--- a/slides/slides03.tex Wed Oct 07 00:44:12 2015 +0100
+++ b/slides/slides03.tex Wed Oct 07 10:14:04 2015 +0100
@@ -297,12 +297,29 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
+\frametitle{C-Library Functions}
+
+\begin{itemize}
+\item copy everything up to the zero byte
+\end{itemize}\medskip
+
+{\small
+\lstinputlisting[language=C,numbers=none]{../progs/app5.c}}
+
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
\frametitle{Payloads}
\begin{itemize}
\item the idea is that you store some code in the buffer (the payload)
\item you then override the return address to execute this payload\medskip
-\item normally you start a root-shell\pause
+\item normally you want to start a shell\pause
\item difficulty is to guess the right place where to ``jump''
\end{itemize}
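Review bot: The new C-Library Functions frame says only "copy everything up to the zero byte", but the listing `../progs/app5.c` is not part of the diff, so the slide itself never states which function is shown nor the property the following frames depend on: the copy stops at the source's terminator and is never bounded by the size of the destination buffer. A second bullet such as `\item the copy is bounded only by the source's zero byte, never by the size of the destination buffer` would make the frame self-contained. As a point of style, `\end{itemize}\medskip` is manual vertical spacing and the `{\small ... }` group around the listing can be expressed as a listings option, `\lstinputlisting[language=C,numbers=none,basicstyle=\small\ttfamily]{../progs/app5.c}`, which keeps the font choice with the listing rather than in a bare group.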
@@ -392,6 +409,46 @@
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Why BOAs Work?}
+
+\begin{itemize}
+\item stack grows from higher addresses to lower addresses
+\item library functions copy memory until a zero-byte is
+encountered
+\end{itemize}
+
+\begin{center}
+\begin{tabular}{@{\hspace{-7mm}}c@{\hspace{2mm}}c@{}}
+\small
+\begin{tikzpicture}[scale=0.45]
+ %\draw[step=1cm] (-3,-3) grid (3,3);
+ \draw[line width=1mm] (-2, -3) rectangle (2,3);
+ \draw[line width=1mm] (-2,1) -- (2,1);
+ \draw[line width=1mm] (-2,-1) -- (2,-1);
+ \draw (0,2) node {\tt text};
+ \draw (0,0) node {\tt heap};
+ \draw (0,-2) node {\tt stack};
+
+ \draw (-2.7,3) node[anchor=north east]
+ {\tt\begin{tabular}{@{}l@{}}lower\\ address\end{tabular}};
+ \draw (-2.7,-3) node[anchor=south east]
+ {\tt\begin{tabular}{@{}l@{}}higher\\ address\end{tabular}};
+ \draw[->, line width=1mm] (-2.5,3) -- (-2.5,-3);
+
+ \draw (2.7,-3) node[anchor=south west] {\tt\footnotesize older};
+ \draw (2.7,-1) node[anchor=north west] {\tt\footnotesize newer};
+ \draw[|->, line width=1mm] (2.5,-3.09) -- (2.5,-1);
+ \end{tikzpicture}
+&
+\raisebox{1.3cm}{\footnotesize
+\lstinputlisting[language=C,numbers=none]{../progs/app5.c}}
+\end{tabular}
+\end{center}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
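Review bot: The Why BOAs Work? frame lists the stack growth direction and the zero-byte-terminated copy but omits the step that connects them, which is why the earlier Payloads frame can speak of overriding the return address: a local buffer is written from its lowest address upward, toward the saved return address of the frame above, so an overrun reaches that control data. A third bullet such as `\item buffers are written from lower to higher addresses, so an overrun reaches the saved return address of the enclosing frame` would close the argument, and the diagram's `older`/`newer` arrow already illustrates it. The frame title reads more naturally as a question, `\frametitle{Why do BOAs Work?}`. Stylistically, the node labels use the plain-TeX `{\tt ...}` font switch, which `\texttt{}` or `\ttfamily` inside the node replaces, and the `@{\hspace{-7mm}}` negative column padding is a manual layout fix that may not survive a change of `scale=0.45`.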
@@ -462,6 +519,26 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
+\frametitle{In my Examples I Cheated}
+
+I compiled the programs with
+
+\begin{center}
+\begin{tabular}{l@{\hspace{1mm}}l}
+\pcode{/usr/bin/gcc} & \pcode{-ggdb -O0}\\
+ & \pcode{-fno-stack-protector}\\
+ & \pcode{-mpreferred-stack-boundary=2}\\
+ & \pcode{-z execstack}
+\end{tabular}
+\end{center}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
\frametitle{NIST Statistics about BOA}
\begin{center}