From e3f9a751964dc0cacd5938638720682dac48ffa7 Mon Sep 17 00:00:00 2001
From: xerox <xerox@back.engineering>
Date: Mon, 17 Aug 2020 22:31:10 +0000
Subject: [PATCH] Update README.md

---
 README.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 6e6a8ab..39b5338 100644
--- a/README.md
+++ b/README.md
@@ -19,4 +19,8 @@ This inline hook jumps to shellcode that packages all of the parameter values pa
 <img src="https://imgur.com/DpFyC9p.png"/>
 
 Now that you have a basic understanding of how this system works (and sorta why it is), lets look at what we can do!
-To begin we need to extract the driver handle at runtime, this can be done simply by extracting the address of the shellcode out of the inline hook of `NtReadVirtualMemory`.
\ No newline at end of file
+To begin we need to extract the driver handle at runtime, this can be done simply by extracting the address of the shellcode out of the inline hook of `NtReadVirtualMemory`. Nnow that we have 
+the handle to the driver we can start sending IOCTL's to BattlEye. The IOCTL data is not encrypted nor complicated... this is what it looks like:
+
+<img src="https://imgur.com/fa627q3.png"/>
+