From a75699b90403c3e2e50fe6aab718fc6192dd96ea Mon Sep 17 00:00:00 2001 From: haskal Date: Sun, 26 Jul 2020 03:18:08 -0400 Subject: [PATCH] delay slot note --- 2020/3kctf/babym1ps/README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/2020/3kctf/babym1ps/README.md b/2020/3kctf/babym1ps/README.md index 23e48c8..b7353a8 100644 --- a/2020/3kctf/babym1ps/README.md +++ b/2020/3kctf/babym1ps/README.md @@ -80,7 +80,11 @@ stored in a register `ra` rather than directly on the stack. so instead of most epilogue being able to work as a ROP gadget, only epilogues that pop `ra` from the stack and then return are applicable. there are also some gadgets involving the temp register `t9` - which is used by MIPS compilers to load certain library function calls from `gp` or other registers. so it's -really a mix of both return- and call-oriented programming. +really a mix of both return- and call-oriented programming. another important thing about MIPS is +that each branch/jump has a _delay slot_, the instruction directly after the branch gets executed +before the branch/jump gets taken, and also if it's not taken. the delay slots are prefixed in +ghidra with `_`. this means useful gadget operations can actually come after the corresponding +`jalr`, for example. it turns out pwntools is fairly useless for MIPS ROP, and i also tried a port of some IDA scripts to ghidra but these didn't really turn up good results,
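Review bot: the added delay-slot sentence ("the instruction directly after the branch gets executed before the branch/jump gets taken, and also if it's not taken") is a comma splice and reads ambiguously, since "before the branch/jump gets taken" can be misread as executing before the branch instruction itself. Suggest splitting it and stating the ordering explicitly, e.g. "each branch/jump has a _delay slot_: the instruction directly after it is executed after the branch instruction but before control transfers to the target, whether or not the branch is taken." It would also help to say in the `jalr` example that this is why a gadget's useful instruction (a register load or store) can sit in the slot after the `jalr` and still take effect before the called code runs, since that is the point the ROP discussion above relies on.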