Update README.md
ionescu007 authored Jul 28, 2018
1 parent ee4607b commit 92b0037
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -40,7 +40,7 @@ In such an environment, it was clear that a simple tool which can be used as an

![Diagram](r0ak-archdiag.png)

r0ak works by redirecting the execution flow of the window manager's trusted font validation checks when attempting to load a new font, by replacing the trusted font table's comparator routine with an alternate function which schedules an executive work item (`WORK_QUEUE_ITEM`) stored in a named pipe's write buffer (`NP_DATA_ENTRY`) -- the underlying worker function and its parameter are what will eventually be executed by a dedicated `ExpWorkerThread` at `PASSIVE_LEVEL`. An real-time Event Tracing for Windows (ETW) trace event is used to receive an asynchronous notification that the work item has finished executing, which makes it safe to tear down the structures, free the kernel-mode buffers, and restore normal operation.
r0ak works by redirecting the execution flow of the window manager's trusted font validation checks when attempting to load a new font, by replacing the trusted font table's comparator routine with an alternate function which schedules an executive work item (`WORK_QUEUE_ITEM`) stored in the input node. Then, the trusted font table's right child (which serves as the root node) is overwritten with a named pipe's write buffer (`NP_DATA_ENTRY`) in which a custom work item is stored. This item's underlying worker function and its parameter are what will eventually be executed by a dedicated `ExpWorkerThread` at `PASSIVE_LEVEL` once a font load is attempted and the comparator routine executes, receiving the name pipe-backed parent node as its input. A real-time Event Tracing for Windows (ETW) trace event is used to receive an asynchronous notification that the work item has finished executing, which makes it safe to tear down the structures, free the kernel-mode buffers, and restore normal operation.

#### Supported Commands

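Review bot: the replacement paragraph reads "receiving the name pipe-backed parent node as its input"; this should be "named pipe-backed", matching "a named pipe's write buffer (`NP_DATA_ENTRY`)" earlier in the same sentence. The new wording also introduces two work items without saying whether they are the same object: the comparator "schedules an executive work item (`WORK_QUEUE_ITEM`) stored in the input node", and then "a custom work item is stored" in the `NP_DATA_ENTRY` that overwrites the right child. If the input node handed to the comparator is that named pipe-backed node, one sentence saying so (e.g. "the `WORK_QUEUE_ITEM` embedded in that `NP_DATA_ENTRY`") would make the control flow unambiguous for readers of the diagram above. The change from "An real-time" to "A real-time" is a correct fix.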
0 comments on commit 92b0037