diff --git a/poc/vuln-1.poc b/poc/vuln-1.poc
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..eba4958dc48bffaf58c6b5738680c0efebd5f4f8 100644
--- a/poc/vuln-1.poc
+++ b/poc/vuln-1.poc
@@ -0,0 +1,2 @@
+push 5
+store aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
\ No newline at end of file
diff --git a/poc/vuln-2.poc b/poc/vuln-2.poc
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..0724af2cbbe79f5962158ba33c8573ce36b6c9c1 100644
--- a/poc/vuln-2.poc
+++ b/poc/vuln-2.poc
@@ -0,0 +1,3 @@
+push 5
++
+print
\ No newline at end of file
diff --git a/poc/vuln-3.poc b/poc/vuln-3.poc
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..9898eb7de370b2ac97e89c694ece7da2673b8e73 100644
--- a/poc/vuln-3.poc
+++ b/poc/vuln-3.poc
@@ -0,0 +1,4 @@
+push 5
+store a
+load a
+print
\ No newline at end of file
diff --git a/poc/vuln-4.poc b/poc/vuln-4.poc
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..51b30b943cb3bb079d11645880e42f786d3b263f 100644
--- a/poc/vuln-4.poc
+++ b/poc/vuln-4.poc
@@ -0,0 +1,3 @@
+push 5
+-
+print
\ No newline at end of file
diff --git a/poc/vuln-5.poc b/poc/vuln-5.poc
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..5bd0e4a5890db12d49db6a3f531479729e2345fb 100644
--- a/poc/vuln-5.poc
+++ b/poc/vuln-5.poc
@@ -0,0 +1,4 @@
+push 5
+store a
+remove a
+list
\ No newline at end of file
diff --git a/src/vuln-1/dc.c b/src/vuln-1/dc.c
index 63fb7f4f14026c24db10a6f63d0638e7b8c72a57..9aecf119d69aec191fddc6c4556fe3df730b0a30 100644
--- a/src/vuln-1/dc.c
+++ b/src/vuln-1/dc.c
@@ -72,7 +72,10 @@ static void node_print(const node_t *p){
 static node_t *node_new(const char *varname, const value_t value){
   node_t *new = malloc(sizeof(node_t));
   assert(new != NULL && "new: malloc failed");
-  new->varname = strdup(varname);
+  //new->varname = strdup(varname);
+  //vuln-1
+  new->varname = (char *)malloc(1015 * sizeof(char));
+  strcpy(new->varname, varname);
   assert(new->varname != NULL && "new: strdup varname failed");
   new->value = value;
   new->left = NULL;
@@ -109,7 +112,7 @@ static node_t * node_insert(node_t *p, node_t *q){
   node_t ** new = NULL;
   node_t * const start = p;
   while (new == NULL) {
-    int ret = strcmp(q->varname,p->varname);
+    int ret = strcmp(q->varname,p->varname);//exchange p and q
     if (ret == 0){
       assert (q->left == NULL && q->right == NULL && "illegal insertion");
       /* edit the node in place */
@@ -146,8 +149,7 @@ static void destroy(node_t *p){
     node_t * left = p->left;
     node_t * const right = p->right;
     left = node_insert(left,right);
-    //node_free(p);
-    free(p);
+    node_free(p);
     p = left;
   }
 }
diff --git a/src/vuln-2/dc.c b/src/vuln-2/dc.c
index ed843fe033476050bf8e8acb6775def110d16ad4..bc2abf164b7a9fe4236d41712f3d81d6bc4f7bec 100644
--- a/src/vuln-2/dc.c
+++ b/src/vuln-2/dc.c
@@ -74,10 +74,6 @@ static node_t *node_new(const char *varname, const value_t value){
   assert(new != NULL && "new: malloc failed");
   new->varname = strdup(varname);
   assert(new->varname != NULL && "new: strdup varname failed");
-  /***********/
-  new->varname = (char *)malloc (1002*sizeof(char));
-  strcpy(new->varname, varname);
- /*********/
   new->value = value;
   new->left = NULL;
   new->right = NULL;
@@ -477,7 +473,8 @@ static int execute(void){
       return -1;
     }
     
-    if (stack_size() < 2){
+	//vuln-2
+    if (stack_size() < 1){
       debug_printf("Add from insufficient stack\n");
       return -1;
     }
diff --git a/src/vuln-3/dc.c b/src/vuln-3/dc.c
index 1a47cd0184a07c58217bc2df7304aa3e0d606b5e..0d9795a06dfc5cb6cdd6056ba7d7bc0b563d2d95 100644
--- a/src/vuln-3/dc.c
+++ b/src/vuln-3/dc.c
@@ -429,8 +429,10 @@ int save_levelorder(const node_t *p,
 
 /* returns 0 on successful execution of the instruction in inst */
 static int execute(void){
-  char * toks[4]; /* these are pointers to start of different tokens */
-  const unsigned int numToks = tokenise(inst,toks,4);
+
+	/*---- vuln3 ----*/
+  char * toks[2]; /* these are pointers to start of different tokens */
+  const unsigned int numToks = tokenise(inst,toks,2);
     
   if (numToks == 0){
     /* blank line */
@@ -443,7 +445,9 @@ static int execute(void){
       return -1;
     }
     debug_printf("Looking up: %s\n",toks[1]);
-    const node_t *p = lookup(map,toks[1]);
+
+	/*---- vuln3 ----*/
+    const node_t *p = lookup(map,toks[2]);
     if (p != NULL){
       if (stack_full()){
         debug_printf("Trying to load onto full stack\n");
diff --git a/src/vuln-4/dc.c b/src/vuln-4/dc.c
index 1a47cd0184a07c58217bc2df7304aa3e0d606b5e..a7421ab40b1edc5948ca8a68b385724aa45c7cfe 100644
--- a/src/vuln-4/dc.c
+++ b/src/vuln-4/dc.c
@@ -182,7 +182,7 @@ static node_t * rem(node_t *p, const char *varname){
   return start; // not found
 }
 
-const char WHITESPACE[] = " \t\r\n";
+const char WHITESPACE[] = " \r\n";
 
 
 /* tokenise a string, splitting on characters in WHITESPACE, up to
@@ -488,7 +488,8 @@ static int execute(void){
       return -1;
     }
     
-    if (stack_size() < 2){
+	/*---- vuln4 ----*/
+    if (stack_size() == 0){
       debug_printf("Sub from insufficient stack\n");
       return -1;
     }
diff --git a/src/vuln-5/dc.c b/src/vuln-5/dc.c
index 1a47cd0184a07c58217bc2df7304aa3e0d606b5e..de84ea6c472c352e21abfa4eea2dac1c4a9ca60b 100644
--- a/src/vuln-5/dc.c
+++ b/src/vuln-5/dc.c
@@ -429,8 +429,10 @@ int save_levelorder(const node_t *p,
 
 /* returns 0 on successful execution of the instruction in inst */
 static int execute(void){
-  char * toks[4]; /* these are pointers to start of different tokens */
-  const unsigned int numToks = tokenise(inst,toks,4);
+
+	/*---- vuln5 ----*/
+  char * toks[2]; /* these are pointers to start of different tokens */
+  const unsigned int numToks = tokenise(inst,toks,2);
     
   if (numToks == 0){
     /* blank line */
@@ -566,7 +568,9 @@ static int execute(void){
       return -1;
     }
     debug_printf("Removing: %s\n",toks[1]);
-    map = rem(map,toks[1]);
+
+	/*---- vuln5 ----*/
+    map = rem(map,toks[2]);
     
   } else if (strcmp(toks[0],INSTRUCTION_SAVE) == 0){
     if (numToks != 2){