diff --git a/img/11.png b/img/11.png
new file mode 100644
index 0000000..48b0645
Binary files /dev/null and b/img/11.png differ
diff --git a/img/12.png b/img/12.png
new file mode 100644
index 0000000..c886f48
Binary files /dev/null and b/img/12.png differ
diff --git a/img/13.png b/img/13.png
new file mode 100644
index 0000000..1adfbe8
Binary files /dev/null and b/img/13.png differ
diff --git a/zy-极验滑快/2.极验滑块 跟W值1.md b/zy-极验滑快/2.极验滑块 跟W值1.md
index 41b743b..40e87af 100644
--- a/zy-极验滑快/2.极验滑块 跟W值1.md	
+++ b/zy-极验滑快/2.极验滑块 跟W值1.md	
@@ -12,4 +12,12 @@
 
 ![debugger](../img/10.png)
 
+继续跟踪栈,发现是 w 存在 o 中
 
+![debugger](../img/11.png)
+
+最后找到 w 赋值的位置
+
+![debugger](../img/12.png)
+
+这里的 "\u0077" 是特征码，记录下来
diff --git a/zy-极验滑快/3.极验滑块 跟W值2.md b/zy-极验滑快/3.极验滑块 跟W值2.md
new file mode 100644
index 0000000..1981e08
--- /dev/null
+++ b/zy-极验滑快/3.极验滑块 跟W值2.md	
@@ -0,0 +1,11 @@
+## 发现 w 生成代码
+
+    var u = r[$_CAGEe(750)]()
+    , l = V[$_CAGEe(342)](gt[$_CAGEe(209)](o), r[$_CAGEe(742)]())
+    , h = m[$_CAGEe(733)](l)
+
+## 先调试 u 变量，给每行代码打上断点
+
+![debugger](../img/13.png)
+
+这里有个知识点 256 ，我们的字节码 0-255， 一共就256个，一般256模值
\ No newline at end of file