Update README.md

README.md

@@ -199,12 +199,12 @@ steps:
 5. Build the vulnerability trigger and push it to the virtual device
 6. Break in GDB
 
-	load the custom python script([dynamic-analysis.py](https://github.com/cloudfuzz/android-kernel-exploitation/blob/master/gdb/dynamic-analysis.py) in repo) :
+	Load the custom python script([dynamic-analysis.py](https://github.com/cloudfuzz/android-kernel-exploitation/blob/master/gdb/dynamic-analysis.py) in repo) :
 	To trace function calls and dump the binder_thread structure chunk before and after it's freed. Also dump the same binder_thread structure before and after the unlink operation has been done.
 
-	In this file we first [delete all breakpoints](https://github.com/cloudfuzz/android-kernel-exploitation/blob/d408cc833df175c2410c2a0ef35cc27c23b80f3e/gdb/dynamic-analysis.py#L157) and the put 2 breakpoints(BP); The first symbol is “[binder_free_thread](https://github.com/cloudfuzz/android-kernel-exploitation/blob/d408cc833df175c2410c2a0ef35cc27c23b80f3e/gdb/dynamic-analysis.py#L164)” (will trace binder_free_thread function)before binder_thread is freed stop function will be called so parameters and symbol will be shown with ([gb.write(....)](https://github.com/cloudfuzz/android-kernel-exploitation/blob/d408cc833df175c2410c2a0ef35cc27c23b80f3e/gdb/dynamic-analysis.py#L96) ) and then the call back method(we set it [set_dump_binder_thread ](https://github.com/cloudfuzz/android-kernel-exploitation/blob/d408cc833df175c2410c2a0ef35cc27c23b80f3e/gdb/dynamic-analysis.py#L34)) will be called; in this function binder_thread_address will be set in our global variable and gdb.execute send any output produced by command to GDB’s standard output .
+	In this file we first [delete all breakpoints](https://github.com/cloudfuzz/android-kernel-exploitation/blob/d408cc833df175c2410c2a0ef35cc27c23b80f3e/gdb/dynamic-analysis.py#L157) and the put 2 breakpoints(BP); The first symbol is “[binder_free_thread](https://github.com/cloudfuzz/android-kernel-exploitation/blob/d408cc833df175c2410c2a0ef35cc27c23b80f3e/gdb/dynamic-analysis.py#L164)” (will trace binder_free_thread function)before binder_thread is freed, stop function will be called; so parameters and symbol will be shown with ([gb.write(....)](https://github.com/cloudfuzz/android-kernel-exploitation/blob/d408cc833df175c2410c2a0ef35cc27c23b80f3e/gdb/dynamic-analysis.py#L96) ) and then the callback method(we set it [set_dump_binder_thread ](https://github.com/cloudfuzz/android-kernel-exploitation/blob/d408cc833df175c2410c2a0ef35cc27c23b80f3e/gdb/dynamic-analysis.py#L34)) will be called; In this function binder_thread_address will be set in our global variable and gdb.execute send any output produced by command to GDB’s standard output .
 
-	The second symbol is “[remove_wait_queue](https://github.com/cloudfuzz/android-kernel-exploitation/blob/d408cc833df175c2410c2a0ef35cc27c23b80f3e/gdb/dynamic-analysis.py#L175)”(will trace remove_wait_queue function) the parameters which we want to observe are "wq_head", "wq_entry" and for exit wait.c:52 breakpoint will be set. their callbacks are [dump_binder_thread ](https://github.com/cloudfuzz/android-kernel-exploitation/blob/d408cc833df175c2410c2a0ef35cc27c23b80f3e/gdb/dynamic-analysis.py#L42).these breakpoints will show what happens before and after the unlink operation
+	The second symbol is “[remove_wait_queue](https://github.com/cloudfuzz/android-kernel-exploitation/blob/d408cc833df175c2410c2a0ef35cc27c23b80f3e/gdb/dynamic-analysis.py#L175)”(will trace remove_wait_queue function) the parameters which we want to observe are "wq_head", "wq_entry" and for exit wait.c:52 breakpoint will be set. Their callback function is [dump_binder_thread ](https://github.com/cloudfuzz/android-kernel-exploitation/blob/d408cc833df175c2410c2a0ef35cc27c23b80f3e/gdb/dynamic-analysis.py#L42).These breakpoints will show what happens before and after the unlink operation.
 
 7. launch adb shell and run the trigger PoC