Solution flow (basically the same as addrop solution):
* Predict key due to time-based seeding
* Use an xor-what-where gadget to change the key global to one that undoes all of the "encryption"
* ROP back to GOT-stomping loop to undo libc pointer "encryption"
* Re-open fd 1 to leak a libc address
* Write "/bin/sh" to the key global (using the same xor-what-where gadget)
* ROP again to call system("/bin/sh")