diff --git a/README.md b/README.md
index f864e00..22c97d1 100644
--- a/README.md
+++ b/README.md
@@ -24,6 +24,7 @@
- [五、高级篇](doc/5_advanced.md)
- [六、附录](doc/6_appendix.md)
- - [6.1 更多工具](doc/6.1_moretools.md)
- - [6.1.1 terminal commands](doc/6.1.1_commands.md)
- - 书籍,博客和文章
+ - [6.1 更多 Linux 工具](doc/6.1_Linuxtools.md)
+ - [6.2 更多 Windows 工具](doc/6.2_wintools.md)
+ - [6.3 博客、文章和书籍](doc/6.3_books&blogs.md)
+ - [6.4 习题 write-up](doc/6.4_writeup.md)
diff --git a/doc/6.1.1_commands.md b/doc/6.1.1_commands.md
deleted file mode 100644
index 333c5e5..0000000
--- a/doc/6.1.1_commands.md
+++ /dev/null
@@ -1 +0,0 @@
-# 6.1 Terminal Commands
diff --git a/doc/6.1_Linuxtools.md b/doc/6.1_Linuxtools.md
new file mode 100644
index 0000000..b7a5027
--- /dev/null
+++ b/doc/6.1_Linuxtools.md
@@ -0,0 +1,53 @@
+# 6.1 更多 Linux 工具
+
+- [strings](#strings)
+- [xxd](#xxd)
+
+## strings
+**strings**命令在对象文件或二进制文件中查找可打印的字符串。字符串是4个或更多可打印字符的任意序列,以换行符或空字符结束。strings命令对识别随机对象文件很有用。
+
+#### 重要参数
+```text
+-d --data Only scan the data sections in the file
+-t --radix={o,d,x} Print the location of the string in base 8, 10 or 16
+-e --encoding={s,S,b,l,B,L} Select character size and endianness:
+ s = 7-bit, S = 8-bit, {b,l} = 16-bit, {B,L} = 32-bit
+```
+
+#### 常见用法
+组合使用 *strings* 和 *grep*。
+
+在 **ret2lib** 攻击中,得到字符串的偏移:
+```text
+strings -t x /lib32/libc-2.24.so | grep /bin/sh
+```
+
+检查是否使用了 **UPX** 加壳
+```text
+strings [executable] | grep -i upx
+```
+
+#### 练习
+[strings_crackme](../source/Reverse/strings_crackme)
+
+[flag_pwnablekr](../source/Reverse/flag_pwnablekr)
+
+
+## xxd
+**xxd**的作用就是将一个文件以十六进制的形式显示出来。
+
+#### 重要参数:
+```text
+-g number of octets per group in normal output. Default 2 (-e: 4).
+-i output in C include file style.
+-l len stop after octets.
+-u use upper case hex letters.
+```
+
+#### 常见用法
+```text
+xxd -g1
+```
+
+#### 练习
+[xxd_crackme](../source/Reverse/xxd_crackme) (使用 *strings* 再做一次)
diff --git a/doc/6.1_moretools.md b/doc/6.1_moretools.md
deleted file mode 100644
index e4664c1..0000000
--- a/doc/6.1_moretools.md
+++ /dev/null
@@ -1 +0,0 @@
-# 更多工具
diff --git a/doc/6.2_wintools.md b/doc/6.2_wintools.md
new file mode 100644
index 0000000..45fe5b4
--- /dev/null
+++ b/doc/6.2_wintools.md
@@ -0,0 +1,5 @@
+# 6.1.2 更多 Windows 工具
+
+- [wxHexEditor](#wxhexeditor)
+
+## wxHexEditor
diff --git a/doc/6.3_books&blogs.md b/doc/6.3_books&blogs.md
new file mode 100644
index 0000000..bc4156e
--- /dev/null
+++ b/doc/6.3_books&blogs.md
@@ -0,0 +1,10 @@
+# 博客、文章和书籍
+
+## 博客
+
+## 文章
+
+## 书籍
+- Hacking: The Art of Exploitation, 2nd Edition by Jon Erickson
+- The Shellcoder's Handbook: Discovering and Exploiting
+Security Holes, 2nd Edition by Chris Anley et al
diff --git a/doc/6.4_writeup.md b/doc/6.4_writeup.md
new file mode 100644
index 0000000..9242971
--- /dev/null
+++ b/doc/6.4_writeup.md
@@ -0,0 +1,73 @@
+# 6.4 习题答案
+
+- 一、基础知识篇
+ - [1.1 ctf 介绍]
+
+- 二、工具篇
+ - [2.1 gdb/peda]
+ - [2.2 ollydbg]
+ - [2.3 windbg]
+ - [2.4 radare2]
+ - [2.5 IDA Pro]
+ - [2.6 pwntools]
+
+- 三、分类专题篇
+ - [3.1 Reverse]
+ - [3.2 Crypto]
+ - [3.3 Pwn]
+ - [3.4 Web]
+ - [3.5 Misc]
+ - [3.6 Mobile]
+
+- 四、技巧篇
+
+- 五、高级篇
+
+- 六、附录
+ - [6.1 更多 Linux 工具]
+ - [6.2 更多 Windows 工具]
+ - [6.3 博客、文章和书籍]
+ - [6.4 习题 write-up]
+
+## 6.1 更多 Linux 工具
+#### Strings - strings_crackme
+```text
+[firmy@Reverse]$ strings -e L strings_crackme
+w0wgreat
+```
+
+#### Strings - flag_pwnablekr
+```text
+[firmy@Reverse]$ ./flag_pwnablekr
+I will malloc() and strcpy the flag there. take it.
+[firmy@Reverse]$ strings flag_pwnablekr | grep UPX
+UPX!
+$Info: This file is packed with the UPX executable packer http://upx.sf.net $
+$Id: UPX 3.08 Copyright (C) 1996-2011 the UPX Team. All Rights Reserved. $
+UPX!
+UPX!
+[firmy@Reverse]$ upx -d flag_pwnablekr
+ Ultimate Packer for eXecutables
+ Copyright (C) 1996 - 2017
+UPX 3.94 Markus Oberhumer, Laszlo Molnar & John Reiser May 12th 2017
+ File size Ratio Format Name
+ -------------------- ------ ----------- -----------
+ 883745 <- 335288 37.94% linux/amd64 flag_pwnablekr
+Unpacked 1 file.
+[firmy@Reverse]$ strings flag_pwnablekr | grep -i upx
+UPX...? sounds like a delivery service :)
+```
+
+#### xxd - xxd_crackme
+```text
+[firmy@Reverse]$ xxd -g1 xxd_crackme
+......
+00001020: 00 00 00 00 67 30 30 64 4a 30 42 21 00 00 00 00 ....g00dJ0B!....
+......
+```
+```text
+[firmy@Reverse]$ strings -d xxd_crackme
+......
+g00dJ0B!
+......
+```
diff --git a/source/Reverse/flag_pwnablekr b/source/Reverse/flag_pwnablekr
new file mode 100755
index 0000000..bfe60ff
Binary files /dev/null and b/source/Reverse/flag_pwnablekr differ
diff --git a/source/Reverse/strings_crackme b/source/Reverse/strings_crackme
new file mode 100755
index 0000000..904868d
Binary files /dev/null and b/source/Reverse/strings_crackme differ
diff --git a/source/Reverse/xxd_crackme b/source/Reverse/xxd_crackme
new file mode 100755
index 0000000..61917fa
Binary files /dev/null and b/source/Reverse/xxd_crackme differ