diff --git a/2020/3kctf/babym1ps/README.md b/2020/3kctf/babym1ps/README.md index 23e48c8..b7353a8 100644 --- a/2020/3kctf/babym1ps/README.md +++ b/2020/3kctf/babym1ps/README.md @@ -80,7 +80,11 @@ stored in a register `ra` rather than directly on the stack. so instead of most epilogue being able to work as a ROP gadget, only epilogues that pop `ra` from the stack and then return are applicable. there are also some gadgets involving the temp register `t9` - which is used by MIPS compilers to load certain library function calls from `gp` or other registers. so it's -really a mix of both return- and call-oriented programming. +really a mix of both return- and call-oriented programming. another important thing about MIPS is +that each branch/jump has a _delay slot_, the instruction directly after the branch gets executed +before the branch/jump gets taken, and also if it's not taken. the delay slots are prefixed in +ghidra with `_`. this means useful gadget operations can actually come after the corresponding +`jalr`, for example. it turns out pwntools is fairly useless for MIPS ROP, and i also tried a port of some IDA scripts to ghidra but these didn't really turn up good results,
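Review bot: the delay-slot sentence in the added lines is hard to parse as written ("gets executed before the branch/jump gets taken, and also if it's not taken"); suggest restating it as "the instruction immediately following a branch/jump is executed regardless of whether the branch is taken", which makes the point unambiguous for readers who have not seen MIPS before. Two smaller style points in the same hunk: "ghidra" is the tool's proper name and the rest of the writeup would read more consistently as "Ghidra", and the closing "this means useful gadget operations can actually come after the corresponding `jalr`, for example." leaves "for example" dangling; moving it to the front ("for example, this means a useful gadget operation can sit in the delay slot right after the `jalr`") ties it directly to the delay-slot explanation it illustrates.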