diff --git a/README.md b/README.md index 742d17b..247e0f0 100644 --- a/README.md +++ b/README.md @@ -297,7 +297,7 @@ We can use a bug in printf that uses the printf string as the output address of will then write `3` (number of characters to this point) into that address. ``` - add + address of unlock door / ---- 603a256e61256e @@ -308,3 +308,26 @@ will then write `3` (number of characters to this point) into that address. ## Novosibirsk +This is the second exercise where we can exploit a printf vulnerability. The key insight we've +gained while playing with different inputs is that '%n' writes the number of characters written so +far to the address defined by the two initial characters. We can use this insight to replace the +HSM-2 interrupt `0x7e` with the door unlock interrupt `0x7f`. + +To build the attack, the first to characters must point to `0x44c8` where +`0x7e` is located. Then, we must make the string exactly long enough so that +the final number of characters is `0x7f`. Finally, we add `%n` to trigger the +attack. + +``` + address of HSM-2 interrupt ID + / '%n' + / / +---- ----- +c844 + '61' * 0x7d + 256e + ----------- + \ Make numbers +``` + +## Algiers + +
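Review bot: in the first hunk the relabelled diagram still leaves `603a256e61256e` unexplained: the new label "address of unlock door" sits over `603a`, but nothing says this is the byte-swapped form of the target address, the way the second hunk writes `c844` for `0x44c8`. Adding a short note such as "address bytes are written low byte first" next to the `----` marker, and labelling `256e` as the `%n` characters that trigger the write, would let the reader reconcile the string with the "will then write `3`" sentence above it.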
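Review bot: in the second hunk the count is correct (2 address characters + 0x7d = 0x7f) but the diagram does not say so; the "Make numbers" label under `'61' * 0x7d` should state that these 0x7d padding characters bring the running total to `0x7f` before `%n` is reached. Two smaller points in the same hunk: "the first to characters" should read "the first two characters", and the text should say how wide the `%n` write is, because the diagram only accounts for the single byte at `0x44c8` and does not document what happens to the byte after it. The added `## Algiers` heading is empty; either drop it from this change or add a placeholder line so the README does not end on a bare heading.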