64/main.c | 229 +++++++----
Source/NtCall64/minirtl/strtou64.c | 4 +-
Source/NtCall64/minirtl/strtoul.c | 70 ++--
Source/NtCall64/ntbuilds.h | 90 +++++
Source/NtCall64/resource.rc | Bin 5280 -> 5280 bytes
Source/NtCall64/{util.c => sup.c} | 491 +++++++++++++-----------
Source/NtCall64/sup.h | 68 ++++
Source/NtCall64/util.h | 55 ---
Source/NtCall64/wfuzzer.vcxproj | 5 +-
Source/NtCall64/wfuzzer.vcxproj.filters | 7 +-
Source/NtCall64/wfuzzer.vcxproj.user | 2 +-
21 files changed, 837 insertions(+), 634 deletions(-)
create mode 100644 Source/NtCall64/ntbuilds.h
rename Source/NtCall64/{util.c => sup.c} (68%)
create mode 100644 Source/NtCall64/sup.h
delete mode 100644 Source/NtCall64/util.h
diff --git a/Compiled/NtCall64.exe b/Compiled/NtCall64.exe index c444a1f7af3263ae045811e01d4b61b39de0aeb2..85e2a0a9c276325e3b3e051bc719b94b12b81d49 100644 GIT binary patch literal 87040 zcmeFadwg8Qkw1DyFUt=xGFYGx9%G__!H+1GLu3p=M>->)fzbm!Fu{O5){LZC%QMP6 zESZpCuk1w9Ve;XZg#G2WOR^*z^2^O-ZwT4gKp>HA@Pnr@zXSr=#33Y+QD9BT4-DBb z_gmH7=P@I(xqsdJ#~rYGPIq;6b#--hRdx57wj1x%N;OR@!@qo9(;h@hpCb=nFr+v}Z7$4h*M~1F6WiKwl)0NM-_CVu4gP5r`)OMn`vGTQVA3 zRaLd1PNI&+zB4~icH~C&Z}+WFZd{7zt+yTBcq!)}y|EAJ+RsjHyqr@}zV@@9ypiAn zWt%u%``IVBURS(tkZ=`J-Wk-i=oc!qb6$8Zs>)7j7ikMi&ZyI_Ku)bsWYhO*{@TPj z^u0vWDv+puTzV%;!L+^K^?`qzcd1IUE}*{3ZlN80J5|DDgU zPkZESO?&K@ns%O(`(Jz4+rfovODg3(y|9*~tu1}MuO|2RhfZRv=Lo}{&cNoYBUn-sI zLlN@?ykVwaJ{w$YC<#E~kp^CAwMeflf@?_4ww@+)m54kLv^+0M5ZpVLGRIf z_3QNw=B_`I{D-Y~&D?EufrcqF*Hae=Sy)`?%Dp1aPMujxebPcGksFqkeu#Xgjth^O*3(}eS@jPuoyl}CeS;H~e4a<^BT z6SspgSL=-zWRfB4keQ!qtj)d~T7HOIK@+(_pOI^>HcEe&ulX6K2Iv8WnQncu;^Fcd zO>46b&786I_)`B*rW%fg@>BYxwtFi3#>92irnMfZb^KdvPE_jo^_AA+;nGv)L`P+C z-S1L&geE@uWAIkn^K$kKbI;ouunisBfi}XqyX$CNtb-wIV|~cl+7z`j7zkT`3Zs)D>lyIy0bj%G`I@W23XBZ% z_qWW#!9c^?hBaE(R{DlvZ9cE9^!>Kd->)5B;{O6hN7McL7LDlEd3QALy0Rf`J@=r0 z&o_~6TH(6Q%pLu~Y7m*P`N>r@22+f95)jRn(NNZKT%XX^Zm8XUW5{~ezt6YsP^Jn} zFt)#B-G}=+)%D7Z|*ss`A{4FEHTC_ z!`5*Oj+x(YOwJENx_)(tNHOY$^N)uofM;hVVVIzdL+eJC`2YT@d_HelH`NVVkDFtU z1#H&ca`VBbXg*-*o%uj>fw}gcX}y`Rsly-~HtL!nf<`~S7*@IA-`BJREUj%TJwo3r zf}nO--?g?=UmwiY=sS0mg|lZMDZe&54@rfVSr8iAzf2#S%Fp~M81yX<9>dou-wkyFqnr(?KIwwvK4}C0Z=ib4~N~Qlq{U5A&?DdVONv{XX65sV^Nn zfP!O`ZI=E#G_j%Dl`C>8XZ}g*i%eZLsfYkLyZ^Nkp7Yk54O0)%V6|Dt-uhnd#_?d55D*IWyh8rCOHps9wJb?X^(Vt3vB#PNx{>+V5n zy|wG){pW*>n?Y3OhFvGG#&~3|+V$?8MB7EyhI)u&<*xTMuweT&7>%*VZg5G~#)A)^ zfn|2>hWhMp&DzA2UN257$N8NW(L*MnjwoKE~%b-L2yW^1h zwVUewUx&g5f5qL0e{NZVzEt z>&u*BS`(}=_8iT=HZ$MMeWncT%gzH?qYr>_kLMo`O{{rrU9vuXfujDT2|h4i(8Vo) zn*R4XO}pQB@}0lt^U%j)jpaE5Rnh?E^NU?;sl8M+DtsCh@-+v+c$yqmx|&q}lCafM zYju}d3#TXk6Y6U04PW+;CMd;P@NB;3M}TfPny<+seJX7IGBmNVk|yLmU|=ZMf)(c7 zuyr&v(Xw+aS{K0Zl#hVKhT~Kx!Y#eXO8MJ>w>DrHj^t~WBLAuqh=G64Ze))=0Xm<| 
z*PKh>xtb4y%KPWjgsTrNhrEXC>c@Rhx|3xKu&VtT-!V${jVR90qQ3JAEqmJXPoKU> z({|ogR}U1jXliF8iqP-P6HLqNbcKS^Ki z7PE2JW7Ne>2b+4kueWWL+5nx=i17NIR9!Ut^tj zYUT``qY%XkdK<{fSCBwsZT!5tijiD@L+0kQ3;l#KO5r#;!UT~7_IAM z<`|6^fjRA!(=ROr9`x5K+ix^3CGM1`@276;H^wjJm2CwGdOiE5F}~Dy}D<@ntG@9VD)=yQSVg_5uLHxth@T0Y@C)vl(L)UVaQ6>P2370&8Nh;bj`Jb7{nk zoJEt%deWH4-H&k&TWgNYfRu2ZX+1xE8HPG+p$d#ctV|PMClFL`!>kMHlV=pzZu_O} zR*9i}!_2kcU|PPJ#pb&GnZ;{6tNpvHK#OUSg_3>EnD{!$74gD)vL8qyuy|Pjg zt?&Pj5=aS4hc3k9En~da%-uy@G8(^5i4>7@v!`|I==8n|+1|B5axRbsEGcXMFF;H_ zZZ1Dy@TeP;Wz|8<$v1WDSz~;`be1vX%^X)X8Xr{{Fu-dW!#rTnCw~TU8(&OQdPyZs zMPqy|@#Ir1Yr)1(W!l2aF_Aji`qD|zuGA;X&S0T1tpmZvE6>QDm|1ps5Agu~&`!Sf zem+m)c23CpU-$PG3D8=@`VsR>jA#&zHMq!w>^8EZ82wi$ia>#)Fvc4nT!2PqE}yMR z3{`ZJ*(1idhN%di_?RcCX6>P2@$Z8YV~$MM6NAwBd}HEKqGzVd+CxGi1sG#VVjXW? zG>x^HBp3x)XdTHur{2c~W}^WvEd<~_ey+WYMSc3F_wspTk~L5MAd4P}_1}je{0}cg z7oeQZ2ffqZy#U{LJw{qgSq`^sWScZxS6N`g)P}7C;oSLG9S7;F--fPVecYH>Qx{zQ zddNE6Fr`0GoijfQGwcRmZn#YM?_C=%ebRb%EFT*QjO~AE?A@zJBIbiWe9-=s>Hn7_ z>Ff0I(bD^yX7sU>{h7;`Kbg5~*U1T#X3iZuS(2$*_hj~Cfbca<9-6s;zT96jb2ieF z`vXvm^>fx=v?X#9%-69TzBfq zrffv_Km6JSc$%6nz33nn>f=rGGH2!Jx{KM*(XU<>!GQKqJetpMT zfO>rF#O=-geJg7H`~JOuKeX-S=%S$Y5^1kB)Sj8UYTy{O*8#Lfjr#ZA(MW*}v-F9k z-T$_hzGfEcyPl**gA+F_ZF>80pMUpN5KVpTNgw6t)?b2?AJ-?J362j}>63@1PFB>- z)2H4j)p!1W-gvlfR3A6b7>7Ru?o|WEzx(CPxd8X?J^1_yIP#;rr*?>)Bj-O}ubA!UaqpEPqzFtN(N{Vep^ zm1wMK=}Z}+HSlM&>Fq;-OkCgjm(uLQ zD(y}p2IV*ClgEja(w(ooj}(~m;1-y+07Gl~4YDj==bZ9qDDfLdW-1#OXBLu!X|8)V z`_@dAf3NNXEzh4oM=SMR=2FJ)-}_Y4zH;k18VPgkwLs=0W3Tx#3+T^>#@_Q~gLa@MqU+ci^vo_a6Km zd#@yOEBD8wHel)0e2FQox*5sL8F=my&!0kKNTN&4bx&mfG}F_x`!l{wJ4nY0B1m65 zb2Z_)V(esRX35yeY-ZWm$;Fv7$v-I{dpD4UXdIfKJ!|GeNGoRECdxA9#ue{u7k!3{ zu1{X)gDYA>MI&cpSl`Y<`kyYDS%B~FWHASxuEwxF8H9vfLU?P(-t}>pv!Bv`R06!! 
z*-sdgCui#QABp^#i@BIeGSxf(Qlb0rdR%}1X?^GKN@f-|UGZy7?AI}^PZAq4S6=ap zY@<#O=scjlBO$O$S%^~KIl^zLiwX0?P;Rw zGWxS*?A?;=3MiGqrIotngRq=Gb3Q-LL%hP*&l!uTwI-+-pgrHP*3$cxderkm?DsrN-|b}j<`lBYfkZ}qA~;k z!H?Z1GiOpsrKd8mmt@Y+=bKAGlIVU7w^&bYRkLB_3zr_HhGy0%&Q@lBM5y4O+hzZZ zS^>0xT4hwr#%5fGm`rfIQs4Qmf4iS$y%Xg>@au;(KRUl3erl~+Z8qI<^G1pvk-tLT z#1y(_mFN#bw`lLYXj<<*jF@p#@WV$WA zPUJHK@H-BEhpl|r$4%koQ?wv9v5^6zldO!l@IZNuFv!U8*}rowc?ayZaInK%{zN!; zN8O8P#XuMlhIA8q1qTr!yx(U|Y^t0oq1eaWb(k}>d`=rKOg&V(^|AT*ZG`*(i{It%uu4$6P9k=>f`a+tcXVuKB@ z7uarC;^FofjYHD!F&Zx;yY0wy9udIV%Al#f2CwUf@Z%0cTP{B^z5tf`>P z%-+RpD5NV_^}nI;ihMZ`I6F8Tyf8v+AZ>pbHrPBGT8IW133ohSGY!8#xaZZ(e15w1 zG8&D$>u9_X*=a;%rzvE8)*bYOjnvdlQ93x*Q2%#+mmKOzU?C&*!%(Z=Ko0x3k5i^~ zEh4YGPNVZQT5+oXuoQW9oy_NX( z*7smbQ&!u=#i+Qso)DteARb1W@bH%Z_TWy+3FK@3571V6_0F z@5`7J5KkHTnhO~tun{E`X0FKBY(&!vzsLz8XHVWgz6fjyS(kHAjr<&1gGVrk-~4B) z@r;@KZ2feQOnC@j2%cfC=AT8$#JuU1ls~Z^A)cwsN|bzEluXx%{7TBNp$LOHlh4D4 zyAk623+SO4#Gk6}!50yI`#fBPlV2w8<*HsmZocO3iwSW{Ef8ekB3Hdim5zrj7!{wb zH?0?@KXQ^0QrR?>?KK+vN;2nTF5rtVw~M@Ozp;PaycB`FP9R?)LcW5)O2|6f96O3o zU*Zxu0|2t%e}aY-qDmIzzUqHL*G#{B4v2sT1{ZlrxoMO1Uv8?ab%$Uv!Rp}}VuBsR zVg;otA~Y|eQDgjHY1s=-{!Y*JE}Xs#ZkW-y^5u(sn$@~!qWl;5k~xC{4^>Y9dO9o0 zAExXToc%my--2v@qJE(M-6*FJUe#Zzw24ZmC}`dE5UuAJhn46I2{E#u@@XbxipU@i zYi8DESbIqI@j`WgHT^?m-{x!DKT23o#V(#=jUCQ?;^l9E8T+cR-J(yv;P|lYVK*FS zv{?S8?}IL8ihoQLegjWfKnN=~x%~TnHhqUG-$&)2#}j&U3A%N-{CxbSO}Tu{J|?4v z)>&2j|LzVj!5pi)GvL$U7u4)R>fhUnz+`*vM0pxd(-*x%o;b{Y9<1!=uo!;@g8Kl5 z9DW1F0oF+Alaou7~T_m|#K-H{_B$6ly!SN81#EZ};WBj9i7h;EEo-w}iMtm_E6Q!98cYVH+ z;%ejPhmhs}O1X{%!M=&|s|j}gWNXQI`AU2ZTkYiA{NUR}281v?QT0(|D_Q)(#-fe_ zXcBE>#~3USY}OxM0IEXPb75?7{rG8Y`r!w0?(f@=M=7NMMKr~$jxQ8eXn6HT=YzPPETgaZd z0OdcR@>e0XvOFZpe}Zh3ZUnCBFZ~LuUao2$eV_c__-<9T;JY+Az6K+J)}^aHM(xr$ zgy8O1{k!P|4lfNmsev&xU|Lt*_hD3nx01OH_-_9n)Wlt#r2m#b0Xv7jA=1f#&npr5 zgtBFYA_^M+mCDK6QcTKGhRY>edklkNcJ`Av{K7ydG zf6w;;X%7tV9UB%`a>k|&JKE~x$4-D7R*tYrHR{K0h>rpsrZ)%W^rl7Jp^ 
zZOh4griJmz39$(|#`q_GS?hz5{dOjUai-QJOGJ+*m|Zlol7ab}aU7Tfk)M>rp);GAK;;0f??J9n%4j=A@emcJQ!`39r*BAf*_ro+|#QR*;Kf;8^ zcI7^JvFLIeWMw6)Weq6G#;canS423fb^~hqa0QnBv(Yk2=2Hoo+TTOT%&YkF3j+Bz zK&B63fjRjGnC@-qMbT0lT0+6NQMUyYFeR)Wj#B-46ryDFj~Af&Ps$;nyK%q?O9Tn_ zK0rLwLSu<#c~q{)qvUYrno5+jdJ5iSqnUg3PM$gjqUjL~y<{%g$jm!~9G$A|K&UuM z@DKQ=zmE=p4_?0Im)EHfxhXV zV@xp%2WQHgCh<(xtuZ^wuNI=bU7)Oy_&`n6H~j^PZ+0A;3vsLyIM(|2NmlUSA$l@% zVXpaD|JdpIBNzGi9l$Z739NBAt`ow-yvX$LJEwoo@$4^W%4u(O7?UpKH*oL;-;G9e zBU3}k7U^&O>FXG_wb-+oov4L{M12QZ8@z%8%8Z(R00KEvhI3g%d!`<`0K*S&lLTTj zDeCDL-*h&^j-aLKe*z0;&Vh`*@=y3ezT5n}p=gdxZ>I%h*JHFO(83{HOpaNSkBKNy zXT$3cVQtOBLLSc7EUX1MtaXYmLDS`HUV)PeGx643?>t`5Uc$5grwB=r#WCvtX{K&< zt~cQS{+rgnV|!RC*JlmuP`>6_QT1wx42$7iB4?$4Ur!w-4G^e0sKDs|ML@ua;Ky&{ zk!Ncub#gCw!cReZ`YxUzx*vZ%pMMCV1)YBg&=gDsz0IWa(Iu&Mu0#cB9UWW(lSz*> zBWGsO^p7dJnXBr=v_p9>p(Mpk?b5Ql6L_Jv#vbcLu$N-JV}D#W{ZlyObOPl2XX7-9 zi2oLyfy3dlreMQy>$NaqY&e2YYD}C3iOJTG%{@Pe5J_2oaH6_l>f{4xLjOsC{#x$^ zbDuBKt>ZIgp|OJ{FwqwF>+7D${0UL9Oafn@&0vRM-`g{bx!8I~LOh#+EbsU4JJOHC zfvft_!ln5G>;9TOQ(yO7x{6w?MDSe;jZKv(ynrWs*(dUcaR7$GZV+bdw!XOTul_IG z3UTn#NnI$JI1Bi6|CbNw77nJ}M4P(ss_67wBa0UC2m3)d>uMdvk;Ci-4O0hkeooA& z4`Vig+$ow&V+Y`7m^l1b(vO37*_W;TsETtr$8kc#!bw>g&9QeEq|SVh92uMiediUp zCu8p|NWVd+7(dx&y-4I;#>M(OznRT~4jle{w_#-b`)~#aIZKg4M*@d=2{bIk z{6)cc&w~9#s22J6y}+PvBPX1@sjd?NWcY_$5ob;#ko;RQ%JO{H5OpY1SL>XX-Sx*# z%%7n3n>K6Om=p&O9YcuWQ{< z8!ml5h=#HBKm{!N`(0Olh|UUUE7sojp|Z?}be!46ya}#5nEDlAya_`-_E=!kLEW0t zt+HK+h0L6kXPFVNAFM@u{(7jZdYtrWIEwSl;72vJPkjwrZ(1|CZg`I$236K+X#wAl zd1srOx$a5>%MT9lsKb*T2&1ZV<$C~XU>UrDv^Y+P9%8&e2_EKa9tR}FtVe@3IwO}h zjI}suOL+b3>BKD%2TASI!OXW1WMqNId91KiVOqyyz(?Cx+ojV9(3? 
z)AW7{vGU@PT|gRW>g1j1BMHjakn(cE&dMEily6Y@`~e>&P4uTRnA6XsFZJ{XE(+rB zICqF%(V6+ti%jdQjE7g3XSlO>a7NQ47TJ4|;p*f;cPEz;Fyyt?Z{~KW3=z7l;)Tl?`tn3MMskY4&#PZ;fK>)m*wdY`ter1aav97eA$59uEGr zRy!B{dplpVs+tD%1ok4qg5EN)U@<^+j8U%br)KGkI(86q-HqrM0Lf5(l{m4sFY4d( z626&MODFb4o;Al}`=CF9?~KL#U|`!mWV}E-BmNColY`GbOkuIZ!FTFWhju#h_|tYy zzGej3VyEK{#+Ka&B)4Oa;9-O;vAq8p2}{+0X|@6>Kv=BCuzsc`V${D z-A{|jV(i^w(+)Qs=!oY#;pKjD1+tl6G$f= zuRDvPvV~_uvDbh-iG}ax^E=l;{XR*}?bm6~_?=Mhx_M2L&+LDrU@w!-#64k-z3$8Y zMjwx3{W{pxxSWF@>L6<47vZ_gauC&eQtY-=qdB`L2uG4ID;3hi9U$F>3EN1fLzB>A zSeHFAd|%x#4n>m~!&tYm!Qt46Zez)W8$;j3t(x$}=f-vG9mEHyC2Q9dwDd!~$F=80 z*u4!?bODE!y+Qi3IbX999wQ>b!xUU51vU(^oDSv&e8|k8GJM?)l~}%`b)!EP!a7C5 zibWGm9Wf?8_af3`_;&&>*)cTXP-u5`DTO_8LK#7b-Q8rJhi#w&PyT8^mcG2}FK8j) z|KcTpwIO8~0(wnx@Cnciw1@#xyS$7adk8#&G+zQdS0QsMa~DNE9z{nG>Gkja8NOgr z?0gtIajQt{J8IvXfj?)FK7G3}AQa4`EgyY5u^*F@=Cu6G>9`t&FU%z6=hv#EEF{Eb}abK`qn_K*J%T7@b59=?!f#Sm;( z?N0$0h9Mw^;ku9IYd*=u?l{9b269DvbqxF{gv;?F&3(_zj%!O1^^Ki?*O zayWRO;Lqm~_1rTh3H}fvdjiFTY!J>diKK|GplL*ZM%~aKCTMtW=w4g(;b8S3zUFIs z5yiwvgdvi#&V0=+9Ml9hISX)Sh`AU%MNI6(<~2++qs}BUo9Is?7)k=Bw3qDql0mp~f~WN4MbH%!Pp!vn*R_ zjgKQ^=FEq}5D3ch??L=nvrPD|`@weI8mbNGR;ISjESz+@a z-LLO@MLX4&`zPA@)(@3ZZuV5zLS5KgmC)kVWN(eVSAN@va2&9#t>NgkmT@F-&4lsP zGORjSRkCkj&j}7u$XXDxx^R-Hxw_4|27~gPzx*JR^Z)rj$6oc4xabw}yiBH_lIb-v zy+Ni4ncgPTFUj<7ncgSUM`ZepOka`dDVdi2R$A~Yh-$pOrtW*$n*;` z{i;mAC(}n{`jSllEYk|v-?L@9LZ;WqbWo<_GQB|7o0fDbZapB&)$`l(`Rw0`oMke- zQl?!p&B*i)nf`-J?~~~xGCd*FH)LAzdx19~(={?}mFX=qy;Y`Pmg%=-`iM+llIfpi zy5J82Z>>x(mgyBTHD!8(OjUnX+Mel6$5QKKnV!K^EE4U`L^3fd6ZxI7*w(gKIvp9{ zOgq0NGBnhYh;>Hro&bT##&d0KhmFLB4<)uohT^zE9_xzrWvGULCp_&*7aExldc4ib ze3?nrM6<|WAB{K1GtEPcRy?D6%U~qc9m_cQj25oJ@ZGT?kbzp;BEvQw;=_hWyr5x0 zXHP1UNDqO0n<~4%ov9?@5YL^-^sM!-%f?bWHpCOrBBwQ#+}4?lCx{awpBUAa9%zjZWnu!c$iH5WMo)ZOEJZ+D zB7Iw3?KH;*;)%|PK;_B@N4bi^A526gl)#JfmTW4GPKf7g<3mHDf_QGu#)qQjNFo}J zr`327-^GA*MuuV;A$~6U+wsB!Gnw2P93?^o9y1<|wM0@pz8L>d0^LhvNLz;D!$QIY 
z9CeMGOUmxa`VbI|TOTA_aE>H4o=h-);4?55nOMh`zXM8rm_xVq?kONo{Z_}^nV#yB^aRUGKTWR|AMG`J}(1T`;5X3dzlQd%6<9#vi za3X?9;PkU+#66K%e$dUX2!w81*8ug6J`z4Tyu&4OJ&`R#a)OKU_GBjBPXZg<9%FGr zJh}{OETNq_88K+2G*gaUng@ngolu-L6;~6F5eyhM&75+xY>NM87Z~ z;7@EImCPohqA`h3l#?6@1~o_A^R*Rn6dVPK@x*|bV4*%1SJ4j88ZE|1G8MI-sYl6# z!S4W}CYYWunAD^A&hu^udcBRM5CWe{+rwhxf%wzVHYa)Zx%#1}cO?28WpDSdrPC1Y z5&o{&w&eDhRFT|Mro(`w%BjxJoynmc^v{5DV<^=Q>66HCCYw^r59ku}E4z)xawxK+ zEt!ae>2f*>x?6yr&d<3+_33+q)SlCYp zp1=cmdqQ@{K9h|l`eN#Q(X)LfPP zg8MOkp{)uKuEF?V9W9Lh2Lh{jQh!U#KRD4@J z6W<<7uLeHw1!hkym0{(}&!~0!juTQg*!y7)`0DAPh16n_hG+x>OvG8d1m^k>h;wWMyPrMr3>Jz=O6qimCr(8Y17sW7?H2J>_S?2i#`i6jJa2_pK5e6|QwCd&iS4F)^r z6dOx+JKQ0sg6z*wG99z$l+%Br*OTqY%bb3Olp8&h+~%kgMK3JL7@4{$Wwz4A6xWW*~hH>f}tvmzh;7R+(2Ys6>B3sz#7e$Ct1i+AMCZdWoy;8AfAr6mcT@U+mpw_6tUQ$Edm zPqyeU`qiC5e_f2T>9oOxZzl4E94htg;MXZ`qvU&sSckwjT25t8MSV0VpgM=37q{7~ zi|lV(GD_}zGBp&nO)+W&A08i6CnwhN7FEAd;OU}hMAW1HgYQLgL(s?Su!Tod(1%w0 zwzeg+>6i*AsCJ9#A-r;(aZL~fKZhPjCelgFa$&Q1=+m*Xxts`l9BAC7g)F*2wN$@t zd76cvL?8Gf+fs%u(}!wMVi6h|`#Fvg43l4=@Pj{qlkO4pd~zu3nCbR-bVVp00aFFx zxncGjCBMZGU@W69dWjx2FIu@!w9 z%R*SVe=_WyLCl?>IlN6z@|pB5tQ^V^^eFpQJsVL7A3^}^WKcB;CloNx;7kN@kztal z)}hEift<8pbPH#)0AYIcD8j1=Oy6y!H?pZdx8Djm2z~|;7qKufJmf-jUrtRBz(g@! 
zfEQvmD@xHnmt2FD6n#_#i*lad9>Z7g4L(k~FEY%26WT%DV)+#L)Ht<5dmk>j9faHE zEVx*#<1&CP+66*;HeDZ&jkx1l%w;={#bHX-U!g`=Wp@u_p;YBvTn9*{AUEvk(w9Ucqf!sEY{PyY`>tII2OUg;K%OkYr*`6>ol9TPTr+ zOWKDpu0SZt$w$@sz02}>M;Hn%#?s=JpA?iC+32)$AU+J=+|}D{b~InJNid>oiyeLu zblK&Dq_BuhZWYalym*GU>q9X3T!;$Gfyh-V`){|C9U_%RRCv}`o}VnYi6|CF3L!Gy zmT;(($lpSe!7fqmki<)@ZAqq5SX?}-scJWw=x6QQ z(b)#SG6S$!6dn`>e&k2cq11jR(jOnP_go$N*&7yw(x#y?YCF23K9|or(5~{}5KN9t zypI)*E8nCY7Oxkm=x4lSA`w|GK68F?r@%WG-Y#1DXyvo*D>0wDV<|9_utGm81;_Oe zmnAa|zNLUvc&HlEWf^`vlSa=v@ARLY4Zt25k)~= zy4zI_Bebwy6q-rcda;jc=JX70}6v$(fOw#4VXW$$*XZx{5 z>gf-Li)R3bUfu1A@pDy@?a2H%%@_*7+a8yvyfr&Cllh5m>`S_V~9bXWNA%YiUem_D0i#ap`6%{0dI)QgtS=RJp~a5U!&S8%S)x zdHJI7bi-YaVG@YdpX|4^OTQyNCh5999__>~2qW_lC;LrscNZbH33+iU*cVGPQ$HyV@7!yw6>nUoad+^*W#muq#-U-;LeM z!4&oiZ)IW&tCJ;FJt$hP4j#Kba#N#}Tow;f5QyCDyr&J@C?iHwPjaw%5c`m!AET~-Am3hMKjkmCNT z=v_g-yI`%u|TM8D}I2MjTnzLEJni)p(slG@?+w%z!h7?=oQ@RWA-hkPD4 zJOy3kbmldkCy)vQxat+anNc!d3(5aLsN9~tAQ6Xz5`C;)itwlo*oX?+ArYhF7JbrubG6fjEr>{Z?sY+y z%eX&}S~vS@Vu=vl^57$5R%W~Mv1mKW)t-0`o#X@kE%Os_uK71>JF*;&Y=?PvDn*{oCdZ;CTXKlG{f%mgMB2Nx++aajCOi{BcjR z-b4|k;Dif4J^;UHE(vzvL@2wMk0SD*G^qnmX9~g0kO-+2<;d0@m#Ak4jNE)1y-Y(eGw1rmGgk8?cQjD1kZx;?Mz-MCz zfwEP5tkmEFU;*N6SH5k{BABN996CGWQc4~?awg)a5d1H3Sk5W$O<=PUA#Ej=svUcB zOZvT&+Nm!mwP#W?!J;0|#<~4x%*H-M2V%T=ClxK%R(ue%ve+T^mUj;BNRvvC&V{S} zWHUnePJDzsBWeB#`nC^C@5ZA$34tnaQ5)&d#j#|k?ReVd1&*4X&(^zBN##og

=N zyM35upSw`i!vwdpsZ%3#4$4KRyBy0Qh2?n~&Q`xQ9vc$7CQd)y_1zj^w)(vDA%;tt z1vbCjc%;e4J)8}Xh}d`$6~c9k)yP(Ws$5zZbB>!3Ses=weM(@}XwtGn1PZ*P1M4xf zakz>D<90qrctp&Y;lws&Fbk7WK1W6LQ{us@;Em2X`JM6#fvh*+Ix^+(DVP}G9hW$) z5PN2Fv1)GsK`TC6rSPy9&T&^SoIFCberU(=Ae4k%zXd0sfx|m~XjcRhL`cl(zsjdz za{+#rm+I8A`z!HD$4DGkVFWhaT;B=useJorRY7|qe=c~rDS;NecpN6G{9p>UtCMZR zyS6qwbgoZDqIC9(%Beu%AsMHm#P%}`F&A1pzb%s5DwUDD*e+L>3>2Qup#jhMB5bCP zhI{C8^1C`ZU34KoxiyAUl?5GA_(gd!zbKxEd1=$d0q$WwL+GJLED%mtB;M>c3J^o8 z>}L^SD3CMEoG>E5A`T1|Zk6yj^EZ@CGR@peiKn%ry@%r3eb6rO1z4Dc@#4knhGQUU zXQ=#PUgo)k;?h)^>9ouHqv~LgH$UDVpN*d3?LDb%tY^nCZ&Yy9)mv|r;_7^SPgeJ~ zw;iR@SQ7PcwFXDxoKaEqfv2G~@hRrf+fbc-vEJ4Yju{X0DyQIS_t&-m<=98$Dd9Ay zghTUl?W4AIbas;Nfcpot1}iYp={iZv^rC(Xnd3N@s3O0! zJ3oRje#$;+z{e(>a$0Bg=-*}28EoxJ`K0zKpEs*Oo=X8Kyh8Jcvja2+#rYz(?ag;= zDQ`ZL%|mJD4-Q9T+a0{Yo;FW8_PsDbu5uhccWp=6^w45L=dxgZZX3n{B!!=*6A6}z ztrX@fTic!QcIuVYF1YE?L3rhvUtEnDP}?(hyF5ukFrE-uwfE(~Z%@8L?&2$#%foEM z2u0Vm*lnZ0StKs5D5!iP)L@aE$tu5Xw(}xrU)p%`bf|;Bolo_5^cUEIUj2ajg_5k= zL%z5oBoNtj3-u)gtH@shJ~dYro=zOLf_bKf#l}-Wm#}=XYorWvyS~?!Euz1R5AJeY zmfKMEyqiCu*Ue8X{JalEN>6Ua+4W#q5vcP_+cToS?s4zV4nRm~o2_WeO;4pFJJeBU zg@@LWAfNBWF-aGGo($e+VqroZBp3Ay7Fz{xhH1e8*9(-9w;a8ltGs6uDmONFb_%1@ zF(X9(O}m_K9=J*+e?ooR=tw(?2=FA*U8 z;rf(MB*Q(lpM~J{CT_sqkm~|jLAhNj^5dygQl68OXIw>oGLe+JQ9f^X?mxj&73cEF zxD$&8C}X%zy@$8M3-^;f`BV+FSZWYYz3m12&8nW0@2yPSFKb z;KW}5H|siv{I*{m$ODP6I-~op#Y%7&1|K zJ?8>YpY*cmo4}ypKJYvg>d|z$2F8}K?d)Yrj#K|Ou-@%^_rTdm*y{+47|(eieilL| z+AnraT=^^$;&~)8EOy7`Y9`0M&?!-TAzs0UZN&~ZomzrM7WB68c@z@EB0=JINKZ=! z^RoyZxJFI3EAl;Oei$CJOIhvwd_!wTR~yew$> zR~&$q6=go(Ymaa1bKRq$k>L9k*d4(_;kobLf_pq!BC#_$oE;V?7nMR2hy`B2@%{CV zVP~8OFAl`Pc9q*UkXq+to~*~^0triU5`YnY9D7y&H~g=gS`e zRrml0+l}s$HSdt;LfIvAm5b&?p@ennW1~-$+b<~)q{#Xh9C3hGlBe30Q5J5PD@b_G zFB&9=UM?36Qe4|TkC}g&QOUeeM@xnR8v?J4QqF={mSdM1ZlPoV-6pZ~=`Jz^2IsRN z+d}iOp(;Bx3mnF6PPint3=?#Ci2|C0Le>}gpuJBP$^2Agz`%_Xc{$jDN4|a3fhn=! 
zNAv`?pJCXN<|MsKe4#)we8wVvx$=8re3in1r{lZ0kLJxE5y$QDz6#!wD&)UG{8MNoe(d)A*nW~rmGz42pg_qIBW*nmJ#^Rk21zH5 z=*DnFN}w%T_MG-fBRj+3WEB1>%?0RbF zzF_^KKGDa9>%z@-VwpS@SClUUA;tOfg&_9(G$bDsKA~a?)*p-~+5dFK1PVa5EFh&| z+3oaT@uEo~r;RHg^N}g$;kEOHtx&k!DsgrCi#vqQsTvm_L^~9MlN)#T7<&0t1Sh1- zrbCp=*`wnMF>D?76C{5`c^k5~VLHiCEusT{p^$8emyQC9nzW9Y*~EZ&lKnFA0+b;6 zqL_v%-bn44bO@C1`>8t+0-u9`(D6ZIFFw2~hn+E(rgZm{-fe?rq^MN&BeV?)Go8d{ zXAD;pAc6=X$_AL5HXNAK1J~dE?7GBY%PAR*B46O@>`!nMMCp}Kf?k;;Rf}u9RKN^! zCz_{Q;_h<1*~TMglAj^uL(E(x3%*eh-Kz+^`iHj5MJ2WRt9r;!rnahF)!%Ru-b!Ss zC#k|!>NQG|j<$BJfCJ$ej?{YiCh}>gS!OHv$bc;YqC~V0uLvxlBB(VQNISA@mt#0T zs62svG|68PmXl$Rg7&d^lBC(jmZB@3Xp4-p#C!W8E(r45ikRc}$z`eTWqo#ic7)o3 z#6UioA?T(vWvmMd>^{o(8iWE~+zS(LZgKNRvA-uNN2FjJpiBz{Sm5J1;#n!Z{NQpI zzXeSMluF7C z7%!Z&;(GIoRkpXh8%N?Pf-Mhb+5J>XzZ<7GV3Rr9`UUinE*N5$#fz78nLZqscd{J* ziCZg>TV<}=_~7&}EaxxV~saRYbyF>(@3YJz{ z>ulFf;lVXayo*VAFmQG38|cdQ6x~!#?+LN5 zY0CakKHGUb#c9J(wXe?Tp#Uy~3y+-aMftPZW57SFJtp$`0HV~TcDqV7i~IsR4E6pd zdkSzKdtE+rFY)%a*wAoDZs6JN5&hg<_IOi0j^&E;L6{pf7WA>}33tXdmkY|J z$Qzv@eFWRLqSRHtdoZTnMM7(ajTeC-ci_XF4@GJ_rv>@6b;Y{h&KIf$TuWv%LPN9d zW0wm){}=WR_#oisuwU%*0{g_ymkS)tR}X*sw@DXQ>Q}ju-3-kym@Vl9+$d#sBNFAh zeP{EF%CVB!#nhg=pHxoD-v%fc2P$W!Yy(IV)WYJTLmqjtAsLmYoWin*o>CVi8hTUS z2weqp!GSq8j)KIC6 z1E)>~W^jX^F0!i;75EU6>)XmPB$`f+Jc|PcUJHq+Q}l^b3_`@DsEA@ozw_P-wE~Iu zoczKSq_DhjrI6+PVl>Y}>upz-r}>Vfi(bz6sG?cwVGoj;RUuwF3;+j5xE}8IMZZ1a zOx15x7n2s}UU2=}eZPiKtJ_}!25-%wD_8sx_|;ioa^%E;Ur#<>#fgx&6SP20S^{L^%DjSY113{ke<^U;~1DQ@SB&e01%xS$<72^2`O-6`kjilkedd@6S{r` zxTn`lHz&nP=`EK^+s0m4UzHaVT7UPTA91aG0-aG5zmuR3fPFK76CUuBzpd;rI^hGPSfz8&^vOA-GR9P2XowT#)dXAS&GZ;+l#Z$yB=&HW3fwNiexD&hh>k=J#<+RQ#aV76JItqJiEpZ0>f{0dr#y&v z63FXpP%chBbeUXcLNv$dhHvr3DlfeErmjR9#?2BpUL1CT^KRddlM2mgm&|q7{XtRP z)ee;xa>Iik|!py+TMAK7Q{3ab9VE5g9GQ=Z2%V z1aKsM4m@mj!Gs*d%S+~jlh;TK>9*UEtAbnoy7<@`Pl($xblpHPL@h5aI2re)00@rr zcP7LoLgEKWn0WcIz5P*KPi)~3OFS%e`i*$ZP$a&sKqB1b1@{~a<_E1IDvCU6FLPL4YLQ8yrp?$L3-dJ|g{$&mz< z6ym_@oG=-5Yyn1v&fzc@oJ=vNo$&|hbOfUt2Ozg3N683LY8vArVy04NdichZ+}UuO 
z;_c!^YejZCI+oetI{7shoP2|)Jq6~3Qx3feVqIHv?Q|(Kg&pidM?reZVph?3%mHUd zY$*0AZ`q^LobUyvT6>1&sjzi$x}%>bk~6|?69M>Vtyh4Z=wR!yEkXfw+RvN~bFo=i zP>*z=u#mj?Jn`hj2YFn=Pm^m;NNrJl_sF_&o0^S&Zh0NPbV5J%QSc~_F; zOGQgXeoF+e-NaF(6c*M#oWV=USIkqt2`}H0k&_gqcEHqeaEsyOGAajNmh)_ITVw^x zxNOh+9&=a$bT-)4Pcrrf&bTwBQ`-Yz;WpA?C@|(Yz8p6YzIV=D6*)*igal- z(H_cMLT%mMZ4P{aOz~{9$CKcNi_0S_c_>!2f_7yPOdWK$+f$KH7g^A$(pFb-bhPuq zaLqg9n0w>VsJDJ7xdkstbZu?9_=j>S1A=X;wvtz;Ttr0X$``dAIWMdS;>e%D>w*MV z=E6gJDFVdikEBm+;uq%A!eAc)aF2_uN0)i1O{bnPJ$pm;BH!=qR=VJ@9AslG<0K{W zwzjJrTU8#?3ePdH$0CJYikkSH1e!14kC6WY{bA>~#$r+W?HVisbOuhfD;77UMdYi| znWdtC^!qVtKw-ncR}y}Sd)=b;o&9dc&D}v5~ZK@Srw4cW^S+H*l zG2yK``biS;>LkH8%6BOiyFKKKb(QWerR+u3U5+D~@h##|niOr6I&}OO`bhE-?MS_) zuC&>7wZa@F37@NddyQ)bQ1K7T*mz`*;c(E8C~&A}6i4}lG`r}PaJ_i{6>;cByl9s8 zkZe3)Eq>ogn6n6F*!jW);*sN1vhv2BT|VnPM!!YA%kJd3ynSWAp#B{5y?Zd5!Eb9N zxMdiiIPxM4cST=uIg7mAFIg_CO3&Rrj(i*2b<763E(P~T%s3wxCk@vY{;p zy*N-NEFNXih<=IiiF`e(T={SXd)t--em=?7KKU;8Pbx{77AIZ=9_ibB0DOZFe_CGrbdoSzzCl(WHue=>wz zh)<4;3&2~Sq5*s-Q*;UEd7OFfHX5;hI5_N>TQU7)?|XwQOmtB{i{TVcz4ST3Fy@8w z{yP%xt%F(kqV%IJ8)CUCqJ#8EY)cl0kML$H-um^nk8;(fAQ1c!0aP!X9q+TFz1@AW zLdQyr+wOCVn#+uI46U@^vC)Fw@I096TgTgeqEuiwJk%+J%k>IQ^ns z3;kk;?XAxO$NC9}AtHTv6S!O)gmG73XQ}v!#Qy>HBa&+Z|6R(urKCbbz4O4NsOSeqb=0Nn@j%jx9LR4F)5B#tqN< zMVX#V0QA1ImrlL5x3k@T0bc;}SPo*naCOwfHVPH8&4%{LjuW;gTU(tGcHl+67%+8q(V+cG8XMlkNg1*{_|6=D;RtW&E84glJnLJVG<7E}jy zZ8&vgP|OWgEa?Y5(gYPt88-FP{cvMQex!c^@$AD-3MLb(mslA1CA)$m7aUuR=pLUd zO29S}<4Snw792`kroN~rPl{k2qL&@v@GLmi8B!z*PAhpLJhOroABIE~f!|&iXxj%P z#K$)I9k{BTlvN1#oN#Pc$qm{ewFw&#Z+k<>Mc_k_A@QR8Z{iEXeE?tV@w2-s=(6(* z#!JYwFbQqJG!X%_{e=w;tB1SA=|<1{<0u~&9PlD>ylmTbZ`cLz&ele>xR%fwwAETx zTct&{A^b<5jZ1G1w8Hp`MFW{+z+Qs_Bk@GT>g=lM(9o(X{75&$fllNFz)wDG8Nd-7 z^&ay;KjRRvgjdFw?SMVnY0chxYZ!00=L=vBtG7~FI$#>XK#Y!%i@I4Yt;MtyQ|hL3 z{znL_rp>2Y9m}9b`nFzrMF7v7YqzHbRtEa%&`}_s2yDULF(2z(5lC;14|6~G58=6m zjA~p6DpAGSKXvW@Y%Th=0K2a3@EPv^#t$2Tz09#27ItAwosX* zbK}aJ19X0R4sb1>XSCY;GR^1T&*yK~@GR0iefU|V482p-!C&#MQertR)1CP|ej**E 
z`Fz!ajqNR$uK^Ls0sOY@KmaUDWt{PGm!m8>EQ@3*~= z1t7?7(_73?JKAY!>F90m@dBW{r={7OC+Y4Ew)A#|dc2JiynbzPQ^$t(U{|*p>MW>= z@^FW4Y%F=MzFbey(d$^>%B&(V3b&nB;SJV*N3_~+S|O85#6TVzCO6Ay`v}8>K!zJ zw+kW!IqaT|9Fn8nc7r6%E1}5m{xld0W_dV){9wD@jG-`s5NEw7)ZytM%E3L<+H`$K zxYsk3JW?nRwRJ*-I@)P+cpDY;%5hpB?r7G-g%GIUgI^)&2^ut>2HGO|E*1&Ebp^wE zbFcsdwU2IX=;*o@61Ay2Sio_@PZD@z2WF0oI^;{bx%8)(keD6C`jJA3or8G!)@oLhH$kuOz`qPIZi9YL;=hdM&85}pCV|ei zUTwvCCF)X90=1HO-U=KE(6$QrM)6O5Xgz~BI1~*el9|A8Dn`FR5J>ac)BrAk4#ZXj zBJ?vBONH+C!sFIdG*GyNdMXe+uY+3y30}WGL)(aA1#<%uonn=BuVP{yZSOI{VWy9l zDt9$rXRpPJ4S0#=6?}F;qC;-p2Cxj{mu>^G(LO|n(}6zWTBuG()K60fU=0q$l%6kG zp9+TS1IF{?Jf5^3@@+?P%q0-%>mwiBUJ$9AEWAKG4O=2J7>GpiPJawYd^?Pdfmm8X z5*%VISa&a96G&wf=>S{>dMj^K5b7xhE*ez@fn`0pE#|_B^*g~3TViOB-XW#XaDSxF z6^Qa3UA!?HYdhhGcd!j^Nni+XHwmo#RG?~sAWo$uTN^*mWI(fJuu2LZ zjR%(60Ky9iB@M8~!*FK#^2@SI16KtAyCN_o7i4rMDz@dKXpZPmOEpRme89cy=!yU= z6vV{A!l9u6dNqRU>bUGdwwh>|`6I?3Hp?*XV8Es#Q--V>5&<%4MAKY>;3;|*pci?Q z`J>Dp3{{3BU+KWIbgVClUtN+U+x6IGW?Mp{jYlOF;Ll|@2XI?S3@&nQ{>yRZVNqj3 z{RO<7M;YoWMlp&0ZNpnic;MOoM1*ZiBuYI9QJ7xjZYqad*k zEaZm`!ayYLp2l*ph(D-Dv2z%WG~z{ID?J)o1KmT=%l7pZtwrn5+B6(!k)M^?F!Xf< zx?kw(m4NPtPckH*NniG%ocxl@wKdS|UVJO?ziE%Jdr{%JMl z0vYpobf!2?;j!P8mby^XA7M;|cDpSXV%Xs?3SG5=q?ffpdrx2#x=T&9e)tBl)QZ3s zEPc@ccrI!Lw(JOW(((MjwaN63LAzzVQI~W{;NzoAij=d?62vYs}=+#wg5gW1KqgV0nGrh;wD^Dy^cYtA^xm{f5bCcDLBX&H50 zAgHH21!VIp0#WfRY=q?Ffo04QsaEZIup+Q6OTXGqYbX5<31$~BR)VlgMN5K6W(GnB zu@7h|ksE3Q2o!tU?!#ypb01^X*|hywS^TznMRZp_oQJjkux9f3tSnBek!nxR#NC=7RX3qhd_4e zs(?=Gkn*e30a8HNE5cr(8Wt&5BsnpR%G^tnFmY(`uVg{|lrv)6DKs6p{1cyOxLnY$ zBvfJ@nQZ|hHKkTCSQ>H-3oIkEXgCu{qa1_ho~FpTw6Iagc|*NuR4B+$w2*0H)v;A0 zvuFUKgEsATaZbUak&x(l*6<+X%0F#Q5-(r^(VBpv-X@qoi;)H8u^>3gKOb@hhFZ#8 zY!nkpN(u?PrZw+~Nh?>A+FIz;Bs8(xZl<+KX_a=&#cW)5QHmHZXKbpj3eYR;0D)o0 zg+CsCP)x74q9uZDJh4zEp#tfL<^%QO#S&};1)_4Vg5cx!U47Djyk@$p6vM-Gq@NEd zf)tbs_z_%Eg+Mx((azsePZ%adl~}tSGu1^BHze9gi{lp%GQL+Fh{IBI_g2#o9x7Ng zy%6WT@EpgN&rpn)X)UEYWqij~=DV;;yD<83?ZTdV?ZP#yv#Xcw%h(k@ti?y1@nXCGTKb>{Hm&DEX0+67u|bfH$;gLKV&t#C% 
zPdhVuiFW3ii?uU-b=pG0v3S0=_*+${7M_@YY~ED)aM|Y4&XRiM`zthmbe`s4gLL)6 zVV}Po-_O?kz9m{E)mu7WTj~p!EIPH|MCGxHDb%Yk=|q0be68l9#i#rys*Ww3nm=5* zd0uA);j1dws@9yVRrzYQ3aWo`m3DE)@4Gm9hVSAvRlbXT6+XLfgr}lJt5{u9?>l$C zcCPPh+QL)wPe}SiI~OhlPom(-jav1oGfpfzwqUAqc;4m;s#{yB)%xzz=AW8(f_sD- zzC{((oan?>GY*LPTph4YrIa=?svgWBToa|X%}4L51M8IZm!QUs^j`BdPO`elj)~qdW}qPkZD4u zx5@NNGQC@-_sR4TnLZ=aS7drhre(hs?N!V4{ojb^)$;ioncgJRs7y05{en!tD%0=D z^bwi9B-203v_kgxY?-c*=`}JPl;0?%hjZ9l*dW%eNmFbsd`YoA0BGZ>-`e&IgfPB!W zR;Cxr^a`1pGQB~j0$S7VEP?lo&C2XhjEpYYE70NDm6|bJ(B@OQn)W!skkg59L1&81 zGUCz1N0X?Hoj6gW`paUZ?c zP-4;EDeKA%(e@=QE%mc8*H&zxU-cutXfJ7^4SLw1J>=u7jPxLOe&I}BMs3K@huC&S zB}+HwAG^z4-uaPo^jFapeDl-PVmAccs;UMzlOUfWY#>NKe>sMyfc4W#1u zoWvoII@4*`3tiNLxpYKK-g3~iYlB_w!EnQB+C9^>@0Xwiw+P}HbvUoLJJ_X4EjfOY zmwK9lW}sa+uGc$53MxZV5TfX%J%ZSbqU&$s4Bo3HC}**TY_e!&?HahF6pQegwtYTv zOG38A8}6F+?_4(;y&n7RWXI!oXJ9YGCKJrXS-1(tg?O%fkvM)+0Fwl33GlJ}Yrhsa zDB?!*5#l!xLkyYffrrw^)&5&Kp5>L#xf-jYIy3>e7hfsC{wck5nO-i}(QlundKP}T zcTZ^4Y^kX0V z^dxZEoZ*8#ns&_YGl86E^Muuib~m1J7PElQi41K3vluJI{Qq)#@AvL~5dY{e|2HK+ z_f0)D^-X+!aPPg}nVNdxr4v)HPQCWpi4$Kt^2VF@K7a4M-+b*GQ&R_~eqVa~;@f?< z`>yu+{!i=9=tlZ{dE>_IcYYavozLH;@7&mh59N&9HnL~q#^H^(et-LR2V&zFe5Jm! 
z(x2hKr+kl;o+>RZ(>n3VlUL`%=dqG%?A-da(#84G#||ASsn+sOA)DCeL)CnK>Ol44 zl2T*=44L?cFZpVG0IQ(}J{4M-R+87I4xmbD=@U)b0%YKGyVk&%Q0J#&?{^+!pfdI0 z{GY0)+fm+xj~=4G;b!_vpAMrNe~k?-H#KdhXXg{`Pi$>!`ny(?;@?K2sfln^;Nz>P zD5VAxW0s$|~0ijpd1pHW_3Qle>P_>|)jMR0B^HQ3BrKwGBO|KIK1ZLlL*UB~e= z?pkC8B*F?21zV(?D8lvvrD2_6TY2iOqA-Q*(kM!1XJ+ZuncXn6i&^BMLBv);TS173 z(z!Peo#*CBBM3xU*sc;KW%(j6e27(6nJQnH7nYS57UMtne9!E1*Xw2Wf!Se`t<0xS zr~Bme>D#^c=GUF0f+O!a@;>$7U;FxveU++Ds86ZSu0N-y>aWy&U%d5#`oINs?*;Yc z3(^n&apb~xKUIEVzD7Mgr{p){=Ut;l7oPCR3+mGs)MqZJFC9_$UHIa^=hRBx?;9Ux zM)hx$v+1I%csZiH*L^ZCrTm?|KBK&8_U5soEd9Fo$bVJWm!n*yY_30WD4WmgDwLnd z@&V;1QI07;nev3P`Fn6d`6;}v{#L)g{AlbwEXvrkn;CZ zjwwH#@`Um;D9{9*#%0A_1Q4T3Tn{q<=2PtQi zEy^p(KSVkAHU0k2p&&)h8W`n=eR`m zI$eJOZ7idYH4L$i2~Kg2D^xdAKiXJE9|Mdq#S9myZlON3v5YzLvc=eWZB8+83PI_O~)LyR%S3>Ub@{Lkxp zOXy++1B@`iDb8_)xnI!rSy)0BeGIUU2~Kc^3tVIFjk^9KI_RN~A;vht3>Ub@{4dgO zEMXaa3^2kNQ_OII>X&rAc`TxX9#%2L7$-Qx73SVVKcIsi`WRq@2~Kg2OH>v50ZUj$ z9|NpoiZfhd?gaH=3CrkXfOVYU440^Gr9LcS87mlIj1yeo8Ve_NeI+cTj{(*(#S9m? z#@s2|hb1gy6(fvsf-_vAgmQc5p#s|IVg+j$VS-bf;|e7l-K*C^2R*D|gfUKVhD(%a zR<{#vEMpZztYeBZT%z)6A39jU8rCtz3>PR7u-;BAVHtf4FvbbaaEa=d*-o^vj6Mcf z#|h4GiE^Ql?l-j2MGt+fVTdtixWwEU>ctXzSi=ZooZt*sm_MuQE24uQ)-c36rkLRZ zB_i6}?mQOJ!3u_$V1`SSm|yoF+UTN(RSYq~43{Wb$6kFlma&QOmKM zj4;JHt}%a(_0dHiYZzgI87^>*h4Z?;5|*)wb)4b?b9d1WbWsM-*z2bV6U=adayhu( zKj>fu1B`Kkb6lhKR@#qctYIA|xIhUe_uk(^2dfxif-_v9T>Q7Uei2>tF~9^fT%cT( zsMkjqeGGAeGhAWeZEQDIu!ad{xWxRg>Gd4+F~B;eI7jt%y`F_7^stH{)-lByE^&?d zchC>$pocZAV~QCraD|0;(l6*?4eOXzb!xiQO`VDO?V--V; zaf)+XW8vLwA9@&Ij2SL5_a54T4tnTg4MU7E#SE9Y#{94A`itnGhgFO)#S9m?#{7G! 
z4;}QdiUHPff*HWHMdY`VZfF&%Wk0B;F#W}7p_nXv*Ho92F z5M!L+99NhR**xsT94=%9yH3^Bne&QaBAAKK_*1#1{# ziZfhd?vLm%bg_aptm72txWfELsRuo*Vu&ebxWfD&vp$y5#}H$j;2hUj_?WK8!7}<7 zVvJLq;|lYCqU$N5gB7e{gb8N2#QdL94?5^$fOSkU!zHSZ>v}A7(8DT5nBWYTn2Tu- zx>&&g>o~zVuF-1fdK~nyiV-F_#W}7px5IW}2|Wxj!W1)HVs4l1LI*vpVu%UOaD}-h z^$~V)I%y5CKL;KN1A480BiVIv}F46T6 z^CLWAS^CgFZ%>;tW@q z@9OQev5YmW;{@lpMysdScd&v1COE@2T7CK%s~F)F7nmF9<%{THh$${GH`L3Q(8oGX zaE@y%j`VsShM3`%mZKH;+~cquZOQgM)I2RW*8OJkiQId1*?eA~JE6;$nyZ=5(M=v< zK6f|yfXVU9^$O;5c9X-IT+QSkCRej*@1vcsmCgH@{<&NCLjk|pye(q={kdDp{Qdb` z#{5Sshg(zs{yfe~`8lX*i|8=lrCgyLpwIl6a%Ns<{)%$p6T03KRxrTC$a)9meKVFT z-lOZweNt=kKbx}20n3yR$^)yseyO=&%z7ptoKjxkVR_-2h97w>mUYjQu6hnZZ>ev5wHjd0$=i$X(90EAE>AmbH2J5=9ZilI@p@{OLzjNb2fAJhO`dO=^Bmh@ z^3)RVZ}LEs59Vo~#rg2!b#`yp^_%Mj%yj|oIkubiOwMZZU61xTw8KLmYZzjTDQ39D zHEwf6-S68RQTM~;$`Q?VK-(Nq?}x`qj%f1TZ*`6saK3w}IikrwAE_KMrac+1u<&WU zzg(XnyMQG$`E8kU4G+t6>nvw~RM)#d*PZbC z{(N`N{DX4dm8qB9c7NWR|D1k5ll$6~A8!8ZnR-8_>#tFcO#RGHDbMghIWhAesl51+ z%87G-skf_$4qj@0?6F=A_vgtG^QU-NzPx0)hnh3zKhJid$(tQh#u^@!L)UrTo~zVE?Caw-SVX+d%wT!&%KMxKP>kyvs?{hoTE$b zeW|&)`fJ^;!}4*9SG`5bziqwD>*KS#IOulw`# zGV>ql`&KVku3lq%E?2%DoA*a`uihUe^wAY~ zulr$}$LoIB=J6aK@6$e3?(3a$KHJ{ktM|+H{$AY=kGK1KA8syhu2U`YIr+oAzxS|Q ze$H{b#)ESD!k6{_ba8)fUt@lP`*Zv`^Y`cZYvw=Ja{a;E)awWenckn~zIAgwfzA9P zx&D=UT|t@csG02~_czxUT&dR;)Y+aCAFb;QGU~s0{bEP|yqNpu54+yLe82EP*BhAo z=pVDn7hwOreChT2AC>wC@hMM}u|@t##;+0WYvn1^8~;_Fu1x=%c&mJg^&4gSlz6W^ z?~>__6Ztah_saCf-DfHFA(?K9PkpXZ1DU>7oXhiGncjHckH~wd|v zk16#(GJQ&nUMTDRv-T?`X^Tu};@4lI)XQaB-5~YL^K~+Pt@!MplD5fo>6m2`vq62=gRa@6W$Gpw3-dKn zzDfRlrA%)gpTGJ)zrLyWDtTUg%@ZyvyLInzwKU`b)$Yx^RleN*h}3tNjCy&yd_m`% zr8Yf+=1o$%O}=VVsh938W6KDdwt9&?U#xDGf0c}^e2uL8GFj%Vj3IeKmcK_@bN_gp zH>+1kKfXp@-;Ag!JtL1>)H7rq^Bymkuev?2PVT*TRhGG3mc3(dx!3Qt=9H9wRhF>i zxf$u%jOJ-c%kEZhlmAZ3x|_#Os3$(4-dpzOpMOAo*URX1FOug^%JYRXWpDPZJZ?}= zmi0E+iTO$QqN|uY}#b{Y*W%Bp8kJrd(B=ym!*z7 z)hX$#lhT^|w@Rr??cW>r`u7{_+uzFv_3_JPn~uny-;Atkw&MPuE;)Z}4iNdD$T?Z! 
z4%y3R#0UN?Tyu50SwJ1Tv3B;187cYr(d%DeAC*CkWsE!-Ip+A$n_u_J=a-IdhM>LU z)QK~9-f{Z)(R)sxKYHU!pZs0NHbWSnz4gpJmQ--Z`Qu0LK6l3r=TG{l&z?B{{Ij>8 zJa^~$J8!$|`7)sE4JXc@eZgC=KWfRyuD9PNW7RUwjD9z%%Ce5#bxww)*$k*cZO=KR zwii8TZ#`L4#*e&PMp?Rtvdq~Gv@7p&`qagdRnA|0@qsVDq9&_u2GDu+>9?LfW69vV zr_UTedg8ncO)EpxoI7gWefv+J+zgy_{OD~b&YVAe)Vl6sJ;$y)_+5@&_YG}2cHPB| zlhu!1XZlSFn;r1&`dG=&mYjc!JEa|W$J_CDYCGXheJ9zO>|{Iho#oDYC%0SJE$)_f z-Cb|j->vP2yY<~)l+l&@47fO{eKL%T2FYY5L7-v(^lnVKZvhn{hK~ zrp-xn+RU1>=DfLRE}N^Sd~;GO*UGmFEvr>**{xE`X}PU(%WG9yeyiH5wSrdIidywn z+)7%h3{Nv{Wvy9j-dePltyN3DIjNm%=i7z0)h@Q}cB$>O-FCU{wJUAEU2WIeK|5?m z?RqwgbI)10xsda)* z*oivzPTWa4X=l=zcCyZ_Gw&=q%g(B^?x-Y}?Y1-CQ@{Ep)AJv1@lrU8n1I%U!Qq>H6Jjx7H21 zVK?g5yKy(^rrk+*+ReJN?!3F`F1xGlx~qD*UcOi8S-oP;1T&^wa*NKkaAzS%2PN^q2irf8AGu+#o+F46H$MU=K! zkGxT3qi9qg#iL}DjwYk&C>za2^U-3o9IZy{ks9a5`Eg-vjf-P@TpBxL zcU&HODjxIT`@$v7QP#?x^&o{i_@#dtYhjo0JNnLW2TJIA>=9~WXP zF2;6Tik;Yv%dr<%Vn43NwK#~wIEw3W94B!aPvU8u#j|)GFXCmqir2Af5r&j+@j4{Sdte8fK|{C53F{#&_S{|gp#=14R442&M=fdND8u{5$2%QKUC z*m6RG9N9$D$?S5oNpAMH*ZItF_B30E=Y?Louny>phac*Lm3o)>ni*qf~dbV_>PYcC|0C; zqnW5-y!|B<0H^U~{JRGK93MZ#WQ77Vsy3nEH2!@Q|Nb5S93Q`7Osq&MK<*>@N<1}I zIy($xgfEp&(Eu?|z#C@zs_Ecjg9!isLZnxhz%?QF|9;+q1EH~7>#9OygLMl- zW0^YNdb7*yHg7c7hj#tm4{k=RH$%DG>wFCppq5wr0}zV^R9 zLKGeag_%xseAWY%wT97R9iBR8>xo6)pG-6y59cS$abx#H_LZ?4YC_gJpf>Sub!e>0 z%&)7m9*UHo4vn={1=svG^||oahkgj&8hf70o)g;hMh0v{hdgK_lKV;>jf-_KY;C9y zTU-5MD;)}3zcDwOA2n|?Z{2wC(MM@aL4KsJs{6*mfR6m$7qX7ESd$^^=lR-e(EE{n zyU~c@z4K4_Ywa7w-_V}CclYn{C1Blt>BYf@H>|*=zDW6>0#@&(b)oWuk@DY!#sYOi z4KJ@AymW#0&L08Pv{rq0*ER2nSWoWr?)gVTVnymUF_+AJH6S)$`}ButEQmec-D7~T zBJZhaI5Acg0Q!YNFzvRm^{98RXU#*IY6!&0{xWmT@zg6*YYEj*IA>Ov4;a+#`TrwS z{s?h-S!mD0nfFg!6wY4wu0J$#$Y-%yZ{>`)*nOGtNGfq z=+%)xT|2}v(1$NwR%O7u*S{c=3oUFZKT6+cQRkB8uGQ`4x?r}}9Nt+G$)1Cx^7`y- zB(sdn-0;Z$CFaOPe(Gt{+Bx6)L#X_f%(dpo&MG5w)t-E2WzhO~Rl{@Pk;8w?Tt@S7 z{t|N^Ek!iR+Viy!Kr4qv&d$oznLvale!zOfdu3?<3%=0215gN|eGj$% z{t*2iI`bc)T;tmB<~*6v2d$^W z*0IT-V>M&+)>GEwlV7+}O%|dEQ>6yeWFe*rO%KqFsnO}48~q`xsXk==j3zMz98=}B 
zeC@lgg%-+(a$l(1$71~m71als9SSLx&pTG*2 zudP@E)nXmWt*-*+eC=a+3|Y_eMEDK>Le}T%?m=}-4nQ@W$k&zw1IA~0B=@cIIgF=0FMD@ik0wm($ntwG z0l#h@ne=43mVX4Yley~JyNHDgt+jrlbrs;ySC8TS?B)16)x7T<*aWNB`n`KD#B(I~ z!9y2#jHzY&eqJuwWh(oZX8>KhZ;j5L0#-o(?w6qP+0g#ql;>;96lJ0{!Gni6<0SKd z)Ldw6ZDYu44TZ)&$E-AW<&7nVkzUfW=MC@fzXinVPy4-h4&jUSME*$Fs(3s+R`KYX zPy17UIJFtMsIa=xFjBYCqL8b;|6W=<^0j}vnpiT4cCz!4{Q$C0nE=n%Ca5I0n};xL z{S+*lJo?9ce$85cwmM{~e5!Tg*sK>eS? z<%dJo{4%QP3zhHBd?b{+scdSs?kD7wSDHn+J%nPlCv#578Y9&PrI>wbYECG3b43V? z$83=GZjfa?lz%8ZcJZM#aew+U-4ET1Q-0{d2j+7ps^9t^7T@8;n6!Id&ddqZI(Z#f z%UWUTe6XVq01P~N3!uR7kwg6srMW@PFSaRICqP|d23bGbwVFsx)d0nQpvc!g^&w*E z*^rg4p(SoX#A;q>byisOCja?Q`Fv>P6;Jl}SdD1ydm>-^5TF|#&e!fi`e?-ZMR;sO z6)Bv%L3TLTj1~3Gi1l!Ita*5(x6X&bt=xfLHJqS2ALo|TocmvZw`4Ao%v@Uru6g&+ zIyiC+bUu==y@J4VwIiVNo;fu2>cdNqlW|f%>cO%yUNIM|%75ZJ2DrWv#ThbUhOaiV zXD#n!zYpf5;1O$BV zD*Eyj)(fFshwcV#8xQ)sI~{9z?%Q==ekGsZ*MA;{>*i&EUwYEoS<&!D$hvt+#CjF2 zy$-c9_T!0j@%IP!;BW56d1M!aCcg>_&DGnhyt~P~Hm&UogAFf((NK|V8+RQxPJ{c_ z#iysLt*1fGU?AQeZ=e3x!Vv8ZRgIRQ~+C)Q$at(M6&1Cj#SjRl(ga zW?v1AUJgmltYTv`WIY*ZT$))NTKcm{&Yy3A61)KOG;{8F#rdOUXeew=1R9r}pZ#@U z^ops=Be`pHKpI~2MCOu^wg2Ak$kI2#?{XNT3uc4)uY=O5a%xSHQ2SXx--8i)5~ExG zgp4#OfL0}%C%1rlaH-vT+UgB`B(pd1~Kz)8lGS- zN7Kl(9t(`+_8}W1b#&?ylXTc4llNd`BNnP)yn+PsuM7hAHIL6@lN2k2n56p~jz@?Q zRT!~X!nszgf1asxLu>YD&RyMJ2XxMw-Du_N)yZ@Ck$N`jY zUtny{QBcEDU@9>Hb1~9iq+SIY8C*o6j6~t#$&X-3YIs;68gm4ffu-?GH^9F;%% zSFD@kheAsa1bAcv;}tbz&b>N17aFvTD!&oRaW#MA54biY?FoP5l`Kp-R5!=}9r84K zE=}46RW#ZBqgRqJt!82JH#THKkfczqoh`^~NRmD@UNMgcKV%*7H?EqO{qxjRxo^?Pa=(^XZbO0ud(gFU_`h9aT ziKecauF7lQMpsBGj}k}AkAM?w*uIKt7PH;E7y5}=G5OHNv}?#zsUe%{w)T(+h=8i$ zgWwLVy?7EUHpwW8mN;cM@&OMPWUNN!>Z>yI3G!|)Bfy-7G*1p=og`~H6e#}#%UTeN ziuW_?A>R+oLm!}d{uu;MUIRj)yhuS6mWK_u9h}bgS{ShoL~@sW{7DS?$~U0LSDpxr zt*Q&Id^v2LZJ03ct;vPn2NUupPcB(udhc5uDSyOzVk95i;Tzfi^N}|{vLhPW=fMZ< zPlUW*JDR@1933jZ$3JC`oa)P5we*q96}wK+z9Vzd$f>eS^_oYr9{_~MKYn=XJ@n1xANKdn!An}_3*-Y?>jPb@-6Czf91>9)Me-T$EO10|FQD9sY_NqhcEu! 
zFYi1bP!ElqyrapxciBSk-e30ZpQ;Lu56ur+KM(HCXI4>rq1?59_XJkl189vJ_1^cn z#%oBklppi&{{CwEnwe+rdW0Gcj@`7#|HeZe@9t|Mo94(P9?CJTKLy9HG{+wgjwY+k z@xv3RX4TC$CtfKxhkrMF6q`eHG<42rpe_mS)d0r3`?<_T0QcT^@TrqT+Mv9*AXVmx7YOAEM!wTqts3($nyMhQ0sI;Azj4@? z88Ced8nI6#c)Jb%-%G?!N#Mr&}J?h_EX+23J5gK{PmwE5VOPfofvaEje)jA1efVvUchA?T{7d+=>!r`( zuXpzz{2lpYS>_YmpAfYHE2j1UMj8bF4^wm=zAv{-)oNCW37&(>AEEzdzxsJh?3XdE zPZ1k3*IfOxY@<06T2wZEU}AC>9AA*g^XPjy1a`Fj+~F6H_|M1J1^%m_$<8<5IOx$B z!uf|m+G9l374&Dp$eU%^Wl$>pi(qDWAS{<)m8ZwqCfp=_oH3tT^Fze|?Ii(gRUJ^k zjdXPCTu|&&^Xe{pUe#opFuVMj_oJ{1Qv{My1rvnO5!VQ1?Wz9@niR?%z0E&<*E$qWtnr#IiW=$Np-)LTdb$HYN##C6Dfa~8k$+LB2p4U8Vc+vU&*o-VJtTwmN zW`t~B-YHC=YgU=L54y!T^K8ia;{))2`-AU(ID{QTy%8)w3J(spoyKqg>!J@n9qbdA zLZY#c9XXrNd<=Vv_1|C%9tN;KvUGwLL_eDsuqVmBcpVRv*9a4gHU;~KSCi$>I});p z{h_7DXj}g*S_!}<%2{Ob=dX}0R%mQvmGVb@r4AFGR?rC~@LGhdL!q&o;D}1XQ9I=8 zw*9oZZ+`PEmgHT(udgEOZ)a7D^=iO^-aH+!4unVY@aO#%^cGCbCo!eJw}H1Uk)^O` zu|I+351Wl#lWe+^LCoc3x~qMSnC?d>|N4BI-PrOJl|ftiu&eqv?9+}wV=g@~Iv3la z@%c5h6|f$MAwJo~RneSX6;}EZaAxV*(S@`Xx_I{P=Xl?MjbJ>2eaE!zR4$|rz<6>s z(PGVt=c36{E66Wul{eEnom!T!Bz|9 zI){{@w+2rQFB5xw*c@Kjw;KJ!W_)C#tZ(&_>=_X8Gt|5PRw^#C^wbBYsW9;l6=)YRwnS~TeEHg6z8`4En&IgnuYVTvs`{&_y>C96JM||1fTk2^ zXt|sE|9B|(Nq@ffE~*3$wPW9stG!MYjm^&2?qF=|;Aoi0G@xjmD$3V>R25WF!9^kK zDb@8~Oy%=vvq(CE|{zI4%-VSM=-zT|8Fo+~ylA>zon^mXK(`Y2ou7>s(NCS*M` z`J+>e$1eXc%2#i#%3Nw)zi{=|irg;RYkLFx*UU~4%s&&3ix|fvlk<5Setmtu_Sj|U zRj&FGltSMghOs~SJOrIZ2!pAdn_J=BO#2{4Fy?<_epLCc7dl;>a2fbuq(cNwLIq;t zE7|%2&;~~T)kk^OZ_Qlyyvbd_9$39R^pF4zL=dLzF@0X6Yn`({c=F z7v|n-c<9XWXNuf34JUZ=W1>%P_DVma)ax!h$0k41WijZ~KKmJ6K!nATn zQJeJgk7h!!^fmwJ)zISp@oO&d!#;i0$~`J|M!637_Y-8mu2bto`C(S*PS%wlmffv` zb?-liBx9*}_hYCV8ma!B&tt&qz20XvSJ1fPajfzf{!Rw5rYS!<`{p1wYrX-E3|66O ztQ#~@>#^LHKR&*|OIv&L6A>G2irx-1ejs}`U;CT)Lg5{y>G&9whfCcH)sVnhgnXGA zbDMBI;w*<#G(*o|0oq4elP2LU;6z~TeQQAO)a=06@|E}!SiN=bPD z5*wR(9Iv88b<=!+{0Cv{$%u70{KLm^#zCK!HOErtg)JP~9S)s&0Y@t3;Wa1HuaH-@ z5r;D5K7+bA7(VlBDubzdvMe{hrtIOs6%U)k`|H<^M&6Z=SjQqupUyrT99`B(tug~u z(|_5RH!#<0=hNC2aPehiUW(L86nFWjEb%(Uw 
zk6J%jOp=znZtd*u$m-?)jx@6{Uwb>UBUa@@ zc*G(_M{!>zz+CkPQ0?7&kY@Dg9K!LHIqdDA-S*iFDDV;{TCe2J-VJE& z`dUFOFo8y`Set?k`ABXLjmQ19fR+cQPII6h8b<<2m<3ulwjk;2dFUUa-Eni{{nF9$5fK9J%jIvz{qvZ<`I}6 z^ww!K4KvES`w$upSUK*F!X=o22eA~4HD9{{I0*VPfJT!{`~5z!kILHvx#mj)W4Ghj zJC`F?(|7;9Wt241pL+VUg#P$oZ!oIN8q+!xT>atgI2p?kI_y8nPlTpX{Z;?NB zB0H!2b#u*Csb5W%S$`6!eC;We;0ctdcJ+3hlV9Wy;eu0-?*FR>}1buY9`YXSbgnoz+?l^o~y6T(pR#$M*%gNo&~G) zN8m3?dZ+|v71iHC$<&MZ@=F3~2gqas%i*an0M6agFH}o!0t5vZqJB`ol(4P%7}fs; z3Q@A@CuA0yKdFRF(Fo(j86#Z#06^|PU9bbGNW z0H=vZWGO1iqXxZF^j%Frbd#!LZaRE?G z{u5XL^-g+QsrQW^#lZyZCGr)~o(Vhe_J)`5|1Yev(85XR!3$9XMkE>AIJ3^zeg_$# z;1juSXfkNrZ{XScpqNKP-Ul;vD|6jG?{{Cdeu-cg7B|2Jti$=*uc@jy(r09-9922X zy?b%~Pj*Fx+Vu2eu z)V`6zq#gyomP|f~<1t!RKe-Sm^op18JQU&zDRv6yM*d*K3G1Z@{2Dl>Di4gEPazAn zWQxuS!px}X3y#$^Oq{wGO_)FN(O>J2!Q7|IOzXr{MR??38SJQeede0SGq1tXkcs2# z6B&4B_r5W8E*D#81mcMdq;|h|@6oA3MgyGT9 zcmYrNvd0i*l4~YU2E_JY#CmqkTi!cA0da8CNnI!#J0JK=@8=Jg7J`{>MWBu~NK%r) z5gKChI35pvc*ILu4dBkC`|b zjT|V`RkBZ6`wyZil2?Sf;XvF%BqojY$eVLh=j|igKb)U9^8zgTkw4B&zd~_wA8N6l zCDO0pV)M+er!)80jYclQp6eKU$)0XLTv3A!#RRoO(gI$;pW^HmuTb&a0v+3~X7 z6B(~M2({xP0ysSdg{XtxKAgdM>j}i_tvQx?KlK1b-0ure3pyKi%>?zVg1M1>8CeLf zLG2mj2lEnvcQC4WZh}vFR7RZEM=l`2{8fm8ecs4cn%47EHG#$tlL>h+(71*?jlaTJ z-G;W`fXf2hg(bifFc-Q23Y@}RoO=UmA|R-zW)SA2iJcOo&X~!a_*quHUy~ZUwDhBPuf> zL4`d)MU(7ql)yM@n4nIPoRt&Res-O}LcE`YZ{d^K&5+o6Q(T6hRn6obuuL&%81YX9 zRx5x^nlz#x9)S?%4x%UD$Sfib_(MydCa;}$FI118L_Sm5hbc9+6w@mIkoD84uLNPe ztk4Ywtw(d+9&V<^dWfQ#&LcAz6fUqn$E1wSo0_BIg%DUtUMlJ%_yV466=x^&MMbNM ze;&S0>i^H6AJKorQ(B{=km(kX69`&e7y5!$;KI5{`BOpb)(bC=lphRQkqZ|_%AX^p zu^2-JJ+WY9*EJVW6l!+X>f0}>fYraBCbzlf;nc4%=9ruH(omQ zKj}im*W3tIR^RX(St{_g=WwEkidaQ_h^eur*q(i40c?h|*S;4=&E7rtfW}zJs(4>L zzT`S7o)y8CR%lbm3d41`5wJRLc@H202-v%cH2h82r!!ul1P}AIS;h*JFKD9+MgUU}}M69mW?A@+}B0q#bIqmvx>s5==ZV90m5fAqtMtIpk8w+Z6sgZL@uDECvx zQ_-@N8?5^o{GvouKM*XeEXFjs+1^{xb^CnK%-BaG`M#`u9e@ z_IC)bfSU^ELtsI71z2z{KoC?6v+==D`LpIdh?VJVM8Duo-wm7gMdHNjo?h>spW|D| zYHp9@TAm1v#P&kf1ka4bykKC|rj_|x*P 
zeC=NYt92H(^62LnTXrvy+ySHX0eBs;^gjdgsC;Nk$ZA24x)YNZ(=tt2*A0IvVPpbS zfJ!??VpC|j`+1(Zhl4wevEXmUg3lib{s;C5X!{Q^5`gi)G{$+upW0z$8y}2P$OUj9 z4jDyg8u4q)lm_Tp@19qwxg)T)h`DTS-OAP$1CDZy;2q(y*$op@Ki9Fuww|OD5bHG# z?b}a_$+g|7v z1aVI1!<)FYI2O->K7V9#9_*jtHBi5gP;>iDI>$Q`&fPHEKmPdsSBlP-5T2Aj78-fk zll`?hI)L@-pdT@6o%Gxyn6@7mV4C1jp z&*E>x1YPi;Wv`$9Y|7XE7M@$2k0#+_01xp6VmTSiZSf#8gUZ;6uCK!K-CH;GLnW*e zB&=98(bUnv*r%RFdK~{wVgq#?O%y1!$LdOQl_MgQ_I}+Ex2aYeC}JHUHKv)e1(3Ol zcU#Y1i#B}T&%PhfHZ0l{XN3lT7Q_QF+<4S7FXYGX2bUnvKSj~C$ehUh4NapTqbqy` z;-~n6X)*l35`Zc1%Q!$WZ)nC0(~c6gNQEx}*j?uR7$&%Pu))R_dMtKV=t%Gj(6yL2 zv^haT0j8m4IA8mD`j+b+g(*L|9Ybb4i{9DPJG(i|bv`w^=Q;1_zd^4sW#7UV(ybVT zO}hOF;KD$V7ld2_AIR6fjNSO2iJj+I$06~j5xjBglY{`3u>WQU4beUEK;GkpX70t& zC2eE&I%~Z|wSuT+-cOT@%!^H-Bc$|Uuio$$=D8F4_XPbeY6ENBCURIf_;WYfEHLNp z;P`)nKmUs~%8}r=6@TiS$etl&$52ej`mv!Up;X=vG!3`RWlrdy5wzN}x6~X7*7Tzy z)<=jcMj`^CjJ4-$=d*JR*km3=tO@2~@H8oaCCNj35E<$k>Ee+2_U^6a6gldbo>8V)6y7+x0_$_Om zN?*`t?s~yE-IDt|I@L4}ms4)`bi_hk*cesNS~X-}jQp|k_6re`RMFD#@by;UsPDS5 zz@tl`WuZm0ui#h$8-TDiH*9qvlA)=l#kvmRflqoX4>CFb_s{>w9Qe$O3gIS6uaopk zlHM!nkfgf#`+lvy9g_5ENne!oKP9brLBU-h=@Ln=k~Adgt&;Xjx?R$7NxvlN=LPQ} zd45{bUrG9kq<@yQ<~OSS#gh6Zy+zVNNrxr9OVV#hdPve2BrOv@+%0t6DQQyDE=ku) z`fZ`3UY<4omKE{y*zZ)yJ(B)HQVqZ4x9VF&(mqLVm-MeB{i>u7Ncyy-3nhJ9KMVe= zByE@U7D@Xh-7e{FNxv-Vqe6d~;5#YLugJ5eyEW6Dj-}ScGF|2!1pXWIGA(ZRvCc&t5&d*lj}jpzEm6ts$TSTyTJ?bit zXeNMS#6X-lq4J4QE$J<52L>}Sg;?d^ zD5KFeuq~D%pv}>qt&Vn@Vp|5{?NNowkq?e?6^%a_?-eM87v;^_R2rR7&({wO4yp?3 zxhXp^*c;jr?~M$k^>`8A)qu1|2V)r}eh&IuaUnjGNNf!b5g`gsXrMRN98K}~V*JB# zbT5q|Z5|v*DhX3?)HQA{A>EVu5D<)84dkixcXW_K)ErLZinH0Cg?|tr8W>xB7U=I}QE!RGvxRm^-bnYrh*9;mUIqVDvm_P*PxRRN zVoeAi0}Z`|sy#KZZ6GtSJ(gYxeBcYro>(fw%9o!}9S=O0^s^c7g>dNEEBIQX>8)bW zXt?zQy_x7(Bn?}MRiznj@#vVsm50Er#s${ zl~_Th3yZSGkN&mBuq>xD&51!}$uJ%^bBG|ePIxZqeg&G9#lp{uJ}h-jDQ);@I2wqS zSSB^llja$t=us7%l&gHO6tk9=F7*t;wET*3s`9%M-SL4Qyz)qQy8zz|k;F=+DY5Z1 z4@T4J*622Sy#!y)!DN55X)qQS{Tt}j=BSc`w!S{-6_EoPC(Lt@XbYEvf0Va2+7r_Y z4fkKxM`Z(O8D+5)dOOi{IG)Tp`m3f#AeP>mAp_OHUs^?(7Q&$UTa4T8uS1vF@X9`d 
zh5?5mZz^BpkEUPez$diAR(N254ysWiSo(0g(1U6O)oNwuV?9S-VmFbFt`CB^f^A^;vuhxOg(8{~ozC#Ysc3u)*+zD| zC47~B2bvvv4)SI%;|ihXGmS60EmoBSujEeXmxrh2wMz|eQ1qYnEQ56^PG2JE`e6{+LE!jLZ&TqrZ)hqnk@6qY^o1)q%exopFnSOG_H^f zi0UWu*&@)HEDuCC7+f%?*jTdL;SLolNPh+s>6ksI3jHT~UD*YBnQ@;Xa${x^+Y0JL z(+f*7My75`8}3Y(JzsdqF6O7$R4#TZeCQ_Yv9^?2bnX80evDdoujhbo9~g?!9$WQW z+sCZ@f zm_F72Y4jl}9JRAx&M|&9Ur3B?V??)0lQSGIC_@`wQK&lVXczo*j}sWh4cX?E^b>%h zHneIGId{zq!aQAm$vgu(S?6t;>y4=mg4CxyZJ+_FOrE>rcpIF`L8rK1;4|=$&CRxr zNR%2^hrdWBfGtO)#MlsR+YyI3tMbur#T>`FMtp|6U?qm>*R+jy@ddfF+ZBc=JlZd! zwIsn4o@Sc&cFT%>%BOkn%2xeFzdAGMuY++moi@1Io2h&yhgy9X@SEhf(ek}htwZ1& zEvM2`RUZv1sP;kV#clTLBK>Vi^wM@dks9o^O)+W&A08i6r%h~Ox2XG#0#_GRBdQ+t zAAB$I8-hMohs`{qiaxa3v$Z9WO~^5l<&D%azUMqR+(2 z=Ga8o<3Qss7P9IB)zba8;^I|P`OD`#^za21pv|a_Q-Za_$ zRcZi}Hagf6+ZKY)$n6g@Gnr^lzv7d&Gtm!KEfgK>%OuDfEPHw)Ots6-LD4)+uH=IO zCH6SsQ+^z$Oej36q3JwUs+{`Ie#fX93<32TsA9(df? zT}v~dro%RS7>N&^FsSlLj#3BB+ zJT;N$DDBiw;2Y4Wc@e-07f+KVCwxor4%9KGDqrT;Gz_)*vaUO<$D6pxd|@@Xc3?}1 zKgOOfyeTv>^A#SR5b-RwJJIZ5hD=i>1-iVsKL))ZRx20T^&sc0D`=OA5|wZ7KeZZ> zd|GbQ#8BH64UhIq_Wd-Eoc6L37Ve+8y)*E+^E11*=}DeR@50KV3`LK&Z}oGa7s3Y@ z0Bg<># zI6N+DVPJU3h3dXcO%T9DF zgSw^isq(3DYK6`|9CF)_ZC7Ez#bP}m4s6vf5Zbfp#(~%lr(cV?Z2Pg;O{x2<)CjBW z&LkE}oiF=Y@>vw}2@fwGaOG)brFUZ@59a1XDicWbXgvI^1VoQlaNB0;A{_UQ^CuZc zJ&3eWYIquwOsr7Fo!`YAqyz;y=0)-Z1X>rO=3d)RZbUHau zABJ!0=y>JuKAOupdOZ0X~ z@DgjA6R8vy7uRa4+fBs#So^lMw_snH0a&aTJ1BDe$Vbtk)qW=0H!x_QxfbZ>-LN8* z4h;iC_C{CL=kjR>+EE@HgvpT^=wXH9$Pdv8i+dNS>1VuTA`w{*K68F)r@%W0-VR#& zXyvo*D>a`xV<|9_utGm;1;_Q^mnAa|drJkW$FGnt3!$`Ak`F0%@)hNJhd>)vEQ1iL zE%ZlDEj6A%b90!cN;DbWJTQm_A(rlhJV0O-T{D(PV(~4qzCg|c0*8$&>UPAEP&Y1m zr2NL__O&=Lqh+~(pAMg36ph+4JQ|3`XfE}O$ z$1}AhL5@5&$%L+ge+HYwrfeUMNL~HGaPbUa*Q>K#HGYmt(vIX0(2OA$yuIUcm9NbX z4yJoju~@t_nSwzM%&u}psI$F5AZ+%0JPW)~{cx;dBD?mtC}-P+J!@%9WZsRY`v+v3 zsqt$#Ii+e(V5xG7OEFwq4-SynfOGRj$s|%c3ALkr zRnF(!rTIm}QBtoBssN{gCHb8=t?W|Y_XhxAKE6Sg{#n^0$oxr3PsrAXh+J6 zI#yC&?GH-p6?Lqnp6*!5I7quQbg+O&TVx7BA%88jcma7KpY)efo}E4YvED4UNL#RU 
zB`|?7VlFt=s^5am!9Y5?Ejb9ESf)Qw2oG_$BV;-oa^Y!D!EGAP zgm6$UV&$$c<=Eb3wIiaaKF5TV_E&rFiu&CFYaKf-x8H>HHqAryn<6=2h&l9)=6-|&VS#d&t3gB_eG22ln{w%(y^Sv^w`VU%M37LthqX%y9^C;O zQBgZ2Via!CBj%fT>x35ZEU85%5syAhED=;UD2U^Kqfc7NF8!{=gw8SNmwIN4U0#;*?aN)04;dBH%E ze0WBj)}1|mw3sk!1dg7&66*qCZ6ZoOlp}|TDOoF+0lGgZC&xWzAqCCgQ>f?I_Xc`t zap8TGp2!Y3&ev;&BY()LaSQoGYN5eGzTPpb{+70*^2wOhWo~+fPwbUVJNlvW*JTHK zsfUI39E(OFUn%>-vpVQ59yaa#D!{SQoJK5kdt9z4DfAuHUFA53#Fh(@5+6q(krd>b0~Jkp_E*B zWF{h12>UM;ELSM+j^nTrE^RHAx*dCR3;pg%U8paU+BGSeU{#N2g<1F=DMYEtN@v%XUUOjn;zKGbk&v%uz;6OWjD+{5YcD36UBQ88SnT8(T4sLRE= zm~q^cz}hUc>C*zMN0XKvB2eKS+OiHa8^KlV7`OA;!=rr045yAMgISo2^4zPupMnRg zg4;V+$ZwY`1X6E{BV?+;r(k>wpSTRb3bAJ<7wh)6z-h&?RT>ZP!rAZYhLaGYb%Q&T z{ZJBi{bocy1BZM3(5`YMD3@5F|2m(X%|-YfyVOE0yT5`@HbyF3g%Q|vbNzyoPv_gA zRYmQo{F&h8Py#Ku@f4V-^Mfhau7zwH-f^_yqH|p;+DoxlR89pN56L)%65G!(#2jet z{FZ2Ht0*I9v0bh&8E8E1gIiqV3%8jL4R_I1$nR)tchH6W#MT(1DvLU#@vHJuevv;9 z^U|h^9o$KdA#~BB7KlPu1aEd5Ifx-u_OtRZ6v-K8P6Qrc@K?QqV-SvjZug>9nQr+F&c9e>-r0U^n4MO4yqoU~pPs3^AQ_Q8ep*nkF z-D|@LGfwg!((XPlRwNLqc zSOxMN3P|Hsnn%SB&={2FE8n&|zhFzb^Ow28Fk>e~npspzBd?nOik<4VB-!fgi2-+7L zPohH$_**%uzpbyx7IfM}i#Ri!ezCex3~OXJTPo2a>D$MT@P54@GFf z0oRL^k-HqdovFNQBPusGwYMvyvtUN3{)g;xx_RIz75;>Kw#j*(9azKkcE@pn5}S8@ zII8KP7>Lef!q&Gf(XG5vV3!CG{&0QDCz7!}w4asWb;obQ*^uJ`Sy8!Ns`3X?sf5JI zNsOz?Ps9_V8|8U>;rW73zX0UN$E-y#f5@?Z7kXK3wNj#J$M$w#-#__At-`P!4+=R@iUtX%An!r zLY#PzZjl_x|vU;w>aL}p}2^t_;5MM=jr8&Ul>rsZPgbHIs2K-jry*5U;R@U5gWL ziduq3R`fP=JPL_ni6C)1q^E_!{H&Y@j!~0#RlY0chv6~1wAIefH?3{!XyKWQYomiZ zOXSBcr-(&Ws_I3|uAtuNxYUE{$4$EYzllGx;RbG^%lgzc6)%Rc2AXw_3(9oifm|Na zeGNzPp5%RCSC1U8Fo?p_G>C1k3V@Z0lF#?r2e$P%?orT4@cjy$j$om1-FI)sJ)SI) z*q%sclPYpiD>Q{z;RPJuUvEnm#) zJ5;zG-dDj#QpNlaP3?n-2P`f+yciW7C7gAx4*sZIB*VHZhP zbVBHGCl#(Q1Tv^%W`>O)Lk5i%#yu!4`KliB`Lzz1n^K{W?-p5CKI@t3;!+78V%!tB z0xZH&sK@c^w#eA|BBx5U)S^IZTM0euuuDMzn1a*tg7zdI_KBH7^sbFp@^yoS{4BzP zRd|tF*NCsc1LlMh6t%AyVZ$SzaA?I+$fxV5IJSa?q}!mHj&i6Y9Js3Cuo-NZqa_Mn zp!L{Q5BZLJ=#KaXp%WpxF@#7dv?a@4p?%WGg<&Y0od~t-7=F1B~?DuI1A2dFtVv5!u 
zj3?Rubj1V;Kw4IiB3O1iU0A$mQpmJ%5ah5q6WVIiu zU>PYX)%^%>gThQFaM&5c)dYwjT!_*DbJK;=(! zB^;+$=7?%>jF)zpLGD!ZbW7Y>jyK!5#7y`ZMn1&ML9*f-InmvUz^#AixLj4ztG}*? z{6uQ2&ei>mB(PhF4t6E9yGp-CN$6;4#R|A35<^I>i*G8QPMRfK!$-H+5}-;{``8tM z1ylsJMgwVkmhEy3=R1|hagHYZRc<+Pdla>g#gin>Hnucf1M!yV5KFwfAL@c2zpaQl zZbvSQx|jOA_1PJ22@(T2GDFc#F=ea^itIkhcN>HXUfl~*Z*Fn&N3*{xAtO>W4p62= z0<7@y9C59bZhmmNgWrlKf^pP$S$&RtdbxtV(^mQ9jpX1pC1eFQ3qC4$yh{wisp~1F z%Q`~Eb7LnQz?4eJ0gM~2u;RM&OI5bJyb~eu31TE12$RVSiguq(glOO zWpU#rU1lZ+;PQz*wBX9SZFPWtF}shmtj zRjL-3f?c8AKt=%D~x2nQaS>?Qfr+GD^!tv#mlIRH^~ zsokzt%__gh4nw`a$ese6%U+jf?j_#d78^{4%oPt4ba9JNsk$T_m(-*m&U>aymYo`B0?x=CmlEj;>hu z+xbehfNP0tMrmlaee80@=l{mO0Us3H4EBp%USyxx`Le*#e0A}sZ<}m!MZd~Hb`vze zVz$r;xFO2ygeS^z`_ASUm18Bdi>WOLvPC4L07>XaA1y&qo}nR;Y$03UeClkB23z&_qg#3r?lWmKJDtEY%=Q7 zLjiur0PalLi>IC6g-x9}W^jX^F0$(pRruhN>)FaaB$`eIc~$`iZVQR1)AXq*1|?!5 zDymrMFTA%xuRyB3LVocIQe0lVQb;+!7|pfNy4#iVG~aP_(98KQRWwaKoIz5v+Qm!3 z0NCKDt%tLH)o+(OQ}-Ly)uct-3$A}V@7EA&efvwn;H^1y<%&NFzmD~#jhqVjb>-t# zoN##;oEE4lqZfd1K`TxY$dP1k zrwXAfLbr;1DuqyeWFW>LaDb3M6)u&u+A<Enpq2DP;ep1n zNu918?N_0$7L}`edQEh5QmvHka#7kg_Tu`wyp+%)Ja8P+J343L7y0E780dQMtczc& zf%XBq+RYy~ezm!AGmAS_)L+18Hvx{8RAGDdXlZwhZ)w7YBg4JyR?X9kC4j zu8v_Y>L2M3CG;}Gpdaw^4oJ9GPVROAuluOn#m*h?n?Gt#6WpI36fcctpLE?3B4L&^1DF2=aI%T+9QAe-dqSmK*5 z7oA)LP$&=Lodj~74a%jE4_zk9Oqk{v-S92FSmlOy-_#YP5!@_s;zh6vHt+WRI8kVY zcFA0K+#gic9qmwgF*jWJQQj(B9vU3wns?*ZN`%V=mbhMwhZZ5V(JO{@;N$lm5a+e_ zSDw)ld`>ueO8|S)XTZZ|7fi^0yu4&aIJrhzOt;;RtO`!`>)>PiKwRCHq3Z^kA$oan zz=_|N93TkiZ;z`>gv1Y$F!l0d`}m`@o;t!Imbh40=r{Z^gVBL)MH1mGFS_SgG(Tt! 
z(T>c&L{0(UN#_j-b&J5(GkU(D+|f_=Rb1(m3l?%E6t4Nw9Y+lCj2tcWN8f-bxktzS z>W*)XCw9c4q~HhEal&NKu?5(xbPl_@u*p<&x-kAAokB1=5dgV4F+@g)R?`?4Eattaj)=KPjbS$&e5&1O}oV>x)o&qz%=?#4d#5#`VTIo_|3Mbgb8wJ@Z zt64?kF$0|Ku_525+_Fcd8R3gewbl&FQ*rCybXy-!q{0Y0O$6Ydwq6l-qJyo+mMA&U z={$2f%%x^wQ9aUu%0hDEbNQ3w@3iAm`!rd5!e$FJs>l)TFU@Qwfw@F;p3fDr0??@< zoH$YszoFm-gK6F^3gEvB8dhlCif1y`WeFY@wx-qy$wvy4-fh+WBc5tL=OT0;Il* z(+F>acg}u0hqHZEE*w!?W)&c#U5+*$+Aj%xEQfLupcS^j?V!LgRu3`ZoBbvaEiW_< zP$)CPDYaqa(&Ey9#P?;TG5Ky6(^Vubhq2no=^u_(5Ygp zYd<>Ld1tt$oigTbe>Cc?8%%7*OA;MNTMquATx3A8P1n})S}0c@k(u&U?Sh;a*8_31 zpTX;b6jx@#LuV-p#O9CCrw{Rq^J!tQg8-c4BK7Dp54BmSr%cc8u)WCl6;3N1a99qq zF_v+X61lDID92Hii?rf62HvrVu#2dv-$|hP0{$rZFVY`&{@PfqmwvkjivY#I>2}rP zrnQK?8l73H`bWPXqX!f=4E9QDU*cT1sQtouw`{EFcpFsecGP*d^W;e3*M}-JDb$#A z<2HZ8Y4=<$m_$-vmt(FL$_R%lSH}yqSYy}DccWB3Df0f=up-!<~ib-PHui{M#FI5vkR?J>tgh*^Mt9K&u?t?8ok zJeJ9#b6bcBAJx%MlBicFDZWv@L$TQHAz!VlbayFbFRIRRglGtUiIZ6^fQ~UNB*94%_AC|H4NRP4MpdV3SSI-ba`IIy}=oPqby#I=)IaVZL|v zXEXS1tvI&~0~8@I%5c~8m6o%}+x?PqRaJKG&T-`1*p4t8=(-fPKWhFt#v890hqVQj z!j}zgIp{_}nX-7aMWgzq+$ZvSR9X3O1$*1(IDS6K(LU{6?4MK;nN|@m3Xkk<-hsf@ zj5a77tQLD$X-jSn{Bo45dB{Hur%H)mim}B|ophNMAGaSz!IJ$)XNmkmmcmaBFv{uR z!9Q^!7vqzWaR9jMlQ)3xWU4M9o~JO+okkQxORMCvR=kZP9t6)y>N8Y#Wr#kvdxC}$&ORDCtF+XQQp9- zd^KRO1MtFeXM4!U2%mdGMV%{K665(8sOO?~G8GxELZfJUamGPQeGS zq6KxJt_`O{2G!iq#X>*m5ffA`WjNGN_hB1D@+12Th-VLeQZNzMy~M)6FWFTTIpEl0 zME5wZC=T05jVs}yTW~0GnEI-oM2cV?qL&>ZcorOM4{MSYr?os0o@v2KgCS8x;kVZX zI`+W`ao8rm16P-mvI^s#6T)`2+@Kv&o3H`#wl{QKIX)B_f*0j~5nmYY9r$98pWRhO zmz`fUUP`8wNoWgZ2p%wdzp%bxWwKL6H@e;*NBOwmfES75W!sK>!wz_7wy|N+ZN9ZI zvSPiyOv3kZ@_qVt48$8&Ze5Yynf4)~mt?{>0A(aGx+|*j6XM1WW59?T4aQ0%YpgJO zjY0fJA2&XF&9g$6UC}!@sH)m<=wHLitPkVBL7F~+M_#EcYE>ZEhddzlPl4&4S>0`=3g_42EIhA~HF z8`7TPTkh+lU?p(Cw;5;791gn7m)<&%WIpg8)S2^93V};xGd{QmX%$4Zl#hJqNtj-~ zM4#>^HGg(H* z=JRjo^LH4=+mhz#!_O*Z=wVd{f7Q1t!E#p8;e6ghAV{m{ZfI@3Y88k{Y{75iZt;P2 zsZ3#B&A4d89u^;PiJsrb4L)@9XEEhT_0@S*xnJoF&qi53#wu&H#snFJ zVs_kI42AMYTl4iBTY@cZ9XFR$r~2VmY5`wv=x*yWi$IXwVm61ut!SsYxvjgk%MF0? 
zuI46pp3vPHZ0_y|cexuSc=P(;#g{+}Rau zK~dXUaH0qV^;LNnTyu^xo#EDXT&b-&*xBg-DDV^f*w{q;08877JAiB%k9Koi zu#^Btd9b6!Yz-DM4CPH`^Yz`+^t&V2+11wJBwG3#>h21FUoK*SClGAvUgyeG@Md=) zTr^57N5Z#Y>y6=#w$>ImWkh$#Y+V=J*xJ?=Uh5t-g|`DD1Uc-SjvSJs?$!WFnp;AV z-+40_3TC-Df&5^r*@U481R>65SGdj9L6n1gsI~FNwn(>YD0!q%9&Txe2(`7+=n4jCJOgNpnZ zYOCRsPDk}mRr_EaZi#8VU9|2LvHu;$=Sm(QTIcxoBZwf@Mtgc_Pi`-CR8AJ3Zy@c9 z_Tu&aQbPIgv0(kYYLzdQji-IsD$rYbdlg}>a@3_!)DT#n6Wd}K)Pe0VY_`BC=!wP| zVsi|Q&^x3w8s=kRT-6{6LwfnjE?%JRWIVMido-U7fHj@-5v7T3jBgNcL-8&Du&;Wq z>WofF@-}>$6`H~@$F?tD% z);7GIga=&Nq=vCM+DjCsR}94Ym26b6HIqnhO~nU&)7CVMILf8_2HR1#>5@=J914r= zD_hQ$7{7y@*Rz~2XRV{g*CaW{;^pj_5$1HY-stSY3Fouj4SGqPaDP04R9a%J^gJ;9b6 z{ov3bdh7mlr?I45?OTppH%Z@y`L>Bk+{ygTlHEUw9UVd+{yV<71B; zzV67_U(>f$&-Dp5A3n={ow#a&83~c%CL9~KH4I7(@n<>q9X!Ld0>QqIn)TtLR)%*h zPz(CbfU3*nsb=V^9It4s2n5A4U$6RQGhcIC%ay(*+$&K%whS-xZOhUxq0{<9zwLpU zf!iMaKGo^VRZGkO)e^Sjv3F=Go*^DxwQ2=*?EkPu?vJ#nMgmPP=WUp5etla~(PTf} zh4rPgn`J>@^|H*D$n?ijI|kA*AIXr9w2RU_stYo7HbO0M5UeyjkGOjbn}asG13kWL z!o45%Euqy3x{ie^8sDjqUB1F+LKEA2PAre9m=EVKIDhMvVG+@w(T`zNW>)LUOrRb9 zH7raYE{xcAa`*bK`rro}u2NXFlnK@y(k`7e~tNPqxL+ieJ^r~z02yk;QKb|fW)A&) zMhT?qfr8(GOPUa#0%o-Hm()`WG*QKLI7})BN!*ZXC#}K{AP{`7);G{w3Z(O=+g>k88iLvnX1t%9AKX0N2 zO4xJZT;sx3)y9P@Yfqnl^4#OziR$G1P4n743+EaOd*>MoyXF`RS5+AcS1vex-pQJz z=e*g*dA;v9&Rcbvah|8nm`6Bj=NPpI&OPltS$%xo#GGW+rrGVY>XGlAWq5mM8{Sn& zSI$d%yp{NVf#LNmFsi8D;3JvT9G^W=nXK4UUSHPE_!dutue#ExUUiXC z?OABdqWYIr8<%Cgp38dA@m#j5+H;v_mdEZ}JIZI38M9WF)q5_UXIz}IjEj56jf=a+ zjEh%|8W(%+G-^)*=F)lK%bnoM?MBV%b571bK6j!jIeXJAs(;ZO<08)&jCrT$oSc1J zQ-}QdvyAzxYK-}xSCF0xk5SQt`~`E21?caBu35%{Rh5R~81k8y=Yp3t;HB4C_<7+a zk4*>0<_6Hv4jQg=kImc)V=j0%cjc_4=lm+;{I2=N`K#s{=XZe97$uc=F7j%O^Y4|s zcg->0%5?B%+?$ddOQT2R5nBMcEVKjm-A@EIq zK8(Df8w}(4uXK)K`~-Oh;D$~X^1ksq!}uoPZgS+khP+YaP51c>;lO8;q}NIMB}wm< zbVyPKZ5a3cT75et>C=+FDCvJnTJeH{yFk(I zw4}e1^c6|}ENRVeRQro1^-Fq-q=S+UOL~{2-;nf>q%TNXCVaSC=(tnTq@-Pvu9fuL zLPxzkYyK@O;^#4p5q<8F^cRwX`iIGOZr!mepS*3Bz;=ag_6Flp9TL_ zlD12Fi=_RMZkKeoq+gcwQK7#~@ST+BSL9jKeR~;pjX2cH4#vokBHy?PZ&`ULhKtM` 
zy^1~)3~kb|t%kdqj6jJ>FpZlT5@rP*L)vfWxPfzFm*BTPyZF0~5qYUnVlQw8hqYf` zw$<-(`g8uVvMZLt)(Fi>pzxT%zrH31gpZWd`%EGfMwHr#H*5Zvp(qt#W1pfo(SvK3 zDL!}liO#_j^~^B7@1eK<2@d0!6C=Nf_L+)~%pe{6!J5)PxAMMO>*?34j(k4Bu zH@@lND}eN%PE4_n?B;$`D~9nBwcp8}4Rvw}Z^3%wLdq24_F2Eax*yA zMc5whF3}w<{CvBSDJ?CKVZ2zmzN-^RRbZOnkRW1;GkvR~&;u}+g0JNMfMHx8>}U-} z8dlOF6UjA75T8Gg(P3}hoxu)Wnxy{np|Vr7Eg5&|ubC#N6neCZ<*9R^*QhO{(`PB? z`tWKPJQpC)i0vVlfqE$rfn#OmpCRV&X5dD%J*+9%Kr$F6A0zGw#iATn_GlUMAlEnI zbek-E{K^X~X;^@Y;fOqYTtSfc%66<6#tnoE9g_X2v9%J*W<4wSF41<~{PNo}? zGLBDh8UkWGDSjU~Tl?=j3-F8U}Z-ED_dyGF4-87wfq^_i=X8bq?KfR&L zxYzrE&E^<~#Tdo|cCV>IoIJKHgtH9{3h50Q7$Sh)SGV4%F_6U!;jI{CtZEwA^#+cK zI&pZQL|Uu$|KFxx|JK*{;UE3w|0d+~?TJSx{t2J&ef{g-n3#Cx=O-s#oOtP_lPAA? z^p#h?{?ymM{!cIc!^FgaiQkpqaqbcw@t9Ju^KEGkZ_PaihzlG1o(sym> zz=v{n+`ePah7HLLpZM4?s zDK9_fH|8P(pF4~O#)LW#sTOP{ttC;kT3H{a^t zM9+m!Z(n??-~X|-D8;`G0l%Mc&BDhsYgXB;Sq2Pt@^+QYo;|Cq8rkPmR+g0+Mg=~V zctjC4Z&i@njCy0(^BL?$-gx5ekNk^qkMTX@-;4*&{?M2(_8UhY+?+RZdE-#t zcqk7(OnLI>oQI9T9OHs21D5{MImUPLv+vCt-_ILA$QuVe#*zGk|50U}Mtkm$&N%*v z;U^ZAOYv!WX7(Yk=22B%DdqL@Ok~riU7o>L{v_qON}fmMS;q<7EzjEjHzCjS1pcHv z&zEQ8G1Y#xJTH`Iz2EiAvscPD$umTQKg05Tt~}o@&)CZFXP-QuFVDy2d4W7n%5$we z!{A|lT_Dd3<@sIm+$hhy|3=m*++D+%M0I<#|+|-z(2|%k!oVg?C8OyCnUlq!W@pE9q%Tt2$LZ zpQQDY`Xz0bv|rL;Nxv-VHzl2r^jS&IN?O$=_$6(Wv|ZAqq@$94S<-Jxx=+%hlAe_G ztfV#Ff?v``N!uk&N;)d(-ICrT>2XOXB{gmoe3CXw+Ae8Q(osq8mh`BkCnY^CY1Mkc zCuzN;AxZz=_UbTu8%2s=@$iFrZRz zl1&`gB<`LhI3+35Qi@9p3{Z%H0-kf`#q(}ZfGMWMZw=wpa6&T)xrH1DB)XrqHZ zHZjHwmnh+&dOu+e9rQ8880VN{fpSxYDi14Yqk}%SFvSd)xJL5=`-?SfpodM2FvSI~ zaD%1$DHm;YF~A5@%y5ZoG#{WmtYHIvY+-_P%yEsTM|o(Yi%pDhjyV=65%SS-vCu{b zeGD^LyU2bOI)M*vy_K5Y@mk$h8SUj85U?>ROME%h7JZ8VTu_p zagC*iRC!gbql*DXnBW|9EKnjabzHEDb#$?b2`;ce^AXCy8aB|w09%;g0t=KJ<)~g& zY@m-VOmKlKG(N7@FJlcG=wXN{=D5M~CF+3<^f1H-Q(Rzya+`>{E@2HF^s$9=T%p_q zakPE~8|YyRQ(Rzya=W%V&R9bin;2t;OWa`jaaE3u4*D439G57!aj5O1jV`t@#Raah z6tF(l(Zdj9TwsB6d!X7r*3rWd6I|jNOP^5d*U-TxM!3KN&7W86Rnf%|W1M4-8?>HO z>)YsHfGtdLjybN;d`gv5#wym)#Q-CmV~zzHpH$_Qu!ar>7~vdqEKok$I65w6tYQN_ 
z46ubM=D5aEQ13heEf*CGxgQZZFSH(KI7+?!yOfkbHuF?FQD%Zj~df3Dm z=a^%G#;>Sy%4nm5KDIE%Ij+$7Jmp{w8|Y$y31*mMfyNiuKeW-sCPtWIhD$8a{8h@s z8rIQ4A45zq!vc+8V}G%NHEf`ZJ~lDNIWBO8YczjdZKr~D^stE$rntZruCdgjJhah4 zA47~V#Raa>{0-U_t5`=5Lridv3tZtE&EKS4tf7M*HZj5k7q~*>x7csA(Zdj9oMVm~ zEPYXxQ$+`x7-NPj++gXqSsxqdVTds;RdZpm0QCGdf3DWQ_OLV=I^REH{YrGyPQY0!!GAh?QpH+Jl9ITqyInqdd+wA=VZHl zN4>v~=R5lIk>j7==zK?i&T(44qdzAx?@`;a&_)M+Y+{TVF7egQcXWQEKc~|9j{f{r z=U2OYM;+f?zN6aV^_K70`tKeLF~uC$SQ@DPtYQOwjBt)i++caA*0<5cCdRnHHI_%L zhaR>t#T6Q3wR{EZ7+``q8WWaB2Sc3W5;s_$s`cs^V1fm{-f}ekxyflcnmJSZf3HJXVhB`;rIi1eib$(g5EO?dv>H=Yu+D)%ROnzR&JSwVu9TpuDff zy-P}+yXu@(=eq&*bE!w5uYVX}f*Iym;4Vj0?YzqodEb3b`C8|Q`aYmtj;M~uwUQ(1 ze7Dk4^?J2(#F*>d)#ivg|9rV}#EkkBSb9daM-4q}VTJ`-f2x+RV-q7xF~{S%Wx;gw z&r~@tG{>}9{-iw9X1<3f<(eV$Ps=w`mdkOC=AWy2>-@9Icms7F8ZiEH=b|y?F7SCd zDbvlls;7lE>Kyg7{M2Xp79P)2W2PU^RWqjRe6?WQ__C@`1y9ReU6y;L^VcTZiE)lg zH2#8i#2PxN^IME&sV<-CIpb@5UQYZKRsWYOFRqgJzSNw!LcQwf;)~6X1J;Z1c%GaxeTApx%jQ>A zdtGhLTxI<_>b%+2;~3#dIrN%4o#_-T2!d`ZdC z-*GzcwirL2d)JwMTJG($T!a~J@M?2$>u*#&Ps_(`maC9|ztEiAW4#D-H2+p@_oN(M z=jT+F_T+t9IBu*US0wS>?6zTc(wQchpf^YM6YA2EG_$8-D*(~sx*<$qAy zz1DL58uil8EjJi{v*-K)?eJ>l{VjbQo>uRZ({lfWiO$6<(L0a)%$Ai z2dJ^WLq6{?uI~?MGQPV{K((`eUi_urClJ%FC*3bFXa0+Q&itzH8(@3KpEJMK?;j{H zc>l-B7y7(-v6z2Gd{f_Z9f;N2K?Y`vCO)1+Ulp3g+xjj<3{x1_k9`zJIZ= z-e3B;`P1$x(kHHIXl`?#S>~U%q(y85!RC^>-S^KgsY)?0>gm z{QGtp@##G&PlhA$U*z@ne>05bcKBVg{q3;$JvT{xWcYi<>%UL7DZ}3?{y@zzF3Rw2 z;@$FkQidJzo(~wtXJk0K*)Z<=e#7{Z3~z0omHNo=*8h>$*JRi@Cts<4i_}YoOX7dY z>l-q>5kGIscddWjFuovu`GbaG$?#Xix7;p$SIDp>J}j?>48L)H-Xh;FFZ(9VR2HQ< zo5B@8XN)s4);M9h_kT<`u6y1@DdCK9y-aV(Q0z+|So%xlWjxtGV?4Fp2tU`o^?fpQ zxA9}f$K>~ij31SuJETv|J7xS1`F*<#Z-2ge-GBV|w%oVMt8ISMWp6#2E8n6o|E?(Z zXzD%k<@RT!yho)c;|Jx7IvkOJG47MLx>ss*<*|9O?R)c4`#!h4H9KYOEYHyPO;fH&&TTHaf7{jD6-4(bQafp-ubga^?TpTVBi^I*K*(rA_om$84)H{ui({Vdq z$L|E4W+&{lI#DO?B%QP~?_`}tC+{pft4`5bcjOzCx@Nc3EqASMrCaURx^}nTZFHTk z+x5DBH|RFIVYk(dx^Xw@rqVr4)?IY-?y|e;7TtAMzCo#H_Da2S&+1ir)n2V<_v*by 
z&*`~6ujluIUb7eWTD_|z!a-{g4dOvENC)#lHdqYu!E&$~6od6ZzByoM4ok!G&>B{T)nRRD z59`Cm&>6ZzZ|Dz$VRIM`Tf=A=50ha!oDZ|%Vwew?!_}}Du7{hUF)~M`QF&yIDx>PC zHnKtl(N5QB$3P-I`G>S*bC>_m5*=RA!N6XP_RE*Z6&Bz#=+xo6Ow37XQl40o z%A`7}P3%d1(wI0Ccj8U_Nib%(ho{ zb9;4;&A1eoV=J!2)wmYhaXoItPVB~B?8iaejKjDUM{yh{aT?F#EMCNUyo^_I5wGJ- zY_!dGsa|rACFgW3XLTy)btY$aF6Z`2&hE9G z-^QVNSdw$xlC!)j=eaFsdPB~2SI%}{&iAIA@hv&$V>##Rlq3it^>R4z-IUNz?=Q=0c&?1*j)#9*MT?v{|l%i_hu)7Yt>8}I!8N=OX8@ta3cApRIJ|}$HKPP;nekA{D?$`eUeV|iM diff --git a/Compiled/badcalls.ini b/Compiled/badcalls.ini index e4ce0bd..ac194ce 100644 --- a/Compiled/badcalls.ini +++ b/Compiled/badcalls.ini @@ -1,5 +1,6 @@ [ntos] NtClose +NtInitiatePowerAction NtRaiseHardError NtReleaseKeyedEvent NtPropagationComplete diff --git a/LICENSE.md b/LICENSE.md index 3e1525a..a089817 100644 --- a/LICENSE.md +++ b/LICENSE.md @@ -1,4 +1,4 @@ -Copyright (c) 2016 - 2022, NtCall64 Project +Copyright (c) 2016 - 2023, NtCall64 Project Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: diff --git a/NtCall64.sha256 b/NtCall64.sha256 index d5f4c6b..b250db9 100644 --- a/NtCall64.sha256 +++ b/NtCall64.sha256 
@@ -1,45 +1,2 @@ -ddc4a319b3ce482f7e57cd8291994045c41ad62fbcb5a26b03b69a713bea2e4a *Compiled\badcalls.ini -723e1dee6c66b9cbce5dfb87e489ebb70b41e607971393f391b8dba53e6b8734 *Compiled\NtCall64.exe -9c41705a8efa0c845867b4b7d6f9771f2172c15d55e1f00f5de6ef3e4509693b *Source\NtCall64.sln -fad664ec0d0c25531e5564889edeadfca4d47efe763d6536afeaf2d2eedd64d6 *Source\NtCall64\blacklist.c -b48096900363f68a5eb0b395c9b86b133497f1a5725bf481dbe230d39802c906 *Source\NtCall64\blacklist.h -dd32fab74b8aa7a2ac673ee4a6c76e4e852ee0bf9e1a6e0f31ca5f443a87557a *Source\NtCall64\fuzz.c -9d985200820ae2fb844af24010a3addf38492d2d04c760716ed97494b620b847 *Source\NtCall64\fuzz.h -e19447618ecf1721c7f7c94df27ebe78662c0966f0bb86af7399bbbfb7c493c4 *Source\NtCall64\global.h -648ac51015c09a80c88aa4ffe1cc51d8dd08109a5d8ba06473e6ee68a751a475 *Source\NtCall64\log.c -c1f0eb28ee9abc0c371c0ba6a1208b3d5821b20eace4a5a61aab821dbacb9a33 *Source\NtCall64\log.h -5c2b48a253a178a79af61e713e16faeff3cab99f705ac92b57614556960fcdd8 *Source\NtCall64\main.c -0078fbdb03efa638ecf840f776afd4fc4f69e0e96c6bd48363a51350f4321266 *Source\NtCall64\ntos.h -d1130a87d31c6f62387dcfd5ce1449a68c8dad2bc62674d1cc887804758615ae *Source\NtCall64\resource.h -dc8498bc0d0bd32ae2afe115bc5e5a4f885e0aa3608f28693d423fddff151789 *Source\NtCall64\resource.rc -3957bcebe3741c99439bbcd0a4a56643ae5e5dae7139a25e2fea2f0c27ba784d *Source\NtCall64\syscall.asm -062ac9e7119cb058554ec698e9f025e2976dae1a8a838bd5fbd443bdde763148 *Source\NtCall64\tables.h -8b6fb6ce675dd79d355ab39bfe05cb4d9ca08c5ffe9268c838be7b37982e2f76 *Source\NtCall64\util.c -86726b76f7e3456e4a827d43f3db5fce751e571c5969c6902607d5b95dd5e168 *Source\NtCall64\util.h -6461b2932f106c395720cdcaaa834dc181bb1672646ce50984b318c719f50541 *Source\NtCall64\wfuzzer.vcxproj -80f43d7f81eec7648ef4dde1dc4c39b2635becdf64c359441a35512f4bcf5c95 *Source\NtCall64\wfuzzer.vcxproj.filters -5bb622e3b2e91f8ccc320d1cac51113009a3845c05d3de39c3a28b62f627c1f5 *Source\NtCall64\wfuzzer.vcxproj.user 
-53a7ce27591e040b63880a3dd326b8ba8c97a0fa34d5e2d32aba89a0147434f6 *Source\NtCall64\hde\hde64.c -e99aa4997bda14b534c614c3d8cb78a72c4aca91a1212c8b03ec605d1d75e36e *Source\NtCall64\hde\hde64.h -f8e6a0be357726bee35c7247b57408b54bb38d94e8324a6bb84b91c462b2be30 *Source\NtCall64\hde\pstdint.h -b774446d2f110ce954fb0a710f4693c5562ddbd8d56fe84106f2ee80db8b50a2 *Source\NtCall64\hde\table64.h -893b90b942372928009bad64f166c7018701497e4f7cd1753cdc44f76da06707 *Source\NtCall64\minirtl\cmdline.c -bd6fe82852c4fcdfab559defa33ea394b752a4e4a5ac0653ae20c4a94b0175ed *Source\NtCall64\minirtl\cmdline.h -2a08385892845104b4f07d693ca395eba3a09e4aa89ad791be3807919316ed67 *Source\NtCall64\minirtl\minirtl.h -d7fbfd69df3840022dab1f8f2d529ce04abac8cee0234448bfd0a67feb6aea22 *Source\NtCall64\minirtl\rtltypes.h -0320808115d42f04f63a382e8f386aa9bc77ba879892f5ccc94c40378b5131c8 *Source\NtCall64\minirtl\strtou64.c -f4763588a79859ba8a84e3be35fa1e4b0b8bf95f547a4fee5ae4612978c0787b *Source\NtCall64\minirtl\strtoul.c -e56e67b10a67f0d5ef4128c7ab0c6cb9ba9966916720525edfa6abf3101dfe13 *Source\NtCall64\minirtl\u64tohex.c -4d15af5a22467795c5367c3956746d01424795784f62ca3f30e4619c063338a5 *Source\NtCall64\minirtl\u64tostr.c -f81c975acd016c97776dd3a8e3218e148682b0336ff3fcd77fad6d9b86ddf107 *Source\NtCall64\minirtl\ultohex.c -9cbedf9b92abaef3ea28de28dd523ac44079592178ef727c7003c339a5a54712 *Source\NtCall64\minirtl\ultostr.c -c1405b280bacc7566ccd041a74461de3f8496128fd71e39368905cf8d95268f6 *Source\NtCall64\minirtl\_filename.c -9e3f1386bfb64dbaa3cbb12fd3bf51c734872c2fdf15cf1aaeca52a515767519 *Source\NtCall64\minirtl\_filename.h -83772aa217508279294d91af5cfabec9b5e00b836a2e2f5fe37cf1ebc2905a52 *Source\NtCall64\minirtl\_strcat.c -2a67c7690ec6df8e233207116b0e4fe76c02ae43595d9e606e123572b6ac88a1 *Source\NtCall64\minirtl\_strcmp.c -ef1b18997ea473ac8d516ef60efc64b9175418b8f078e088d783fdaef2544969 *Source\NtCall64\minirtl\_strcmpi.c -969b35213fa23ff50a169e5498a97f28bc6f5820b447b78ec9dc6910dd8cc3e8 
*Source\NtCall64\minirtl\_strcpy.c -27159b8ff67d3f8e6c7fdb4b57b9f57f899bdfedf92cf10276269245c6f4e066 *Source\NtCall64\minirtl\_strend.c -60f19c6b805801e13824c4d9d44748da8245cd936971411d3d36b873121888eb *Source\NtCall64\minirtl\_strlen.c -97e0720ed22d2d99e8148aab7ab2cb2cc3df278225669828b2d8d4d9ef856d94 *Source\NtCall64\minirtl\_strncmp.c -0434d69daa20fbf87d829ffc17e43dcc2db3386aff434af888011fdec2f645a4 *Source\NtCall64\minirtl\_strncpy.c +83a3c4632f0f685a56a5c0c54531eba10f32533c74590a011efe439c8a13d83e *Compiled\badcalls.ini +aec6ca2f29b1c474ea1aa8e9a620a557be4391aa951ce35fcc98f45788cf8182 *Compiled\NtCall64.exe diff --git a/README.md b/README.md index bb45ef7..709e228 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,7 @@ NTCALL64 -help[-win32k][-log][-call Id][-pc Value][-wt Value][-s] * -call Id - fuzz syscall by supplied id (id can be from any table ntos/win32k); * -pc Value - set pass count for each syscall (maximum value is limited to ULONG64 max value), default value 65536; * -wt Value - set wait timeout for calling threads in seconds (except single syscall fuzzing), default value is 30; +* -start Id - Fuzz syscall table starting from given syscall id, mutual exclusive with -call; * -s - Attempt to run program from LocalSystem account. @@ -62,6 +63,7 @@ Example of badcalls.ini (default config shipped with program)

[ntos]
 NtClose
+NtInitiatePowerAction
 NtRaiseHardError
 NtReleaseKeyedEvent
 NtPropagationComplete
@@ -98,6 +100,7 @@ This program may crash the operation system, affect it stability, which may resu
 * [win32k!NtUserCreateActivationObject](https://gist.githubusercontent.com/hfiref0x/23a2331588e7765664f50cac26cf0637/raw/49457ef5e30049b6b4ca392e489aaceaafe2b280/NtUserCreateActivationObject.cpp)
 * [win32k!NtUserOpenDesktop](https://gist.githubusercontent.com/hfiref0x/6e726b352da7642fc5b84bf6ebce0007/raw/8df05220f194da4980f401e15a0efdb7694deb26/NtUserOpenDesktop.c)
 * [win32k!NtUserSetWindowsHookEx](https://gist.github.com/hfiref0x/8ecfbcc0a7afcc9917cef093ef3a18b2)
+* [win32k!NtUserInitialize -> win32kbase!Win32kBaseUserInitialize] (https://gist.github.com/hfiref0x/f731e690e6155c6763b801ce0e497db7)
 * [nt!NtLoadEnclaveData](https://gist.githubusercontent.com/hfiref0x/1ac328a8e73d053012e02955d38e36a8/raw/b26174f8b7b68506d62308ce4327dfc573b8aa26/main.c)
 * [nt!NtCreateIoRing](https://gist.github.com/hfiref0x/bd6365a7cfa881da0e9c9e7a917a051b)
 * [nt!NtQueryInformationCpuPartition](https://gist.github.com/hfiref0x/48bdc12241d0a981a6da473e979c8aff)
@@ -106,13 +109,11 @@ This program may crash the operation system, affect it stability, which may resu
 # Build
 
 NTCALL64 comes with full source code written in C with tiny assembler usage.
-In order to build from source you need Microsoft Visual Studio 2015 and later versions.
+In order to build from source you need Microsoft Visual Studio 2017 and later versions.
 
 ## Instructions
 
 * Select Platform ToolSet first for project in solution you want to build (Project->Properties->General): 
-  * v120 for Visual Studio 2013;
-  * v140 for Visual Studio 2015; 
   * v141 for Visual Studio 2017;
   * v142 for Visual Studio 2019;
   * v143 for Visual Studio 2022.
@@ -123,6 +124,6 @@ In order to build from source you need Microsoft Visual Studio 2015 and later ve
 
 # Authors
 
-(c) 2016 - 2022 NTCALL64 Project
+(c) 2016 - 2023 NTCALL64 Project
 
 Original NtCall by Peter Kosyh aka Gloomy (c) 2001, http://gl00my.chat.ru/ 
diff --git a/Source/NtCall64/fuzz.c b/Source/NtCall64/fuzz.c
index 39dd314..9b83687 100644
--- a/Source/NtCall64/fuzz.c
+++ b/Source/NtCall64/fuzz.c
@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2016 - 2021
+*  (C) COPYRIGHT AUTHORS, 2016 - 2023
 *
 *  TITLE:       FUZZ.C
 *
-*  VERSION:     1.35
+*  VERSION:     1.37
 *
-*  DATE:        21 Feb 2021
+*  DATE:        04 Aug 2023
 *
 *  Fuzzing routines.
 *
@@ -23,11 +23,20 @@
 #ifdef __cplusplus 
 extern "C" {
 #endif
-    NTSTATUS ntSyscallGate(ULONG ServiceId, ULONG ArgumentCount, ULONG_PTR *Arguments);
+    NTSTATUS ntSyscallGate(ULONG ServiceId, ULONG ArgumentCount, ULONG_PTR* Arguments);
 #ifdef __cplusplus
 }
 #endif
 
+#define FUZZDATA_COUNT 13
+const ULONG_PTR FuzzData[FUZZDATA_COUNT] = {
+    0x0000000000000000, 0x000000000000ffff, 0x000000000000fffe, 0x00007ffffffeffff,
+    0x00007ffffffefffe, 0x00007fffffffffff, 0x00007ffffffffffe, 0x0000800000000000,
+    0x8000000000000000, 0xffff080000000000, 0xfffff80000000000, 0xffff800000000000,
+    0xffff800000000001
+};
+
+
 /*
 * FuzzEnumWin32uServices
 *
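Review bot: The new `FuzzData` table has no comment saying what its thirteen values stand for, and its length lives in a hand-maintained `FUZZDATA_COUNT`. The constants look like zero, the 64 KB boundary, and addresses on either side of the user/kernel and canonical-address limits; a one-line comment such as `/* Boundary values: NULL, 64K limit, user/kernel split and canonical-address edges. */` would record that, once the intent is confirmed. Declaring the array as `const ULONG_PTR FuzzData[] = {...};` and deriving `#define FUZZDATA_COUNT (sizeof(FuzzData) / sizeof(FuzzData[0]))` keeps the modulo in DoSystemCall correct when entries are added or removed. If no other translation unit references the table, `static` would also keep the symbol file-local.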
@@ -36,69 +45,62 @@ extern "C" {
 * Enumerate win32u module services to the table.
 *
 */
-_Success_(return != 0)
 ULONG FuzzEnumWin32uServices(
     _In_ HANDLE HeapHandle,
-    _In_ LPVOID Module,
-    _Out_ PWIN32_SHADOWTABLE * Table
+    _In_ LPVOID ModuleBase,
+    _Inout_ PWIN32_SHADOWTABLE* Table
 )
 {
-    PIMAGE_NT_HEADERS           NtHeaders;
-    PIMAGE_EXPORT_DIRECTORY		exp;
-    PDWORD						FnPtrTable, NameTable;
-    PWORD						NameOrdTable;
-    ULONG_PTR					fnptr, exprva, expsize;
-    ULONG						c, n, result;
-    PWIN32_SHADOWTABLE			NewEntry;
+    ULONG i, j, result = 0, exportSize;
+    PBYTE fnptr;
+    PDWORD funcTable, nameTableBase;
+    PWORD nameOrdinalTableBase;
+    PWIN32_SHADOWTABLE w32kTableEntry;
+    PIMAGE_EXPORT_DIRECTORY pImageExportDirectory;
 
-    NtHeaders = RtlImageNtHeader(Module);
-    if (NtHeaders->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_EXPORT)
-        return 0;
+    pImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)RtlImageDirectoryEntryToData(ModuleBase,
+        TRUE, IMAGE_DIRECTORY_ENTRY_EXPORT, &exportSize);
 
-    exprva = NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
-    if (exprva == 0)
-        return 0;
+    if (pImageExportDirectory) {
 
-    expsize = NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
+        nameTableBase = (PDWORD)RtlOffsetToPointer(ModuleBase, pImageExportDirectory->AddressOfNames);
+        nameOrdinalTableBase = (PUSHORT)RtlOffsetToPointer(ModuleBase, pImageExportDirectory->AddressOfNameOrdinals);
+        funcTable = (PDWORD)RtlOffsetToPointer(ModuleBase, pImageExportDirectory->AddressOfFunctions);
 
-    exp = (PIMAGE_EXPORT_DIRECTORY)((ULONG_PTR)Module + exprva);
-    FnPtrTable = (PDWORD)((ULONG_PTR)Module + exp->AddressOfFunctions);
-    NameTable = (PDWORD)((ULONG_PTR)Module + exp->AddressOfNames);
-    NameOrdTable = (PWORD)((ULONG_PTR)Module + exp->AddressOfNameOrdinals);
+        result = 0;
 
-    result = 0;
+        for (i = 0; i < pImageExportDirectory->NumberOfFunctions; ++i) {
 
-    for (c = 0; c < exp->NumberOfFunctions; ++c)
-    {
-        fnptr = (ULONG_PTR)Module + FnPtrTable[c];
-        if (*(PDWORD)fnptr != 0xb8d18b4c) //mov r10, rcx; mov eax
-            continue;
+            fnptr = (PBYTE)RtlOffsetToPointer(ModuleBase, funcTable[nameOrdinalTableBase[i]]);
+            if (*(PDWORD)fnptr != 0xb8d18b4c) //mov r10, rcx; mov eax
+                continue;
 
-        NewEntry = (PWIN32_SHADOWTABLE)HeapAlloc(HeapHandle,
-            HEAP_ZERO_MEMORY, sizeof(WIN32_SHADOWTABLE));
+            w32kTableEntry = (PWIN32_SHADOWTABLE)HeapAlloc(HeapHandle,
+                HEAP_ZERO_MEMORY, sizeof(WIN32_SHADOWTABLE));
 
-        if (NewEntry == NULL)
-            break;
+            if (w32kTableEntry == NULL)
+                break;
 
-        NewEntry->Index = *(PDWORD)(fnptr + 4);
+            w32kTableEntry->Index = *(PDWORD)(fnptr + 4);
 
-        for (n = 0; n < exp->NumberOfNames; ++n)
-        {
-            if (NameOrdTable[n] == c)
+            for (j = 0; j < pImageExportDirectory->NumberOfNames; ++j)
             {
-                _strncpy_a(&NewEntry->Name[0],
-                    sizeof(NewEntry->Name),
-                    (LPCSTR)((ULONG_PTR)Module + NameTable[n]),
-                    sizeof(NewEntry->Name));
+                if (nameOrdinalTableBase[j] == i)
+                {
+                    _strncpy_a(&w32kTableEntry->Name[0],
+                        sizeof(w32kTableEntry->Name),
+                        (LPCSTR)RtlOffsetToPointer(ModuleBase, nameTableBase[j]),
+                        sizeof(w32kTableEntry->Name));
 
-                break;
+                    break;
+                }
             }
-        }
 
-        ++result;
+            ++result;
 
-        *Table = NewEntry;
-        Table = &NewEntry->NextService;
+            *Table = w32kTableEntry;
+            Table = &w32kTableEntry->NextService;
+        }
     }
 
     return result;
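Review bot: The rewritten loop mixes two index spaces: `i` runs up to `NumberOfFunctions` but indexes `nameOrdinalTableBase`, which holds `NumberOfNames` entries, and the inner search then tests `nameOrdinalTableBase[j] == i` as if `i` were a function ordinal. When the function count exceeds the name count this reads past the ordinal table, and in the general case an entry can be stored with the `Index` of one export and the `Name` of another. Iterating over the names and taking the name from the same index removes both problems and makes the inner loop unnecessary; the changed lines are sketched below. The function's closing brace lies outside the hunk.

```c
for (i = 0; i < pImageExportDirectory->NumberOfNames; ++i) {

    fnptr = (PBYTE)RtlOffsetToPointer(ModuleBase, funcTable[nameOrdinalTableBase[i]]);
    // … unchanged: stub signature check, HeapAlloc, Index assignment …

    // i already indexes the name tables, so the name for this export is nameTableBase[i].
    _strncpy_a(&w32kTableEntry->Name[0],
        sizeof(w32kTableEntry->Name),
        (LPCSTR)RtlOffsetToPointer(ModuleBase, nameTableBase[i]),
        sizeof(w32kTableEntry->Name));

    // … unchanged: ++result and list linking …
}
```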
@@ -138,17 +140,18 @@ PCHAR FuzzResolveW32kServiceNameById(
 * Locate KiServiceTable in mapped ntoskrnl copy.
 *
 */
-BOOL FuzzFindKiServiceTable(
-    _In_ ULONG_PTR MappedImageBase,
+BOOLEAN FuzzFindKiServiceTable(
+    _In_ PVOID MappedImageBase,
     _In_ PRAW_SERVICE_TABLE ServiceTable
 )
 {
-    ULONG_PTR             SectionPtr = 0;
-    IMAGE_NT_HEADERS* NtHeaders = RtlImageNtHeader((PVOID)MappedImageBase);
+    ULONG_PTR SectionPtr = 0;
+    PBYTE ptrCode = (PBYTE)MappedImageBase;
+    IMAGE_NT_HEADERS* NtHeaders = RtlImageNtHeader(MappedImageBase);
     IMAGE_SECTION_HEADER* SectionTableEntry;
-    ULONG                 c, p, SectionSize = 0, SectionVA = 0;
+    ULONG c, p, SectionSize = 0, SectionVA = 0;
 
-    const BYTE  KiSystemServiceStartPattern[] = { 0x45, 0x33, 0xC9, 0x44, 0x8B, 0x05 };
+    const BYTE KiSystemServiceStartPattern[] = { 0x45, 0x33, 0xC9, 0x44, 0x8B, 0x05 };
 
     SectionTableEntry = (PIMAGE_SECTION_HEADER)((PCHAR)NtHeaders +
         sizeof(ULONG) +
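Review bot: `NtHeaders` is initialised directly from `RtlImageNtHeader(MappedImageBase)` and feeds the `SectionTableEntry` computation a few lines later with no NULL check in between. If the mapping is not a valid PE image, the section walk would then start from a near-null address instead of the function returning FALSE. A guard ahead of the computation, `if (NtHeaders == NULL) return FALSE;`, matches the failure convention the function already uses. The expression and the rest of the body continue outside the hunk.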
@@ -164,7 +167,7 @@ BOOL FuzzFindKiServiceTable(
 
             {
                 SectionVA = SectionTableEntry->VirtualAddress;
-                SectionPtr = (ULONG_PTR)(MappedImageBase + SectionVA);
+                SectionPtr = (ULONG_PTR)RtlOffsetToPointer(MappedImageBase, SectionVA);
                 SectionSize = SectionTableEntry->Misc.VirtualSize;
                 break;
             }
@@ -191,14 +194,14 @@ BOOL FuzzFindKiServiceTable(
         return FALSE;
 
     p += 3;
-    c = *((PULONG)(MappedImageBase + p + 3)) + 7 + p;
-    ServiceTable->CountOfEntries = *((PULONG)(MappedImageBase + c));
+    c = *((PULONG)(ptrCode + p + 3)) + 7 + p;
+    ServiceTable->CountOfEntries = *((PULONG)(ptrCode + c));
     p += 7;
-    c = *((PULONG)(MappedImageBase + p + 3)) + 7 + p;
-    ServiceTable->StackArgumentTable = (PBYTE)MappedImageBase + c;
+    c = *((PULONG)(ptrCode + p + 3)) + 7 + p;
+    ServiceTable->StackArgumentTable = (PBYTE)ptrCode + c;
     p += 7;
-    c = *((PULONG)(MappedImageBase + p + 3)) + 7 + p;
-    ServiceTable->ServiceTable = (LPVOID*)(MappedImageBase + c);
+    c = *((PULONG)(ptrCode + p + 3)) + 7 + p;
+    ServiceTable->ServiceTable = (LPVOID*)(ptrCode + c);
 
     return TRUE;
 }
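Review bot: Each `c` in this hunk is decoded from instruction bytes located by the pattern scan and then used as an offset from `ptrCode` without being compared against the image size. A false-positive match on a kernel build with a different code layout would make `*((PULONG)(ptrCode + c))` read outside the mapping, or record table pointers that point outside it. Validating every decoded value before use, for example `if (c > NtHeaders->OptionalHeader.SizeOfImage - sizeof(ULONG)) return FALSE;`, turns that into a clean failure; this assumes the file is mapped as an image so that RVAs and `SizeOfImage` apply. The check is needed after all three `c = ...` lines, and the start of the function is outside the hunk.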
@@ -211,23 +214,23 @@ BOOL FuzzFindKiServiceTable(
 * Locate shadow table info in mapped win32k copy.
 *
 */
-BOOL FuzzFindW32pServiceTable(
-    _In_ HMODULE MappedImageBase,
+BOOLEAN FuzzFindW32pServiceTable(
+    _In_ PVOID MappedImageBase,
     _In_ PRAW_SERVICE_TABLE ServiceTable
 )
 {
     PULONG ServiceLimit;
 
-    ServiceLimit = (ULONG*)GetProcAddress(MappedImageBase, "W32pServiceLimit");
+    ServiceLimit = (ULONG*)supLdrGetProcAddressEx(MappedImageBase, "W32pServiceLimit");
     if (ServiceLimit == NULL)
         return FALSE;
 
     ServiceTable->CountOfEntries = *ServiceLimit;
-    ServiceTable->StackArgumentTable = (PBYTE)GetProcAddress(MappedImageBase, "W32pArgumentTable");
+    ServiceTable->StackArgumentTable = (PBYTE)supLdrGetProcAddressEx(MappedImageBase, "W32pArgumentTable");
     if (ServiceTable->StackArgumentTable == NULL)
         return FALSE;
 
-    ServiceTable->ServiceTable = (LPVOID*)GetProcAddress(MappedImageBase, "W32pServiceTable");
+    ServiceTable->ServiceTable = (LPVOID*)supLdrGetProcAddressEx(MappedImageBase, "W32pServiceTable");
     if (ServiceTable->ServiceTable == NULL)
         return FALSE;
 
@@ -242,23 +245,21 @@ BOOL FuzzFindW32pServiceTable(
 * Fuzzing procedure, building parameters list and using syscall gate.
 *
 */
-void DoSystemCall(
+VOID DoSystemCall(
     _In_ ULONG ServiceId,
     _In_ ULONG ParametersInStack,
     _In_ PVOID LogParams
 )
 {
-    ULONG		c;
-    ULONG_PTR	Arguments[MAX_PARAMETERS];
-    ULONG64     u_rand;
+    ULONG c;
+    ULONG_PTR args[MAX_PARAMETERS];
 
-    RtlSecureZeroMemory(Arguments, sizeof(Arguments));
+    RtlSecureZeroMemory(args, sizeof(args));
 
     ParametersInStack /= 4;
 
     for (c = 0; c < ParametersInStack + 4; c++) {
-        u_rand = __rdtsc();
-        Arguments[c] = fuzzdata[u_rand % SIZEOF_FUZZDATA];
+        args[c] = FuzzData[__rdtsc() % FUZZDATA_COUNT];
     }
 
     if (g_ctx.LogEnabled) {
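Review bot: The fill loop writes `ParametersInStack + 4` entries into `args`, which has `MAX_PARAMETERS` (32) slots, and nothing in the hunk caps that count. Elsewhere in this patch the value is taken from `StackArgumentTable[sid]`, which is declared as `PBYTE`; a byte above 112 would give more than 32 entries after the division, and the loop would then write past the end of the stack array. A guard after `ParametersInStack /= 4;` keeps the function safe whatever the table contains: `if (ParametersInStack > MAX_PARAMETERS - 4) ParametersInStack = MAX_PARAMETERS - 4;`. The function continues past the end of this hunk.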
@@ -266,12 +267,11 @@ void DoSystemCall(
         FuzzLogCallParameters((PNTCALL_LOG_PARAMS)LogParams,
             ServiceId,
             ParametersInStack + 4,
-            (ULONG_PTR*)&Arguments);
+            (ULONG_PTR*)&args);
 
     }
 
-    ntSyscallGate(ServiceId, ParametersInStack + 4, Arguments);
-
+    ntSyscallGate(ServiceId, ParametersInStack + 4, args);
 }
 
 /*
@@ -282,57 +282,56 @@ void DoSystemCall(
 * Build shadow table service names list.
 *
 */
-BOOL FuzzLookupWin32kNames(
-    _In_ LPWSTR ModuleName,
-    _Inout_ NTCALL_CONTEXT *Context
+BOOLEAN FuzzLookupWin32kNames(
+    _Inout_ NTCALL_CONTEXT* Context
 )
 {
-    ULONG                   BuildNumber = 0, i;
-    ULONG_PTR               MappedImageBase = Context->SystemImageBase;
-    PIMAGE_NT_HEADERS       NtHeaders = RtlImageNtHeader((PVOID)MappedImageBase);
-    PRAW_SERVICE_TABLE      ServiceTable = &Context->ServiceTable;
-    ULONG_PTR	            Address;
-    CHAR                  **lpServiceNames;
+    ULONG dwBuildNumber = 0, i;
+    PVOID MappedImageBase = Context->SystemModuleBase;
+    PIMAGE_NT_HEADERS NtHeaders = RtlImageNtHeader((PVOID)MappedImageBase);
+    PRAW_SERVICE_TABLE ServiceTable = &Context->ServiceTable;
+    ULONG_PTR Address;
+    PCHAR* lpServiceNames;
 
-    DWORD64  *pW32pServiceTable = NULL;
-    CHAR    **Names = NULL;
-    PCHAR     pfn;
+    DWORD64* pW32pServiceTable = NULL;
+    PCHAR* pszNames = NULL;
+    PCHAR pfn;
 
-    IMAGE_IMPORT_BY_NAME *ImportEntry;
+    IMAGE_IMPORT_BY_NAME* ImportEntry;
 
     HMODULE win32u = NULL;
     ULONG win32uLimit;
     PWIN32_SHADOWTABLE ShadowTable = NULL;
 
-    PCHAR ServiceName;
+    PCHAR lpServiceName;
 
     hde64s hs;
 
-    if (!GetImageVersionInfo(ModuleName, NULL, NULL, &BuildNumber, NULL)) {
-        ConsoleShowMessage("[!] Failed to query win32k.sys version information.\r\n",
-            FOREGROUND_RED | FOREGROUND_INTENSITY);
-        return FALSE;
-    }
+#ifdef _DEBUG
+    dwBuildNumber = g_ctx.OsVersion.dwBuildNumber;
+#else
+    dwBuildNumber = g_ctx.OsVersion.dwBuildNumber;
+#endif
 
-    switch (BuildNumber) {
+    switch (dwBuildNumber) {
 
-    case 7600:
-    case 7601:
+    case NT_WIN7_RTM:
+    case NT_WIN7_SP1:
         if (ServiceTable->CountOfEntries != W32pServiceTableLimit_7601)
             return FALSE;
-        Names = (CHAR**)W32pServiceTableNames_7601;
+        pszNames = (CHAR**)W32pServiceTableNames_7601;
         break;
 
-    case 9200:
+    case NT_WIN8_RTM:
         if (ServiceTable->CountOfEntries != W32pServiceTableLimit_9200)
             return FALSE;
-        Names = (CHAR**)W32pServiceTableNames_9200;
+        pszNames = (CHAR**)W32pServiceTableNames_9200;
         break;
 
-    case 9600:
+    case NT_WIN8_BLUE:
         if (ServiceTable->CountOfEntries != W32pServiceTableLimit_9600)
             return FALSE;
-        Names = (CHAR**)W32pServiceTableNames_9600;
+        pszNames = (CHAR**)W32pServiceTableNames_9600;
         break;
 
     default:
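Review bot: Both branches of the added `#ifdef _DEBUG` / `#else` assign the same expression, so the conditional has no effect and reads like a leftover debugging hook; a single `dwBuildNumber = g_ctx.OsVersion.dwBuildNumber;` does the same. The build number now comes from the running OS instead of the version resource of the mapped file, so a one-line comment stating that the mapped win32k.sys is assumed to belong to the running system would help the next reader. The `switch` continues past the end of this hunk.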
@@ -341,9 +340,7 @@ BOOL FuzzLookupWin32kNames(
         break;
     }
 
-    lpServiceNames = (CHAR**)HeapAlloc(GetProcessHeap(),
-        HEAP_ZERO_MEMORY,
-        ServiceTable->CountOfEntries * sizeof(PCHAR));
+    lpServiceNames = (CHAR**)supHeapAlloc(ServiceTable->CountOfEntries * sizeof(PCHAR));
 
     if (lpServiceNames == NULL)
         return FALSE;
@@ -357,24 +354,21 @@ BOOL FuzzLookupWin32kNames(
     // If win32k version below 10240 copy them from predefined array.
     // Otherwise lookup them dynamically.
     //
-    if (BuildNumber < 10240) {
-        if (Names == NULL)
+    if (dwBuildNumber < NT_WIN10_THRESHOLD1) {
+        if (pszNames == NULL)
             return FALSE;
 
         for (i = 0; i < ServiceTable->CountOfEntries; i++) {
-            lpServiceNames[i] = Names[i];
+            lpServiceNames[i] = pszNames[i];
         }
     }
     else {
 
-        //
-        // 
-        //
-        if (BuildNumber >= 14393) {
+        if (dwBuildNumber >= NT_WIN10_REDSTONE1) {
 
-            win32u = LoadLibraryEx(TEXT("win32u.dll"), NULL, 0);
+            win32u = GetModuleHandle(TEXT("win32u.dll"));
             if (win32u == NULL) {
-                ConsoleShowMessage("[!] Failed to load win32u.dll.\r\n",
+                ConsoleShowMessage("[!] Failed to reference win32u.dll.\r\n",
                     FOREGROUND_RED | FOREGROUND_INTENSITY);
                 return FALSE;
             }
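Review bot: `GetModuleHandle(TEXT("win32u.dll"))` succeeds only when win32u.dll is already mapped into the process, and nothing in this hunk guarantees that; whether a static import keeps it resident is not visible here. If it is not loaded, name lookup for builds at or above `NT_WIN10_REDSTONE1` now fails with "Failed to reference win32u.dll". Dropping the bare-name `LoadLibraryEx` call is a good change, since it used the default DLL search order; if a load turns out to be needed, keep the search restricted to the system directory with `win32u = LoadLibraryEx(TEXT("win32u.dll"), NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);`. Otherwise add a comment naming the import that makes the module available at this point.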
@@ -391,10 +385,10 @@ BOOL FuzzLookupWin32kNames(
 
         for (i = 0; i < ServiceTable->CountOfEntries; i++) {
 
-            ServiceName = "UnknownName";
+            lpServiceName = "UnknownName";
 
-            if (BuildNumber <= 10586) {
-                pfn = (PCHAR)(pW32pServiceTable[i] - NtHeaders->OptionalHeader.ImageBase + MappedImageBase);
+            if (dwBuildNumber <= NT_WIN10_THRESHOLD2) {
+                pfn = (PCHAR)(pW32pServiceTable[i] - NtHeaders->OptionalHeader.ImageBase + (ULONG_PTR)MappedImageBase);
                 hde64_disasm((void*)pfn, &hs);
                 if (hs.flags & F_ERROR) {
 
@@ -403,24 +397,23 @@ BOOL FuzzLookupWin32kNames(
 
                     break;
                 }
-                Address = MappedImageBase + *(ULONG_PTR*)(pfn + hs.len + *(DWORD*)(pfn + (hs.len - 4)));
+                Address = (ULONG_PTR)MappedImageBase + *(ULONG_PTR*)(pfn + hs.len + *(DWORD*)(pfn + (hs.len - 4)));
                 if (Address) {
-                    ImportEntry = (IMAGE_IMPORT_BY_NAME *)Address;
-                    ServiceName = ImportEntry->Name;
+                    ImportEntry = (IMAGE_IMPORT_BY_NAME*)Address;
+                    lpServiceName = ImportEntry->Name;
                 }
             }
-            else if (BuildNumber >= 14393) {
+            else if (dwBuildNumber >= NT_WIN10_REDSTONE1) {
 
-                ServiceName = FuzzResolveW32kServiceNameById(i + 0x1000, ShadowTable);
-                if (ServiceName == NULL) ServiceName = "UnknownName";
+                lpServiceName = FuzzResolveW32kServiceNameById(i + W32SYSCALLSTART, ShadowTable);
+                if (lpServiceName == NULL)
+                    lpServiceName = "UnknownName";
 
             }
-            lpServiceNames[i] = ServiceName;
+            lpServiceNames[i] = lpServiceName;
         }
     }
 
-    if (win32u) FreeLibrary(win32u);
-
     return TRUE;
 }
 
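Review bot: The `if (Address)` test is ineffective, because `Address` already includes `MappedImageBase`, so a zero value read from the image still produces a non-null pointer that is then used as an `IMAGE_IMPORT_BY_NAME`. Test the value before adding the base: `Address = *(ULONG_PTR*)(pfn + hs.len + *(DWORD*)(pfn + (hs.len - 4)));` followed by `if (Address) { ImportEntry = (IMAGE_IMPORT_BY_NAME*)((ULONG_PTR)MappedImageBase + Address); lpServiceName = ImportEntry->Name; }`. Neither `pfn` nor the resulting pointer is checked against the bounds of the mapped view in the lines shown, which is worth a comment stating that the image is trusted system content. The loop starts outside this hunk.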
@@ -438,7 +431,7 @@ DWORD WINAPI FuzzThreadProc(
 {
     ULONG64 i, c;
     HMODULE hUser32 = NULL;
-    CALL_PARAM *Context = (CALL_PARAM*)Parameter;
+    CALL_PARAM* Context = (CALL_PARAM*)Parameter;
 
     if (Context->Syscall >= W32SYSCALLSTART)
         hUser32 = LoadLibrary(TEXT("user32.dll"));
@@ -469,7 +462,7 @@ void PrintServiceInformation(
     _In_opt_ LPCSTR ServiceName,
     _In_ BOOL BlackListed)
 {
-    CHAR *pLog;
+    CHAR* pLog;
     CHAR szConsoleText[4096];
     WORD wColor = 0;
 
@@ -507,7 +500,7 @@ void PrintServiceInformation(
 *
 */
 VOID FuzzRunThreadWithWait(
-    _In_ CALL_PARAM *CallParams
+    _In_ CALL_PARAM* CallParams
 )
 {
     HANDLE hThread;
@@ -541,18 +534,18 @@ VOID FuzzRunThreadWithWait(
 *
 */
 VOID FuzzRun(
-    _In_ NTCALL_CONTEXT *Context
+    _In_ NTCALL_CONTEXT* Context
 )
 {
     BOOL probeWin32k = Context->ProbeWin32k, bSkip = FALSE;
-    BLACKLIST *BlackList = &Context->BlackList;
-    ULONG_PTR hNtdll = Context->hNtdll;
+    BLACKLIST* BlackList = &Context->BlackList;
+    PVOID ntdllBase = Context->NtdllBase;
     PRAW_SERVICE_TABLE ServiceTable = &Context->ServiceTable;
     ULONG c, sid;
 
     CALL_PARAM CallParams;
 
-    PCHAR  ServiceName, pLog;
+    PCHAR lpServiceName, pLog;
 
     CHAR szOut[MAX_PATH * 2];
 
@@ -568,22 +561,22 @@ VOID FuzzRun(
         // Query service name.
         //
         if (probeWin32k) {
-            sid = Context->SingleSyscallId - W32SYSCALLSTART;
-            ServiceName = Context->Win32pServiceTableNames[sid];
+            sid = Context->u1.SingleSyscallId - W32SYSCALLSTART;
+            lpServiceName = Context->Win32pServiceTableNames[sid];
         }
         else {
-            sid = Context->SingleSyscallId;
-            ServiceName = (PCHAR)PELoaderGetProcNameBySDTIndex(hNtdll, sid);
+            sid = Context->u1.SingleSyscallId;
+            lpServiceName = supLdrGetProcNameBySDTIndex(ntdllBase, sid);
         }
 
         //
         // Output service information to console.
         //
         _strcpy_a(szOut, "\tProbing #");
-        ultostr_a(Context->SingleSyscallId, _strend_a(szOut));
+        ultostr_a(Context->u1.SingleSyscallId, _strend_a(szOut));
         pLog = _strcat_a(szOut, "\t");
-        if (ServiceName) {
-            _strncpy_a(pLog, MAX_PATH, ServiceName, MAX_PATH);
+        if (lpServiceName) {
+            _strncpy_a(pLog, MAX_PATH, lpServiceName, MAX_PATH);
         }
         else {
             _strcpy_a(pLog, "Unknown");
@@ -595,7 +588,7 @@ VOID FuzzRun(
         // Setup service call parameters and call it in separate thread.
         //
         CallParams.ParametersInStack = Context->ServiceTable.StackArgumentTable[sid];
-        CallParams.Syscall = Context->SingleSyscallId;
+        CallParams.Syscall = Context->u1.SingleSyscallId;
         CallParams.ThreadTimeout = INFINITE;
         CallParams.NumberOfPassesForCall = Context->SyscallPassCount;
         CallParams.LogParams = &g_Log;
@@ -604,22 +597,30 @@ VOID FuzzRun(
     }
     else {
 
-        for (c = 0; c < ServiceTable->CountOfEntries; c++) {
+        c = 0;
+        if (Context->ProbeFromSyscallId) {
+            if (Context->ProbeWin32k)
+                c = Context->u1.StartingSyscallId - W32SYSCALLSTART;
+            else
+                c = Context->u1.StartingSyscallId;
+        }
+
+        for (; c < ServiceTable->CountOfEntries; c++) {
 
             //
             // Query service name.
             //
             if (probeWin32k) {
-                ServiceName = Context->Win32pServiceTableNames[c];
+                lpServiceName = Context->Win32pServiceTableNames[c];
                 sid = W32SYSCALLSTART + c;
             }
             else {
-                ServiceName = (PCHAR)PELoaderGetProcNameBySDTIndex(hNtdll, c);
+                lpServiceName = supLdrGetProcNameBySDTIndex(ntdllBase, c);
                 sid = c;
             }
 
-            if (ServiceName) {
-                bSkip = BlackListEntryPresent(BlackList, (LPCSTR)ServiceName);
+            if (lpServiceName) {
+                bSkip = BlackListEntryPresent(BlackList, (LPCSTR)lpServiceName);
             }
 
             //
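Review bot: The starting index is taken from `u1.StartingSyscallId` without a range check, so an id outside the selected table makes the loop exit at once with no message to the user. With `-win32k` and an id below `W32SYSCALLSTART` the subtraction wraps to a large `ULONG`; without `-win32k` an id at or above `CountOfEntries` has the same result, and unlike `-call` the table is not chosen from the id. The range check visible in FuzzInitPhase2 in this patch applies to `ProbeSingleSyscall` only, as far as the hunks show. After computing `c`, report the condition before entering the loop, for example `if (c >= ServiceTable->CountOfEntries) ConsoleShowMessage("[!] Starting syscall id is out of range\r\n", FOREGROUND_RED | FOREGROUND_INTENSITY);`. The loop body continues past the end of this hunk.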
@@ -627,7 +628,7 @@ VOID FuzzRun(
             //
             PrintServiceInformation(ServiceTable->StackArgumentTable[c] / 4,
                 sid,
-                ServiceName,
+                lpServiceName,
                 bSkip);
 
             if (bSkip) {
diff --git a/Source/NtCall64/fuzz.h b/Source/NtCall64/fuzz.h
index 0b0a74f..2f10f02 100644
--- a/Source/NtCall64/fuzz.h
+++ b/Source/NtCall64/fuzz.h
@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2016 - 2021
+*  (C) COPYRIGHT AUTHORS, 2016 - 2023
 *
 *  TITLE:       FUZZ.H
 *
-*  VERSION:     1.35
+*  VERSION:     1.37
 *
-*  DATE:        21 Feb 2021
+*  DATE:        04 Aug 2023
 *
 * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
 * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -17,30 +17,21 @@
 #pragma once
 
 #define W32SYSCALLSTART     0x1000
-#define MAX_PARAMETERS		32
-#define SIZEOF_FUZZDATA		13
+#define MAX_PARAMETERS      32
 
 #define FUZZ_THREAD_TIMEOUT_SEC (30)
 #define FUZZ_PASS_COUNT         (64) * (1024)
 
-static const ULONG_PTR fuzzdata[SIZEOF_FUZZDATA] = {
-    0x0000000000000000, 0x000000000000ffff, 0x000000000000fffe, 0x00007ffffffeffff,
-    0x00007ffffffefffe, 0x00007fffffffffff, 0x00007ffffffffffe, 0x0000800000000000,
-    0x8000000000000000, 0xffff080000000000, 0xfffff80000000000, 0xffff800000000000,
-    0xffff800000000001
-};
-
 VOID FuzzRun(
     _In_ NTCALL_CONTEXT *Context);
 
-BOOL FuzzLookupWin32kNames(
-    _In_ LPWSTR ModuleName,
+BOOLEAN FuzzLookupWin32kNames(
     _Inout_ NTCALL_CONTEXT *Context);
 
-BOOL FuzzFindW32pServiceTable(
-    _In_ HMODULE MappedImageBase,
+BOOLEAN FuzzFindW32pServiceTable(
+    _In_ PVOID MappedImageBase,
     _In_ PRAW_SERVICE_TABLE ServiceTable);
 
-BOOL FuzzFindKiServiceTable(
-    _In_ ULONG_PTR MappedImageBase,
+BOOLEAN FuzzFindKiServiceTable(
+    _In_ PVOID MappedImageBase,
     _In_ PRAW_SERVICE_TABLE ServiceTable);
diff --git a/Source/NtCall64/global.h b/Source/NtCall64/global.h
index 9bb2365..2bae109 100644
--- a/Source/NtCall64/global.h
+++ b/Source/NtCall64/global.h
@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2016 - 2021
+*  (C) COPYRIGHT AUTHORS, 2016 - 2023
 *
 *  TITLE:       GLOBAL.H
 *
-*  VERSION:     1.35
+*  VERSION:     1.37
 *
-*  DATE:        21 Feb 2021
+*  DATE:        04 Aug 2023
 *
 *  Global definitions.
 *
@@ -41,12 +41,13 @@
 #include 
 #include 
 #include "ntos.h"
+#include "ntbuilds.h"
 #include "hde\hde64.h"
 #include "minirtl\minirtl.h"
 #include "minirtl\_filename.h"
 #include "minirtl\cmdline.h"
 #include "blacklist.h"
-#include "util.h"
+#include "sup.h"
 #include "log.h"
 
 #pragma comment(lib, "Version.lib")
@@ -66,29 +67,37 @@ typedef struct _CALL_PARAM {
 } CALL_PARAM, *PCALL_PARAM;
 
 typedef struct _NTCALL_CONTEXT {
-    BOOL LogEnabled;
-    BOOL ProbeWin32k;
-    BOOL ProbeSingleSyscall;
-    BOOL IsUserInAdminGroup;
-    BOOL IsLocalSystem;
-    BOOL IsElevated;
-    ULONG SingleSyscallId;
+    BOOLEAN LogEnabled;
+    BOOLEAN ProbeWin32k;
+    BOOLEAN ProbeSingleSyscall;
+    BOOLEAN ProbeFromSyscallId;
+    BOOLEAN IsUserFullAdmin;
+    BOOLEAN IsLocalSystem;
+    BOOLEAN IsElevated;
+    union {
+        ULONG SingleSyscallId;
+        ULONG StartingSyscallId;
+    } u1;
     ULONG ThreadWaitTimeout;
     ULONG64 SyscallPassCount;
-    ULONG_PTR hNtdll;
-    ULONG_PTR SystemImageBase;
-    CHAR **Win32pServiceTableNames;
+    PVOID NtdllBase;
+    PVOID SystemModuleBase;
+    PCHAR *Win32pServiceTableNames;
     RAW_SERVICE_TABLE ServiceTable;
     BLACKLIST BlackList;
-    WCHAR szSystemDirectory[MAX_PATH + 1];
+    RTL_OSVERSIONINFOW OsVersion;
 } NTCALL_CONTEXT, *PNTCALL_CONTEXT;
 
 typedef struct _NTCALL_FUZZ_PARAMS {
-    BOOL EnableLog;
-    BOOL LogToFile;
-    BOOL ProbeWin32k;
-    BOOL ProbeSingleSyscall;
-    ULONG SingleSyscallId;
+    BOOLEAN LogEnabled;
+    BOOLEAN LogToFile;
+    BOOLEAN ProbeWin32k;
+    BOOLEAN ProbeSingleSyscall;
+    BOOLEAN ProbeFromSyscallId;
+    union {
+        ULONG SingleSyscallId;
+        ULONG StartingSyscallId;
+    } u1;
     ULONG ThreadWaitTimeout;
     ULONG64 SyscallPassCount;
     WCHAR szLogDeviceOrFile[MAX_PATH + 1];
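Review bot: The new `u1` union gives one `ULONG` two names in both `NTCALL_CONTEXT` and `NTCALL_FUZZ_PARAMS`, and nothing in the declaration says which flag selects which member. The code stays correct only while `ProbeSingleSyscall` and `ProbeFromSyscallId` are never set together, which FuzzInitPhase0 enforces in a separate hunk. I would add a comment above each union such as `// SingleSyscallId is valid when ProbeSingleSyscall is set, StartingSyscallId when ProbeFromSyscallId is set; the two flags are mutually exclusive.` The struct definitions begin and end outside this hunk.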
diff --git a/Source/NtCall64/log.c b/Source/NtCall64/log.c
index d61dbdf..dec2f63 100644
--- a/Source/NtCall64/log.c
+++ b/Source/NtCall64/log.c
@@ -27,15 +27,15 @@
 * Open port/file for logging.
 *
 */
-BOOL FuzzOpenLog(
+BOOLEAN FuzzOpenLog(
     _In_ LPWSTR LogDeviceFileName,
     _In_ PNTCALL_LOG_PARAMS LogParams
 )
 {
-    HANDLE	hFile;
-    CHAR	szWelcome[128];
-    DWORD	bytesIO;
-    DWORD   openFlags = OPEN_EXISTING;
+    HANDLE hFile;
+    CHAR szWelcome[128];
+    DWORD bytesIO;
+    DWORD openFlags = OPEN_EXISTING;
 
     if (LogParams->LogToFile) openFlags = CREATE_ALWAYS; //always overwrite existing log file.
 
diff --git a/Source/NtCall64/log.h b/Source/NtCall64/log.h
index ad35a93..ae70cad 100644
--- a/Source/NtCall64/log.h
+++ b/Source/NtCall64/log.h
@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2016 - 2021
+*  (C) COPYRIGHT AUTHORS, 2016 - 2023
 *
 *  TITLE:       LOG.H
 *
-*  VERSION:     1.35
+*  VERSION:     1.37
 *
-*  DATE:        21 Feb 2021
+*  DATE:        04 Aug 2023
 *
 *  Log support header file.
 *
@@ -24,7 +24,7 @@ typedef struct _NTCALL_LOG_PARAMS {
     HANDLE LogHandle;
 } NTCALL_LOG_PARAMS, * PNTCALL_LOG_PARAMS;
 
-BOOL FuzzOpenLog(
+BOOLEAN FuzzOpenLog(
     _In_ LPWSTR LogDeviceFileName,
     _In_ PNTCALL_LOG_PARAMS LogParams);
 
diff --git a/Source/NtCall64/main.c b/Source/NtCall64/main.c
index 6ac75d7..9999a2e 100644
--- a/Source/NtCall64/main.c
+++ b/Source/NtCall64/main.c
@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2016 - 2022
+*  (C) COPYRIGHT AUTHORS, 2016 - 2023
 *
 *  TITLE:       MAIN.C
 *
-*  VERSION:     1.36
+*  VERSION:     1.37
 *
-*  DATE:        04 Sep 2022
+*  DATE:        04 Aug 2023
 *
 *  Program entry point.
 *
@@ -28,25 +28,27 @@
 #define PARAM_WAITTIMEOUT   TEXT("-wt")
 #define PARAM_HELP          TEXT("-help")
 #define PARAM_LOCALSYSTEM   TEXT("-s")
+#define PARAM_SYSCALL_START TEXT("-start")
 
 #define DEFAULT_LOG_PORT    TEXT("COM1")
 #define DEFAULT_LOG_FILE    TEXT("ntcall64.log")
 
 #define WELCOME_BANNER      "NtCall64, Windows NT x64 syscall fuzzer, based on NtCall by Peter Kosyh.\r\n"
-#define VERSION_BANNER      "Version 1.3.6 from 04 Sep 2022\r\n\n"
+#define VERSION_BANNER      "Version 1.3.7 from 04 Aug 2023\r\n\n"
 
 //
 // Help output.
 //
 #define T_HELP	"Usage: -help [-win32k][-log [-pname][-ofile]][-call Id][-pc Value][-wt Value][-s]\r\n\
   -help     - Show this help information;\r\n\
-  -log      - Enable logging to file last call parameters;\r\n\
+  -log      - Enable logging to file last call parameters, use -ofile to specify file otherwise COM port will be used;\r\n\
   -pname    - Port name for logging, default COM1 (-log enabled required, mutual exclusive with -ofile);\r\n\
   -ofile    - File name for logging, default ntcall64.log (-log enabled required, mutual exclusive with -pname);\r\n\
   -win32k   - Fuzz win32k graphical subsystem table, otherwise fuzz ntos table;\r\n\
   -call Id  - Fuzz syscall by supplied numeric  (can be from any table). All blacklists are ignored;\r\n\
   -pc Value - Set number of passes for each service to , default value 65536;\r\n\
   -wt Value - Set wait timeout for calling threads in seconds (except single syscall fuzzing), default value is 30;\r\n\
+  -start Id - Fuzz syscall table starting from given syscall id, mutual exclusive with -call;\r\n\
   -s        - Attempt to run program from LocalSystem account.\r\n\n\
 Example: ntcall64.exe -win32k -log"
 
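Review bot: The synopsis on the first line of `T_HELP` still ends with `[-wt Value][-s]` and does not list the new switch, although the option table below it now describes `-start Id`. I would add `[-start Id]` next to `[-call Id]` in the `Usage:` line so the two stay consistent, for example `...[-call Id][-start Id][-pc Value][-wt Value][-s]`.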
@@ -133,36 +135,40 @@ void FuzzInitPhase2(
     BOOL probeWin32k = Context->ProbeWin32k;
     ULONG d;
 
+    NTSTATUS ntStatus;
+    UNICODE_STRING usModule;
+
     WCHAR szBuffer[MAX_PATH * 2];
 
     ConsoleShowMessage("[+] Entering FuzzInitPhase2()\r\n",
         FOREGROUND_BLUE | FOREGROUND_GREEN | FOREGROUND_INTENSITY);
 
-    _strcpy(szBuffer, Context->szSystemDirectory);
+    _strcpy(szBuffer, L"\\systemroot\\system32\\");
     if (probeWin32k) {
-        _strcat(szBuffer, TEXT("\\win32k.sys"));
+        _strcat(szBuffer, TEXT("win32k.sys"));
     }
     else {
-        _strcat(szBuffer, TEXT("\\ntoskrnl.exe"));
+        _strcat(szBuffer, TEXT("ntoskrnl.exe"));
     }
 
-    Context->SystemImageBase = (ULONG_PTR)LoadLibraryEx(szBuffer, NULL, 0);
+    RtlInitUnicodeString(&usModule, szBuffer);
+
+    ntStatus = supMapImageNoExecute(&usModule, &Context->SystemModuleBase);
 
-    if (Context->SystemImageBase == 0) {
-        ConsoleShowMessage("[!] Could not preload system image, abort!\r\n",
-            FOREGROUND_RED | FOREGROUND_INTENSITY);
+    if (!NT_SUCCESS(ntStatus) || (Context->SystemModuleBase == NULL)) {
+        supShowNtStatus("[!] Could not preload system image, abort!\r\n", ntStatus);
         return;
     }
 
     if (probeWin32k) {
 
-        if (!FuzzFindW32pServiceTable((HMODULE)Context->SystemImageBase, &Context->ServiceTable)) {
+        if (!FuzzFindW32pServiceTable(Context->SystemModuleBase, &Context->ServiceTable)) {
             ConsoleShowMessage("[!] Could not find W32pServiceTable, abort!\r\n",
                 FOREGROUND_RED | FOREGROUND_INTENSITY);
             return;
         }
 
-        if (!FuzzLookupWin32kNames(szBuffer, Context)) {
+        if (!FuzzLookupWin32kNames(Context)) {
             ConsoleShowMessage("[!] Win32k names query error, abort!\r\n",
                 FOREGROUND_RED | FOREGROUND_INTENSITY);
             return;
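Review bot: Once `supMapImageNoExecute` has succeeded, the failure paths in this hunk (`FuzzFindW32pServiceTable` and `FuzzLookupWin32kNames` returning FALSE) leave the function with a plain `return;`, so the mapped view is never released; the only `NtUnmapViewOfSection` call in the patch sits at the end of the function in a later hunk. I would route these exits through one cleanup point that runs `if (Context->SystemModuleBase) NtUnmapViewOfSection(NtCurrentProcess(), Context->SystemModuleBase);`. The same applies to the `return;` statements in the ntos branch in the next hunk. The function starts before and ends after this hunk.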
@@ -170,14 +176,14 @@ void FuzzInitPhase2(
     }
     else {
 
-        Context->hNtdll = (ULONG_PTR)GetModuleHandle(TEXT("ntdll.dll"));
-        if (Context->hNtdll == 0) {
-            ConsoleShowMessage("[!] Ntdll not found, abort!\r\n",
+        Context->NtdllBase = (PVOID)GetModuleHandle(TEXT("ntdll.dll"));
+        if (Context->NtdllBase == NULL) {
+            ConsoleShowMessage("[!] NTDLL not found, abort!\r\n",
                 FOREGROUND_RED | FOREGROUND_INTENSITY);
             return;
         }
 
-        if (!FuzzFindKiServiceTable(Context->SystemImageBase, &Context->ServiceTable)) {
+        if (!FuzzFindKiServiceTable(Context->SystemModuleBase, &Context->ServiceTable)) {
             ConsoleShowMessage("[!] KiServiceTable not found, abort!\r\n",
                 FOREGROUND_RED | FOREGROUND_INTENSITY);
             return;
@@ -189,7 +195,7 @@ void FuzzInitPhase2(
     //
     if (Context->ProbeSingleSyscall) {
 
-        d = Context->SingleSyscallId;
+        d = Context->u1.SingleSyscallId;
 
         if (Context->ProbeWin32k) {
             d -= W32SYSCALLSTART;
@@ -207,7 +213,7 @@ void FuzzInitPhase2(
 
     FuzzRun(Context);
 
-    FreeLibrary((HMODULE)Context->SystemImageBase);
+    NtUnmapViewOfSection(NtCurrentProcess(), Context->SystemModuleBase);
 
     ConsoleShowMessage("[-] Leaving FuzzInitPhase2()\r\n",
         FOREGROUND_BLUE | FOREGROUND_GREEN | FOREGROUND_INTENSITY);
@@ -225,14 +231,12 @@ VOID FuzzInitPhase1(
     _In_ NTCALL_FUZZ_PARAMS* FuzzParams
 )
 {
+    BOOLEAN LogEnabled = FALSE;
     BOOLEAN bWasEnabled = FALSE;
     WORD wColor = 0;
     UINT i;
 
-    BOOL LogEnabled = FALSE;
     CHAR szOut[MAX_PATH * 2];
-    RTL_OSVERSIONINFOW osver;
-
 
     ConsoleShowMessage("[+] Entering FuzzInitPhase1()\r\n",
         FOREGROUND_BLUE | FOREGROUND_GREEN | FOREGROUND_INTENSITY);
@@ -242,8 +246,8 @@ VOID FuzzInitPhase1(
     if (g_ctx.IsLocalSystem)
         ConsoleShowMessage("[+] LocalSystem account\r\n", 0);
 
-    if (g_ctx.IsUserInAdminGroup) {
-        ConsoleShowMessage("[+] User is admin\r\n", 0);
+    if (g_ctx.IsUserFullAdmin) {
+        ConsoleShowMessage("[+] User is with admin privileges\r\n", 0);
 
         if (g_ctx.IsElevated) {
             ConsoleShowMessage("[+] NtCall64 runs elevated.\r\n", 0);
@@ -253,13 +257,6 @@ VOID FuzzInitPhase1(
         }
     }
 
-    RtlSecureZeroMemory(g_ctx.szSystemDirectory, sizeof(g_ctx.szSystemDirectory));
-    if (!GetSystemDirectory(g_ctx.szSystemDirectory, MAX_PATH)) {
-        ConsoleShowMessage("[!] Could not query system directory, abort!\r\n",
-            FOREGROUND_RED | FOREGROUND_INTENSITY);
-        return;
-    }
-
     //
     // Show current directory.
     //
@@ -279,17 +276,17 @@ VOID FuzzInitPhase1(
     //
     // Show version logo if possible.
     //
-    osver.dwOSVersionInfoSize = sizeof(osver);
-    RtlGetVersion(&osver);
+    g_ctx.OsVersion.dwOSVersionInfoSize = sizeof(g_ctx.OsVersion);
+    RtlGetVersion(&g_ctx.OsVersion);
 
     _strcpy_a(szOut, "[~] Windows version: ");
-    ultostr_a(osver.dwMajorVersion, _strend_a(szOut));
-    ultostr_a(osver.dwMinorVersion, _strcat_a(szOut, "."));
-    ultostr_a(osver.dwBuildNumber, _strcat_a(szOut, "."));
+    ultostr_a(g_ctx.OsVersion.dwMajorVersion, _strend_a(szOut));
+    ultostr_a(g_ctx.OsVersion.dwMinorVersion, _strcat_a(szOut, "."));
+    ultostr_a(g_ctx.OsVersion.dwBuildNumber, _strcat_a(szOut, "."));
     _strcat_a(szOut, "\r\n");
     ConsoleShowMessage(szOut, 0);
 
-    if (FuzzParams->EnableLog) {
+    if (FuzzParams->LogEnabled) {
 
         g_Log.LogHandle = INVALID_HANDLE_VALUE;
         g_Log.LogToFile = FuzzParams->LogToFile;
@@ -304,9 +301,17 @@ VOID FuzzInitPhase1(
             ConsoleShowMessage(szOut, FOREGROUND_RED | FOREGROUND_INTENSITY);
 
         }
-        else
-            ConsoleShowMessage("[+] Logging is enabled\r\n",
+        else {
+            _strcpy_a(szOut, "[+] Logging is enabled, output will be written to ");
+
+            WideCharToMultiByte(CP_ACP, 0, FuzzParams->szLogDeviceOrFile, -1, 
+                _strend_a(szOut), MAX_PATH, NULL, NULL);
+
+            _strcat_a(szOut, "\r\n");
+            
+            ConsoleShowMessage(szOut,
                 FOREGROUND_BLUE | FOREGROUND_GREEN | FOREGROUND_INTENSITY);
+        }
 
         g_ctx.LogEnabled = LogEnabled;
 
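Review bot: The return value of `WideCharToMultiByte` is ignored, and the following `_strcat_a(szOut, "\r\n")` relies on the converted text being terminated. The call is limited to `MAX_PATH` bytes while `szLogDeviceOrFile` holds up to `MAX_PATH + 1` wide characters, so a maximum-length name, or one that expands under a multi-byte ANSI code page, makes the conversion fail and leaves the destination without a guaranteed terminator. Keep the write position and terminate on failure: `CHAR *pEnd = _strend_a(szOut);` then `if (!WideCharToMultiByte(CP_ACP, 0, FuzzParams->szLogDeviceOrFile, -1, pEnd, MAX_PATH, NULL, NULL)) *pEnd = 0;`. The enclosing `if`/`else` starts outside this hunk.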
@@ -319,9 +324,9 @@ VOID FuzzInitPhase1(
     // Handle single system call.
     //
     if (FuzzParams->ProbeSingleSyscall) {
-        g_ctx.ProbeWin32k = (FuzzParams->SingleSyscallId >= W32SYSCALLSTART);
+        g_ctx.ProbeWin32k = (FuzzParams->u1.SingleSyscallId >= W32SYSCALLSTART);
         g_ctx.ProbeSingleSyscall = TRUE;
-        g_ctx.SingleSyscallId = FuzzParams->SingleSyscallId;
+        g_ctx.u1.SingleSyscallId = FuzzParams->u1.SingleSyscallId;
     }
     else {
         g_ctx.ProbeWin32k = FuzzParams->ProbeWin32k;
@@ -344,6 +349,18 @@ VOID FuzzInitPhase1(
     _strcat_a(szOut, "\r\n");
     ConsoleShowMessage(szOut, 0);
 
+    //
+    // Show probe from syscall id.
+    //
+    g_ctx.ProbeFromSyscallId = FuzzParams->ProbeFromSyscallId;
+    g_ctx.u1.StartingSyscallId = FuzzParams->u1.StartingSyscallId;
+    if (g_ctx.ProbeFromSyscallId) {
+        _strcpy_a(szOut, "[+] Starting syscall id ");
+        ultostr_a(g_ctx.u1.StartingSyscallId, _strend_a(szOut));
+        _strcat_a(szOut, "\r\n");
+        ConsoleShowMessage(szOut, 0);
+    }
+
     //
     // Assign much possible privileges if can.
     //
@@ -393,7 +410,7 @@ VOID FuzzInitPhase1(
     }
 
     if (g_ctx.Win32pServiceTableNames)
-        HeapFree(GetProcessHeap(), 0, g_ctx.Win32pServiceTableNames);
+        supHeapFree(g_ctx.Win32pServiceTableNames);
 
     ConsoleShowMessage("[-] Leaving FuzzInitPhase1()\r\n",
         FOREGROUND_BLUE | FOREGROUND_GREEN | FOREGROUND_INTENSITY);
@@ -413,8 +430,10 @@ VOID FuzzInitPhase0(
 {
     ULONG rLen;
     NTCALL_FUZZ_PARAMS fuzzParams;
+    HANDLE hToken;
+    NTSTATUS ntStatus;
 
-    TCHAR szTextBuf[MAX_PATH + 1];
+    WCHAR szTextBuf[MAX_PATH + 1];
 
     do {
 
@@ -426,22 +445,42 @@ VOID FuzzInitPhase0(
         fuzzParams.SyscallPassCount = FUZZ_PASS_COUNT;
 
         RtlSecureZeroMemory(&g_ctx, sizeof(g_ctx));
-        g_ctx.IsLocalSystem = IsLocalSystem();
-        if (g_ctx.IsLocalSystem) {
-            g_ctx.IsElevated = TRUE;
-            g_ctx.IsUserInAdminGroup = TRUE;
+
+        ntStatus = NtOpenProcessToken(NtCurrentProcess(), TOKEN_QUERY, &hToken);
+        if (NT_SUCCESS(ntStatus)) {
+
+            ntStatus = supIsLocalSystem(hToken, &g_ctx.IsLocalSystem);
+            if (NT_SUCCESS(ntStatus)) {
+                if (g_ctx.IsLocalSystem) {
+                    g_ctx.IsElevated = TRUE;
+                    g_ctx.IsUserFullAdmin = TRUE;
+                }
+                else {
+                    g_ctx.IsUserFullAdmin = supUserIsFullAdmin(hToken);
+                    if (g_ctx.IsUserFullAdmin) {
+                        g_ctx.IsElevated = supIsClientElevated(NtCurrentProcess());
+                    }
+                }
+            }
+            else {
+                supShowNtStatus("[!] Failed to query process token information\r\n", ntStatus);
+                return;
+            }
+
+            NtClose(hToken);
         }
         else {
-            g_ctx.IsUserInAdminGroup = IsUserInAdminGroup();
-            if (g_ctx.IsUserInAdminGroup) {
-                g_ctx.IsElevated = IsElevated(NULL);
-            }
+            supShowNtStatus("[!] Failed to open self process token\r\n", ntStatus);
+            return;
         }
 
-        if (GetCommandLineOption(PARAM_LOCALSYSTEM, FALSE, NULL, 0, NULL)) {
+        //
+        // -s (System) param.
+        //
+        if (supGetCommandLineOption(PARAM_LOCALSYSTEM, FALSE, NULL, 0, NULL)) {
             if (g_ctx.IsLocalSystem == FALSE) {
-                if (g_ctx.IsUserInAdminGroup == FALSE) {
-                    ConsoleShowMessage("[~] Administrative privileges reqruied for this operation\r\n", 0);
+                if (g_ctx.IsUserFullAdmin == FALSE) {
+                    ConsoleShowMessage("[~] Administrative privileges are required for this operation\r\n", 0);
                     break;
                 }
                 if (g_ctx.IsElevated == FALSE) {
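Review bot: When `supIsLocalSystem` fails, the new code returns without closing `hToken`, which was opened successfully a few lines earlier; `NtClose(hToken);` is reached only on the success path. Add `NtClose(hToken);` before that `return;`. These two exits also use `return` inside the `do { ... }` block while the other early exits in the function use `break`, so whatever follows the loop is skipped here; that code is outside the hunk, so please confirm the difference is intended.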
@@ -449,7 +488,7 @@ VOID FuzzInitPhase0(
                     break;
                 }
                 ConsoleShowMessage("[~] Restarting as LocalSystem\r\n", 0);
-                RunAsLocalSystem();
+                supRunAsLocalSystem();
                 break;
             }
             //
@@ -457,19 +496,31 @@ VOID FuzzInitPhase0(
             //
         }
 
-        fuzzParams.ProbeWin32k = GetCommandLineOption(PARAM_WIN32K, FALSE, NULL, 0, NULL);
-        fuzzParams.EnableLog = GetCommandLineOption(PARAM_LOG, FALSE, NULL, 0, NULL);
-        if (fuzzParams.EnableLog) {
+        //
+        // -win32k param.
+        //
+        fuzzParams.ProbeWin32k = supGetCommandLineOption(PARAM_WIN32K, FALSE, NULL, 0, NULL);
+
+        //
+        // -log param.
+        //
+        fuzzParams.LogEnabled = supGetCommandLineOption(PARAM_LOG, FALSE, NULL, 0, NULL);
+        if (fuzzParams.LogEnabled) {
 
             _strcpy(fuzzParams.szLogDeviceOrFile, DEFAULT_LOG_PORT);
             fuzzParams.LogToFile = FALSE;
 
             //
-            // Check log port name.
+            // Check log port name (-pname).
             //
             rLen = 0;
             RtlSecureZeroMemory(szTextBuf, sizeof(szTextBuf));
-            if (GetCommandLineOption(PARAM_LOGPORT, TRUE, szTextBuf, sizeof(szTextBuf) / sizeof(TCHAR), &rLen)) {
+            if (supGetCommandLineOption(PARAM_LOGPORT,
+                TRUE, 
+                szTextBuf, 
+                RTL_NUMBER_OF(szTextBuf), 
+                &rLen)) 
+            {
                 if (rLen) {
                     _strcpy(fuzzParams.szLogDeviceOrFile, szTextBuf);
                 }
@@ -477,11 +528,16 @@ VOID FuzzInitPhase0(
             else {
 
                 //
-                // Check log file name.
+                // Check log file name (-ofile).
                 //
                 rLen = 0;
                 RtlSecureZeroMemory(szTextBuf, sizeof(szTextBuf));
-                if (GetCommandLineOption(PARAM_LOGFILE, TRUE, szTextBuf, sizeof(szTextBuf) / sizeof(TCHAR), &rLen)) {
+                if (supGetCommandLineOption(PARAM_LOGFILE,
+                    TRUE, 
+                    szTextBuf, 
+                    RTL_NUMBER_OF(szTextBuf),
+                    &rLen)) 
+                {
                     if (rLen) {
                         _strcpy(fuzzParams.szLogDeviceOrFile, szTextBuf);
                     }
@@ -494,15 +550,45 @@ VOID FuzzInitPhase0(
             }
         }
 
+        //
+        // -call (SyscallId) param.
+        //
         RtlSecureZeroMemory(szTextBuf, sizeof(szTextBuf));
-        if (GetCommandLineOption(PARAM_SYSCALL, TRUE, szTextBuf, sizeof(szTextBuf) / sizeof(TCHAR), NULL))
+        if (supGetCommandLineOption(PARAM_SYSCALL,
+            TRUE, 
+            szTextBuf, 
+            RTL_NUMBER_OF(szTextBuf), 
+            NULL))
         {
             fuzzParams.ProbeSingleSyscall = TRUE;
-            fuzzParams.SingleSyscallId = _strtoul(szTextBuf);
+            fuzzParams.u1.SingleSyscallId = _strtoul(szTextBuf);
+        }
+
+        if (fuzzParams.ProbeSingleSyscall == FALSE) {
+            //
+            // -start (SyscallId) param.
+            //
+            RtlSecureZeroMemory(szTextBuf, sizeof(szTextBuf));
+            if (supGetCommandLineOption(PARAM_SYSCALL_START,
+                TRUE,
+                szTextBuf,
+                RTL_NUMBER_OF(szTextBuf),
+                NULL))
+            {
+                fuzzParams.ProbeFromSyscallId = TRUE;
+                fuzzParams.u1.StartingSyscallId = _strtoul(szTextBuf);
+            }
         }
 
+        //
+        // -pc (PassCount) param.
+        //
         RtlSecureZeroMemory(szTextBuf, sizeof(szTextBuf));
-        if (GetCommandLineOption(PARAM_PASSCOUNT, TRUE, szTextBuf, sizeof(szTextBuf) / sizeof(TCHAR), NULL))
+        if (supGetCommandLineOption(PARAM_PASSCOUNT,
+            TRUE, 
+            szTextBuf, 
+            RTL_NUMBER_OF(szTextBuf), 
+            NULL))
         {
             fuzzParams.SyscallPassCount = strtou64(szTextBuf);
         }
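Review bot: When -call is present, the `if (fuzzParams.ProbeSingleSyscall == FALSE)` branch skips the -start lookup without any message, so a command line carrying both switches silently runs in single-syscall mode. The commit message describes the two switches as mutually exclusive; a comment above the branch such as `// -start is ignored when -call is given (mutually exclusive).` would record that, and reporting the conflict to the user would be clearer still. In the lines shown, both ids are taken from `_strtoul` with no check that the text was numeric or within the service table. FuzzInitPhase0 starts and ends outside this hunk.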
@@ -515,8 +601,15 @@ VOID FuzzInitPhase0(
             break;
         }
 
+        //
+        // -wt (WaitTimeout) param.
+        //
         RtlSecureZeroMemory(szTextBuf, sizeof(szTextBuf));
-        if (GetCommandLineOption(PARAM_WAITTIMEOUT, TRUE, szTextBuf, sizeof(szTextBuf) / sizeof(TCHAR), NULL))
+        if (supGetCommandLineOption(PARAM_WAITTIMEOUT,
+            TRUE, 
+            szTextBuf, 
+            RTL_NUMBER_OF(szTextBuf),
+            NULL))
         {
             fuzzParams.ThreadWaitTimeout = _strtoul(szTextBuf);
         }
@@ -554,7 +647,7 @@ UINT NtCall64Main()
 
         do {
 
-            if (GetCommandLineOption(PARAM_HELP, FALSE, NULL, 0, NULL)) {
+            if (supGetCommandLineOption(PARAM_HELP, FALSE, NULL, 0, NULL)) {
                 ConsoleShowMessage(T_HELP, 0);
                 break;
             }
diff --git a/Source/NtCall64/minirtl/strtou64.c b/Source/NtCall64/minirtl/strtou64.c
index 1ec829c..fad5eb3 100644
--- a/Source/NtCall64/minirtl/strtou64.c
+++ b/Source/NtCall64/minirtl/strtou64.c
@@ -11,7 +11,7 @@ unsigned long long strtou64_a(char *s)
 	while (*s != 0) {
 		c = *s;
 		if (_isdigit_w(c))
-			a = (a*10)+(c-'0');
+			a = (a*10)+((unsigned long long)c-'0');
 		else
 			break;
 		s++;
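Review bot: The accumulation `a = (a*10)+((unsigned long long)c-'0')` in strtou64_a still wraps modulo 2^64 on a long digit string; the added cast only changes the type of the subtraction. The same holds for strtou64_w in the next hunk. A guard before the multiply, `if (a > (0xffffffffffffffffULL - (unsigned long long)(c - '0')) / 10) return 0xffffffffffffffffULL;`, would saturate instead of wrapping. Separately, strtou64_a tests a value read from a `char *` with `_isdigit_w`, where strtoul_a uses `_isdigit_a`. Both function bodies start and end outside these hunks.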
@@ -30,7 +30,7 @@ unsigned long long strtou64_w(wchar_t *s)
 	while (*s != 0) {
 		c = *s;
 		if (_isdigit_w(c))
-			a = (a*10)+(c-L'0');
+			a = (a*10)+((unsigned long long)c-L'0');
 		else
 			break;
 		s++;
diff --git a/Source/NtCall64/minirtl/strtoul.c b/Source/NtCall64/minirtl/strtoul.c
index 3250d74..4fcd0bb 100644
--- a/Source/NtCall64/minirtl/strtoul.c
+++ b/Source/NtCall64/minirtl/strtoul.c
@@ -1,49 +1,39 @@
 #include "rtltypes.h"
 
-#define ULONG_MAX_VALUE 0xffffffffUL
-
 unsigned long strtoul_a(char *s)
 {
-    unsigned long long  a = 0;
-    char                c;
-
-    if (s == 0)
-        return 0;
-
-    while (*s != 0) {
-        c = *s;
-        if (_isdigit_a(c))
-            a = (a*10)+(c-'0');
-        else
-            break;
-
-        if (a > ULONG_MAX_VALUE)
-            return ULONG_MAX_VALUE;
-
-        s++;
-    }
-    return (unsigned long)a;
+	unsigned long	a = 0;
+	char			c;
+
+	if (s == 0)
+		return 0;
+
+	while (*s != 0) {
+		c = *s;
+		if (_isdigit_a(c))
+			a = (a*10)+(c-'0');
+		else
+			break;
+		s++;
+	}
+	return a;
 }
 
 unsigned long strtoul_w(wchar_t *s)
 {
-    unsigned long long	a = 0;
-    wchar_t			c;
-
-    if (s == 0)
-        return 0;
-
-    while (*s != 0) {
-        c = *s;
-        if (_isdigit_w(c))
-            a = (a * 10) + (c - L'0');
-        else
-            break;
-
-        if (a > ULONG_MAX_VALUE)
-            return ULONG_MAX_VALUE;
-
-        s++;
-    }
-    return (unsigned long)a;
+	unsigned long	a = 0;
+	wchar_t			c;
+
+	if (s == 0)
+		return 0;
+
+	while (*s != 0) {
+		c = *s;
+		if (_isdigit_w(c))
+			a = (a*10)+(c-L'0');
+		else
+			break;
+		s++;
+	}
+	return a;
 }
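Review bot: Removing the `ULONG_MAX_VALUE` clamp and narrowing `a` to `unsigned long` makes strtoul_a and strtoul_w wrap on out-of-range input where the old code returned 0xffffffff, so an oversized number now parses as an unrelated smaller one. main.c takes the -call, -start and -wt values from `_strtoul`, which presumably maps to these functions. Keeping `#define ULONG_MAX_VALUE 0xffffffffUL` and testing before the multiply preserves the old contract with the narrower accumulator: `if (a > (ULONG_MAX_VALUE - (unsigned long)(c - '0')) / 10) return ULONG_MAX_VALUE;`.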
diff --git a/Source/NtCall64/ntbuilds.h b/Source/NtCall64/ntbuilds.h
new file mode 100644
index 0000000..f92204d
--- /dev/null
+++ b/Source/NtCall64/ntbuilds.h
@@ -0,0 +1,90 @@
+/*******************************************************************************
+*
+*  (C) COPYRIGHT AUTHORS, 2021 - 2023
+*
+*  TITLE:       NTBUILDS.H
+*
+*  VERSION:     1.18
+*
+*  DATE:        21 Jul 2023
+*
+*  Windows NT builds definition file.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+#pragma once
+
+//
+// Defines for Major Windows NT release builds
+//
+
+// Windows 7 RTM
+#define NT_WIN7_RTM             7600
+
+// Windows 7 SP1
+#define NT_WIN7_SP1             7601
+
+// Windows 8 RTM
+#define NT_WIN8_RTM             9200
+
+// Windows 8.1
+#define NT_WIN8_BLUE            9600
+
+// Windows 10 TH1
+#define NT_WIN10_THRESHOLD1     10240
+
+// Windows 10 TH2
+#define NT_WIN10_THRESHOLD2     10586
+
+// Windows 10 RS1
+#define NT_WIN10_REDSTONE1      14393
+
+// Windows 10 RS2
+#define NT_WIN10_REDSTONE2      15063
+
+// Windows 10 RS3
+#define NT_WIN10_REDSTONE3      16299
+
+// Windows 10 RS4
+#define NT_WIN10_REDSTONE4      17134
+
+// Windows 10 RS5
+#define NT_WIN10_REDSTONE5      17763
+
+// Windows 10 19H1
+#define NT_WIN10_19H1           18362
+
+// Windows 10 19H2
+#define NT_WIN10_19H2           18363
+
+// Windows 10 20H1
+#define NT_WIN10_20H1           19041
+
+// Windows 10 20H2
+#define NT_WIN10_20H2           19042
+
+// Windows 10 21H1
+#define NT_WIN10_21H1           19043
+
+// Windows 10 21H2
+#define NT_WIN10_21H2           19044
+
+// Windows 10 22H2
+#define NT_WIN10_22H2           19045
+
+// Windows Server 2022
+#define NT_WINSRV_21H1          20348
+
+// Windows 11 21H2
+#define NT_WIN11_21H2           22000
+
+// Windows 11 22H2
+#define NT_WIN11_22H2           22621
+
+// Windows 11 Active Develepment Branch
+#define NT_WIN11_23H2           22631
+#define NT_WIN11_24H2           25905 //canary (24H2)
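Review bot: The last two defines share one comment, "Windows 11 Active Develepment Branch", which is misspelled and does not match the per-release comments used for every other entry. I would give each its own line, `// Windows 11 23H2` and `// Windows 11 24H2 (canary build, active development branch)`. `NT_WIN11_24H2` is pinned to a canary build number, so any version comparison against it presumably needs revisiting once that release ships; a short note saying so next to the define would help.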
diff --git a/Source/NtCall64/resource.rc b/Source/NtCall64/resource.rc
index fe710be035bc52cadd9efddcf521e7f5656ff6ed..594a216ac5e16896d5301ea0e8408a3140c5b172 100644
GIT binary patch
delta 94
zcmZ3Wxj=J+3^%tqgARicgE4~vgT-WZZe3*l=6LS6Oh5rWxB__r-N`L{I~a{816iB1
W`1u%lk)#=vCST+c-8@TxjRgQ=X%dnE

delta 94
zcmZ3Wxj=J+3^%tKgARic5E?L8PFCmEMdojg=YGos6wre!kQdOM+`_km(P%P|wKdwFileVersionMS);
-                    if (MinorVersion)
-                        *MinorVersion = LOWORD(pFileInfo->dwFileVersionMS);
-                    if (Build)
-                        *Build = HIWORD(pFileInfo->dwFileVersionLS);
-                    if (Revision)
-                        *Revision = LOWORD(pFileInfo->dwFileVersionLS);
-                }
-            }
-            HeapFree(GetProcessHeap(), 0, vinfo);
-        }
-    }
-    return bResult;
-}
-
 VOID ConsoleInit(
     VOID)
 {
@@ -153,40 +95,44 @@ VOID ConsoleShowMessage(
 }
 
 /*
-* GetCommandLineOption
+* supGetCommandLineOption
 *
 * Purpose:
 *
 * Parse command line options.
 *
 */
-BOOL GetCommandLineOption(
-    _In_ LPCTSTR OptionName,
-    _In_ BOOL IsParametric,
-    _Out_writes_opt_z_(ValueSize) LPTSTR OptionValue,
+BOOLEAN supGetCommandLineOption(
+    _In_ LPCWSTR OptionName,
+    _In_ BOOLEAN IsParametric,
+    _Out_writes_opt_z_(ValueSize) LPWSTR OptionValue,
     _In_ ULONG ValueSize,
     _Out_opt_ PULONG ParamLength
 )
 {
-    BOOL    bResult;
-    LPTSTR	cmdline = GetCommandLine();
-    TCHAR   Param[MAX_PATH + 1];
-    ULONG   rlen;
-    int		i = 0;
+    BOOLEAN bResult;
+    LPWSTR cmdline = GetCommandLine();
+    WCHAR szParam[MAX_PATH + 1];
+    ULONG rlen;
+    INT	i = 0;
 
     if (ParamLength)
         *ParamLength = 0;
 
-    RtlSecureZeroMemory(Param, sizeof(Param));
-    while (GetCommandLineParam(cmdline, i, Param, MAX_PATH, &rlen))
+    RtlSecureZeroMemory(szParam, sizeof(szParam));
+    while (GetCommandLineParam(
+        cmdline, 
+        i, 
+        szParam, 
+        MAX_PATH, 
+        &rlen)) 
     {
         if (rlen == 0)
             break;
 
-        if (_strcmp(Param, OptionName) == 0)
-        {
+        if (_strcmp(szParam, OptionName) == 0) {
             if (IsParametric) {
-                bResult = GetCommandLineParam(cmdline, i + 1, OptionValue, ValueSize, &rlen);
+                bResult = (BOOLEAN)GetCommandLineParam(cmdline, i + 1, OptionValue, ValueSize, &rlen);
                 if (ParamLength)
                     *ParamLength = rlen;
                 return bResult;
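Review bot: `LPWSTR cmdline = GetCommandLine();` still calls the TCHAR macro although the signature and locals were changed to explicit wide types, so the function is only correct when UNICODE is defined. Calling `GetCommandLineW()` makes the body agree with the new `LPCWSTR`/`LPWSTR` parameters; `_strcmp` looks like the same kind of macro and may need its wide form as well. The `(BOOLEAN)` cast on the `GetCommandLineParam` result truncates to one byte, so if that routine can return a nonzero value other than 1, `GetCommandLineParam(...) != FALSE` is the safer spelling. The function body continues outside this hunk.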
@@ -200,83 +146,85 @@ BOOL GetCommandLineOption(
     return FALSE;
 }
 
-
 /*
-* IsUserInAdminGroup
+* supUserIsFullAdmin
 *
 * Purpose:
 *
-* Returns TRUE if current user is in admin group.
+* Tests if the current user is admin with full access token.
 *
 */
-BOOLEAN IsUserInAdminGroup(
-    VOID
+BOOLEAN supUserIsFullAdmin(
+    _In_ HANDLE hToken
 )
 {
     BOOLEAN bResult = FALSE;
-    HANDLE hToken;
+    NTSTATUS status;
+    DWORD i, Attributes;
+    ULONG ReturnLength = 0;
+
+    PTOKEN_GROUPS pTkGroups;
+
+    SID_IDENTIFIER_AUTHORITY ntAuthority = SECURITY_NT_AUTHORITY;
+    PSID adminGroup = NULL;
+
+    do {
+        if (!NT_SUCCESS(RtlAllocateAndInitializeSid(
+            &ntAuthority,
+            2,
+            SECURITY_BUILTIN_DOMAIN_RID,
+            DOMAIN_ALIAS_RID_ADMINS,
+            0, 0, 0, 0, 0, 0,
+            &adminGroup)))
+        {
+            break;
+        }
 
-    ULONG returnLength, i;
-
-    PSID pSid = NULL;
-
-    PTOKEN_GROUPS ptg = NULL;
-
-    SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
-
-    if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
-
-        GetTokenInformation(hToken, TokenGroups, NULL, 0, &returnLength);
-
-        ptg = (PTOKEN_GROUPS)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, (SIZE_T)returnLength);
-        if (ptg) {
-
-            if (GetTokenInformation(hToken,
-                TokenGroups,
-                ptg,
-                returnLength,
-                &returnLength))
-            {
-                if (AllocateAndInitializeSid(&NtAuthority,
-                    2,
-                    SECURITY_BUILTIN_DOMAIN_RID,
-                    DOMAIN_ALIAS_RID_ADMINS,
-                    0,
-                    0,
-                    0,
-                    0,
-                    0,
-                    0,
-                    &pSid))
-                {
-                    for (i = 0; i < ptg->GroupCount; i++) {
-                        if (EqualSid(pSid, ptg->Groups[i].Sid)) {
+        status = NtQueryInformationToken(hToken, TokenGroups, NULL, 0, &ReturnLength);
+        if (status != STATUS_BUFFER_TOO_SMALL)
+            break;
+
+        pTkGroups = (PTOKEN_GROUPS)supHeapAlloc((SIZE_T)ReturnLength);
+        if (pTkGroups == NULL)
+            break;
+
+        status = NtQueryInformationToken(hToken, TokenGroups, pTkGroups, ReturnLength, &ReturnLength);
+        if (NT_SUCCESS(status)) {
+            if (pTkGroups->GroupCount > 0)
+                for (i = 0; i < pTkGroups->GroupCount; i++) {
+                    Attributes = pTkGroups->Groups[i].Attributes;
+                    if (RtlEqualSid(adminGroup, pTkGroups->Groups[i].Sid))
+                        if (
+                            (Attributes & SE_GROUP_ENABLED) &&
+                            (!(Attributes & SE_GROUP_USE_FOR_DENY_ONLY))
+                            )
+                        {
                             bResult = TRUE;
                             break;
                         }
-                    }
-
-                    FreeSid(pSid);
                 }
-            }
-
-            HeapFree(GetProcessHeap(), 0, ptg);
         }
-        CloseHandle(hToken);
+        supHeapFree(pTkGroups);
+
+    } while (FALSE);
+
+    if (adminGroup != NULL) {
+        RtlFreeSid(adminGroup);
     }
+
     return bResult;
 }
 
 /*
-* IsElevated
+* supIsClientElevated
 *
 * Purpose:
 *
 * Returns TRUE if process runs elevated.
 *
 */
-BOOL IsElevated(
-    _In_opt_ HANDLE ProcessHandle
+BOOLEAN supIsClientElevated(
+    _In_ HANDLE ProcessHandle
 )
 {
     HANDLE hToken = NULL, processHandle = ProcessHandle;
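Review bot: In supUserIsFullAdmin the group scan is an unbraced `if` / `for` / `if` / `if` chain, which makes it easy to attach a later statement to the wrong level, and the `GroupCount > 0` test duplicates the loop condition. I would drop that test and fold the checks into one braced condition: `if (RtlEqualSid(adminGroup, pTkGroups->Groups[i].Sid) && (Attributes & SE_GROUP_ENABLED) && !(Attributes & SE_GROUP_USE_FOR_DENY_ONLY)) {`. The header comment could also state that the caller owns `hToken` and that it must allow TOKEN_QUERY, since the function now takes the token instead of opening it. supIsClientElevated's body continues outside this hunk.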
@@ -284,10 +232,6 @@ BOOL IsElevated(
     ULONG BytesRead = 0;
     TOKEN_ELEVATION te;
 
-    if (ProcessHandle == NULL) {
-        processHandle = GetCurrentProcess();
-    }
-
     te.TokenIsElevated = 0;
 
     Status = NtOpenProcessToken(processHandle, TOKEN_QUERY, &hToken);
@@ -303,78 +247,46 @@ BOOL IsElevated(
 }
 
 /*
-* PELoaderGetProcNameBySDTIndex
+* supLdrGetProcNameBySDTIndex
 *
 * Purpose:
 *
 * Return name of service from ntdll by given syscall id.
 *
 */
-PCHAR PELoaderGetProcNameBySDTIndex(
-    _In_ ULONG_PTR MappedImageBase,
+PCHAR supLdrGetProcNameBySDTIndex(
+    _In_ PVOID ModuleBase,
     _In_ ULONG SDTIndex
 )
 {
+    PIMAGE_EXPORT_DIRECTORY pImageExportDirectory;
+    PULONG nameTableBase;
+    PUSHORT nameOrdinalTableBase;
+    PULONG funcTable;
+    PBYTE pfn;
+    ULONG c, exportSize;
+
+    pImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)RtlImageDirectoryEntryToData(ModuleBase,
+        TRUE, IMAGE_DIRECTORY_ENTRY_EXPORT, &exportSize);
+
+    if (pImageExportDirectory) {
+
+        nameTableBase = (PDWORD)RtlOffsetToPointer(ModuleBase, pImageExportDirectory->AddressOfNames);
+        nameOrdinalTableBase = (PUSHORT)RtlOffsetToPointer(ModuleBase, pImageExportDirectory->AddressOfNameOrdinals);
+        funcTable = (PDWORD)RtlOffsetToPointer(ModuleBase, pImageExportDirectory->AddressOfFunctions);
+
+        for (c = 0; c < pImageExportDirectory->NumberOfNames; c++) {
+            pfn = (PBYTE)RtlOffsetToPointer(ModuleBase, funcTable[nameOrdinalTableBase[c]]);
+            if (*((PULONG)pfn) == 0xb8d18b4c)
+                if (*((PULONG)(pfn + 4)) == SDTIndex)
+                    return (PCHAR)RtlOffsetToPointer(ModuleBase, nameTableBase[c]);
+        }
 
-    PIMAGE_NT_HEADERS       nthdr = RtlImageNtHeader((PVOID)MappedImageBase);
-    PIMAGE_EXPORT_DIRECTORY ExportDirectory;
-
-    ULONG_PTR   ExportDirectoryOffset;
-    PULONG      NameTableBase;
-    PUSHORT     NameOrdinalTableBase;
-    PULONG      Addr;
-    PBYTE       pfn;
-    ULONG       c;
-
-    ExportDirectoryOffset =
-        nthdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
-
-    if (ExportDirectoryOffset == 0)
-        return NULL;
-
-    ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)(MappedImageBase + ExportDirectoryOffset);
-    NameTableBase = (PULONG)(MappedImageBase + (ULONG)ExportDirectory->AddressOfNames);
-    NameOrdinalTableBase = (PUSHORT)(MappedImageBase + (ULONG)ExportDirectory->AddressOfNameOrdinals);
-    Addr = (PULONG)(MappedImageBase + (ULONG)ExportDirectory->AddressOfFunctions);
-
-    for (c = 0; c < ExportDirectory->NumberOfNames; c++) {
-        pfn = (PBYTE)(MappedImageBase + Addr[NameOrdinalTableBase[c]]);
-        if (*((PULONG)pfn) == 0xb8d18b4c)
-            if (*((PULONG)(pfn + 4)) == SDTIndex)
-                return (PCHAR)(MappedImageBase + NameTableBase[c]);
     }
 
     return NULL;
 }
 
-/*
-* supHeapAlloc
-*
-* Purpose:
-*
-* Wrapper for RtlAllocateHeap.
-*
-*/
-FORCEINLINE PVOID supHeapAlloc(
-    _In_ SIZE_T Size)
-{
-    return RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, Size);
-}
-
-/*
-* supHeapFree
-*
-* Purpose:
-*
-* Wrapper for RtlFreeHeap.
-*
-*/
-FORCEINLINE BOOL supHeapFree(
-    _In_ PVOID Memory)
-{
-    return RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Memory);
-}
-
 /*
 * supPrivilegeEnabled
 *
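Review bot: supLdrGetProcNameBySDTIndex indexes `funcTable[nameOrdinalTableBase[c]]` without comparing the ordinal against `NumberOfFunctions`, and `exportSize` is fetched but never used to bound anything. supLdrGetProcAddressEx, added in this same commit, does make that comparison. Adding `if (nameOrdinalTableBase[c] >= pImageExportDirectory->NumberOfFunctions) continue;` as the first statement of the loop keeps the two parsers consistent and avoids reading past the table on a malformed image. The literal `0xb8d18b4c` also deserves a name or a comment: as a little-endian dword it is the bytes 4C 8B D1 B8, i.e. `mov r10, rcx` followed by the opcode of `mov eax, imm32`.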
@@ -495,9 +407,9 @@ NTSTATUS supIsLocalSystem(
     _In_ HANDLE hToken,
     _Out_ PBOOLEAN pbResult)
 {
-    BOOLEAN                  bResult = FALSE;
-    NTSTATUS                 status = STATUS_UNSUCCESSFUL;
-    PSID                     SystemSid = NULL, TokenSid = NULL;
+    BOOLEAN bResult = FALSE;
+    NTSTATUS status = STATUS_UNSUCCESSFUL;
+    PSID SystemSid = NULL, TokenSid = NULL;
     SID_IDENTIFIER_AUTHORITY NtAuth = SECURITY_NT_AUTHORITY;
 
     TokenSid = supQueryTokenUserSid(hToken);
@@ -701,7 +613,7 @@ PVOID supGetSystemInfo(
         &returnedLength)) == STATUS_INFO_LENGTH_MISMATCH)
     {
         supHeapFree(buffer);
-        bufferSize *= 2;
+        bufferSize <<= 1;
 
         if (bufferSize > SI_MAX_BUFFER_LENGTH)
             return NULL;
@@ -734,11 +646,10 @@ BOOL supEnablePrivilege(
     _In_ BOOL fEnable
 )
 {
-    BOOL             bResult = FALSE;
-    NTSTATUS         status;
-    ULONG            dummy;
-    HANDLE           hToken;
-    TOKEN_PRIVILEGES TokenPrivileges;
+    NTSTATUS status;
+    ULONG dummy;
+    HANDLE hToken;
+    TOKEN_PRIVILEGES tkPrivs;
 
     status = NtOpenProcessToken(
         NtCurrentProcess(),
@@ -746,25 +657,24 @@ BOOL supEnablePrivilege(
         &hToken);
 
     if (!NT_SUCCESS(status)) {
-        return bResult;
+        return FALSE;
     }
 
-    TokenPrivileges.PrivilegeCount = 1;
-    TokenPrivileges.Privileges[0].Luid.LowPart = PrivilegeName;
-    TokenPrivileges.Privileges[0].Luid.HighPart = 0;
-    TokenPrivileges.Privileges[0].Attributes = (fEnable) ? SE_PRIVILEGE_ENABLED : 0;
-    status = NtAdjustPrivilegesToken(hToken, FALSE, &TokenPrivileges,
+    tkPrivs.PrivilegeCount = 1;
+    tkPrivs.Privileges[0].Luid.LowPart = PrivilegeName;
+    tkPrivs.Privileges[0].Luid.HighPart = 0;
+    tkPrivs.Privileges[0].Attributes = (fEnable) ? SE_PRIVILEGE_ENABLED : 0;
+    status = NtAdjustPrivilegesToken(hToken, FALSE, &tkPrivs,
         sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PULONG)&dummy);
     if (status == STATUS_NOT_ALL_ASSIGNED) {
         status = STATUS_PRIVILEGE_NOT_HELD;
     }
-    bResult = NT_SUCCESS(status);
     NtClose(hToken);
-    return bResult;
+    return NT_SUCCESS(status);
 }
 
 /*
-* RunAsLocalSystem
+* supRunAsLocalSystem
 *
 * Purpose:
 *
@@ -773,7 +683,7 @@ BOOL supEnablePrivilege(
 * Note: Elevated instance required.
 *
 */
-VOID RunAsLocalSystem(
+VOID supRunAsLocalSystem(
     VOID
 )
 {
@@ -1011,25 +921,168 @@ HANDLE supGetCurrentProcessToken(
 }
 
 /*
-* IsLocalSystem
+* supMapImageNoExecute
 *
 * Purpose:
 *
-* Returns TRUE if current user is LocalSystem.
+* Map image with SEC_IMAGE_NO_EXECUTE.
 *
 */
-BOOLEAN IsLocalSystem(
-    VOID
+NTSTATUS supMapImageNoExecute(
+    _In_ PUNICODE_STRING ImagePath,
+    _Out_ PVOID* BaseAddress
 )
 {
-    BOOLEAN bResult = FALSE;
-    HANDLE hToken;
+    NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
+    SIZE_T fileSize = 0;
+    HANDLE hFile = NULL, hSection = NULL;
+    OBJECT_ATTRIBUTES obja;
+    IO_STATUS_BLOCK iost;
+    LARGE_INTEGER li;
 
-    hToken = supGetCurrentProcessToken();
-    if (hToken) {
-        supIsLocalSystem(hToken, &bResult);
-        NtClose(hToken);
+    *BaseAddress = NULL;
+
+    do {
+
+        InitializeObjectAttributes(&obja, ImagePath,
+            OBJ_CASE_INSENSITIVE, NULL, NULL);
+
+        RtlSecureZeroMemory(&iost, sizeof(iost));
+        ntStatus = NtCreateFile(&hFile,
+            SYNCHRONIZE | FILE_READ_DATA,
+            &obja,
+            &iost,
+            NULL,
+            0,
+            FILE_SHARE_READ,
+            FILE_OPEN,
+            FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE,
+            NULL,
+            0);
+
+        if (!NT_SUCCESS(ntStatus))
+            break;
+
+        obja.ObjectName = NULL;
+
+        ntStatus = NtCreateSection(&hSection,
+            SECTION_MAP_READ,
+            &obja,
+            NULL,
+            PAGE_READONLY,
+            SEC_IMAGE_NO_EXECUTE,
+            hFile);
+
+        if (!NT_SUCCESS(ntStatus))
+            break;
+
+        li.QuadPart = 0;
+
+        ntStatus = NtMapViewOfSection(hSection,
+            NtCurrentProcess(),
+            BaseAddress,
+            0,
+            0,
+            &li,
+            &fileSize,
+            ViewShare,
+            0,
+            PAGE_READONLY);
+
+        if (!NT_SUCCESS(ntStatus))
+            break;
+
+    } while (FALSE);
+
+    if (hFile) NtClose(hFile);
+    if (hSection) NtClose(hSection);
+    return ntStatus;
+}
+
+/*
+* supLdrGetProcAddressEx
+*
+* Purpose:
+*
+* Simplified GetProcAddress reimplementation.
+*
+*/
+LPVOID supLdrGetProcAddressEx(
+    _In_ LPVOID ImageBase,
+    _In_ LPCSTR RoutineName
+)
+{
+    PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL;
+    USHORT OrdinalNumber;
+    PULONG NameTableBase;
+    PUSHORT NameOrdinalTableBase;
+    PULONG Addr;
+    LONG Result;
+    ULONG High, Low, Middle = 0;
+
+    union {
+        PIMAGE_NT_HEADERS64 nt64;
+        PIMAGE_NT_HEADERS32 nt32;
+        PIMAGE_NT_HEADERS nt;
+    } NtHeaders;
+
+    if (!NT_SUCCESS(RtlImageNtHeaderEx(RTL_IMAGE_NT_HEADER_EX_FLAG_NO_RANGE_CHECK,
+        ImageBase, 0, &NtHeaders.nt)))
+    {
+        return NULL;
     }
 
-    return bResult;
+    if (NtHeaders.nt == NULL) {
+        return NULL;
+    }
+
+    if (NtHeaders.nt->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64) {
+
+        ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)RtlOffsetToPointer(ImageBase,
+            NtHeaders.nt64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
+
+    }
+    else if (NtHeaders.nt->FileHeader.Machine == IMAGE_FILE_MACHINE_I386) {
+
+        ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)RtlOffsetToPointer(ImageBase,
+            NtHeaders.nt32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
+    }
+    else
+    {
+        return NULL;
+    }
+
+    NameTableBase = (PULONG)RtlOffsetToPointer(ImageBase, (ULONG)ExportDirectory->AddressOfNames);
+    NameOrdinalTableBase = (PUSHORT)RtlOffsetToPointer(ImageBase, (ULONG)ExportDirectory->AddressOfNameOrdinals);
+    Low = 0;
+    High = ExportDirectory->NumberOfNames - 1;
+    while (High >= Low) {
+
+        Middle = (Low + High) >> 1;
+
+        Result = _strcmp_a(
+            RoutineName,
+            (char*)RtlOffsetToPointer(ImageBase, NameTableBase[Middle]));
+
+        if (Result < 0) {
+            High = Middle - 1;
+        }
+        else {
+            if (Result > 0) {
+                Low = Middle + 1;
+            }
+            else {
+                break;
+            }
+        }
+    }
+    if (High < Low)
+        return NULL;
+
+    OrdinalNumber = NameOrdinalTableBase[Middle];
+    if ((ULONG)OrdinalNumber >= ExportDirectory->NumberOfFunctions)
+        return NULL;
+
+    Addr = (PULONG)RtlOffsetToPointer(ImageBase, (ULONG)ExportDirectory->AddressOfFunctions);
+    return (LPVOID)RtlOffsetToPointer(ImageBase, Addr[OrdinalNumber]);
 }
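Review bot: The binary search in supLdrGetProcAddressEx keeps `High`, `Low` and `Middle` as `ULONG`, so `High = Middle - 1` wraps to 0xFFFFFFFF when `Middle` is 0. That happens when `RoutineName` sorts before the first export name; `High >= Low` then stays true and the next probe reads `NameTableBase` far out of bounds. An image with `NumberOfNames == 0` has the same problem at `High = ExportDirectory->NumberOfNames - 1`. Declaring the indices signed, `LONG High, Low, Middle = 0;`, lets both cases reach the existing `if (High < Low) return NULL;` exit. The export directory RVA is also used without checking that it is non-zero.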
diff --git a/Source/NtCall64/sup.h b/Source/NtCall64/sup.h
new file mode 100644
index 0000000..ae3b645
--- /dev/null
+++ b/Source/NtCall64/sup.h
@@ -0,0 +1,68 @@
+/*******************************************************************************
+*
+*  (C) COPYRIGHT AUTHORS, 2016 - 2023
+*
+*  TITLE:       SUP.H
+*
+*  VERSION:     1.37
+*
+*  DATE:        04 Aug 2023
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+#pragma once
+
+typedef struct _WIN32_SHADOWTABLE {
+    ULONG Index;
+    CHAR Name[256];
+    struct _WIN32_SHADOWTABLE *NextService;
+} WIN32_SHADOWTABLE, *PWIN32_SHADOWTABLE;
+
+#define supHeapAlloc(Size) RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, Size)
+#define supHeapFree(Memory) RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Memory)
+
+VOID supShowNtStatus(
+    _In_ LPCSTR lpText,
+    _In_ NTSTATUS Status);
+
+VOID ConsoleInit(
+    VOID);
+
+VOID ConsoleShowMessage(
+    _In_ LPCSTR lpMessage,
+    _In_opt_ WORD wColor);
+
+BOOLEAN supGetCommandLineOption(
+    _In_ LPCWSTR OptionName,
+    _In_ BOOLEAN IsParametric,
+    _Out_writes_opt_z_(ValueSize) LPWSTR OptionValue,
+    _In_ ULONG ValueSize,
+    _Out_opt_ PULONG ParamLength);
+
+NTSTATUS supIsLocalSystem(
+    _In_ HANDLE hToken,
+    _Out_ PBOOLEAN pbResult);
+
+BOOLEAN supUserIsFullAdmin(
+    _In_ HANDLE hToken);
+
+VOID supRunAsLocalSystem(VOID);
+
+BOOLEAN supIsClientElevated(
+    _In_ HANDLE ProcessHandle);
+
+PCHAR supLdrGetProcNameBySDTIndex(
+    _In_ PVOID MappedImageBase,
+    _In_ ULONG SDTIndex);
+
+NTSTATUS supMapImageNoExecute(
+    _In_ PUNICODE_STRING ImagePath,
+    _Out_ PVOID* BaseAddress);
+
+LPVOID supLdrGetProcAddressEx(
+    _In_ LPVOID ImageBase,
+    _In_ LPCSTR RoutineName);
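Review bot: `supHeapAlloc` and `supHeapFree` become function-like macros here, which loses the `SIZE_T`/`PVOID` parameter checking and the typed return of the FORCEINLINE versions this commit removes from sup.c. Keeping them as inline functions in the header costs nothing, e.g. `FORCEINLINE PVOID supHeapAlloc(_In_ SIZE_T Size) { return RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, Size); }`. The prototype of supLdrGetProcNameBySDTIndex names its first parameter `MappedImageBase` while the definition in sup.c calls it `ModuleBase`; one name should be used in both places.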
diff --git a/Source/NtCall64/util.h b/Source/NtCall64/util.h
deleted file mode 100644
index 055be88..0000000
--- a/Source/NtCall64/util.h
+++ /dev/null
@@ -1,55 +0,0 @@
-/*******************************************************************************
-*
-*  (C) COPYRIGHT AUTHORS, 2016 - 2022
-*
-*  TITLE:       UTIL.H
-*
-*  VERSION:     1.36
-*
-*  DATE:        04 Sep 2022
-*
-* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
-* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
-* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
-* PARTICULAR PURPOSE.
-*
-*******************************************************************************/
-#pragma once
-
-typedef struct _WIN32_SHADOWTABLE {
-    ULONG Index;
-    CHAR Name[256];
-    struct _WIN32_SHADOWTABLE *NextService;
-} WIN32_SHADOWTABLE, *PWIN32_SHADOWTABLE;
-
-BOOL GetImageVersionInfo(
-    _In_ LPWSTR lpFileName,
-    _Out_opt_ ULONG *MajorVersion,
-    _Out_opt_ ULONG *MinorVersion,
-    _Out_opt_ ULONG *Build,
-    _Out_opt_ ULONG *Revision);
-
-VOID ConsoleInit(
-    VOID);
-
-VOID ConsoleShowMessage(
-    _In_ LPCSTR lpMessage,
-    _In_opt_ WORD wColor);
-
-BOOL GetCommandLineOption(
-    _In_ LPCTSTR OptionName,
-    _In_ BOOL IsParametric,
-    _Out_writes_opt_z_(ValueSize) LPTSTR OptionValue,
-    _In_ ULONG ValueSize,
-    _Out_opt_ PULONG ParamLength);
-
-BOOLEAN IsLocalSystem(VOID);
-BOOLEAN IsUserInAdminGroup(VOID);
-VOID RunAsLocalSystem(VOID);
-
-BOOL IsElevated(
-    _In_opt_ HANDLE ProcessHandle);
-
-PCHAR PELoaderGetProcNameBySDTIndex(
-    _In_ ULONG_PTR MappedImageBase,
-    _In_ ULONG SDTIndex);
diff --git a/Source/NtCall64/wfuzzer.vcxproj b/Source/NtCall64/wfuzzer.vcxproj
index 30dd8dd..3f139eb 100644
--- a/Source/NtCall64/wfuzzer.vcxproj
+++ b/Source/NtCall64/wfuzzer.vcxproj
@@ -158,7 +158,7 @@
     
     
     
-    
+    
   
   
     
@@ -172,10 +172,11 @@
     
     
     
+    
     
     
     
-    
+    
   
   
     
diff --git a/Source/NtCall64/wfuzzer.vcxproj.filters b/Source/NtCall64/wfuzzer.vcxproj.filters
index 72f5d0b..4d0fc1f 100644
--- a/Source/NtCall64/wfuzzer.vcxproj.filters
+++ b/Source/NtCall64/wfuzzer.vcxproj.filters
@@ -24,7 +24,7 @@
     
       Source Files
     
-    
+    
       Source Files
     
     
@@ -95,7 +95,7 @@
     
       Header Files
     
-    
+    
       Header Files
     
     
@@ -134,6 +134,9 @@
     
       Header Files
     
+    
+      Header Files
+    
   
   
     
diff --git a/Source/NtCall64/wfuzzer.vcxproj.user b/Source/NtCall64/wfuzzer.vcxproj.user
index 4967d14..66da31c 100644
--- a/Source/NtCall64/wfuzzer.vcxproj.user
+++ b/Source/NtCall64/wfuzzer.vcxproj.user
@@ -1,7 +1,7 @@
 
 
   
-    -win32k
+    -win32k -start 4993
     WindowsLocalDebugger