diff --git a/chaos-rop/README.md b/chaos-rop/README.md
new file mode 100644
index 0000000..ae89ef7
--- /dev/null
+++ b/chaos-rop/README.md
@@ -0,0 +1,11 @@
+# ROP
+### 描述:
+* GeruzoniAnsasu给他的学弟讲解了一下rop是什么之后,学弟问到,程序代码全都写成rop的形式会是什么样?答:混沌邪恶。
+* 基本上主要操作都是push push push ret 完成的……输入正确的key之后会依次跳到几个加解密的代码段,跳的地址跟上一段加解密结果有关,最后跳到正确的地址后会将flagiswhatthefuck?改为flagiswhatyouwant
+
+
+* 这里的代码是批量出的某个版本。。而且源码部分已经部分打乱了,最初的顺序写的代码不知道被我改了什么东西编译不了了orz将就吧,反正哪个版本都看不懂的
+
+* sample10是我自己尝试逆的另一个版本,到第二个跳rbx的地方发现不给提示没法猜原数据……orz好吧我承认这个东西确实就是写来让人做不了的,不过本意并不是逻辑意义上的做不了
+ * [*][c][t][f][_][f][+][+][+][+]打*号的位是不固定的(不过也没人发现)打+号的位置不影响跳转地址,但会因aesenc加密后不符导致最后不会显示flag正确的提示,如果真要逆这几位的话……别想了不可能逆得了的
+* 程序总共有5段aesenc顺序和数据全对才能提示正确 gg,没法做
diff --git a/chaos-rop/callee.c b/chaos-rop/callee.c
new file mode 100644
index 0000000..8e10730
--- /dev/null
+++ b/chaos-rop/callee.c
@@ -0,0 +1,135 @@
+//callee.c
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+ssize_t read(int fd, void *buf, size_t count);
+ssize_t write(int fd, const void *buf, size_t count);
+extern char * _extern;
+extern char* _extern_end;
+char flgsz[128] = {"\nflag:hctf{Ye4h_u_g0"};
+char fakesz[128] = {"什么的……当然是假的啦!"};
+
+//tmp
+extern char * FAKE_J1;
+extern char * FAKE_J2;
+extern char * FAKE_J3;
+extern char * FAKE_J4;
+extern char * FAKE_J5;
+extern char * FAKE_J6;
+extern char * FAKE_J7;
+extern char * FAKE_J8;
+extern char * FAKE_J9;
+extern char * FAKE_J10;
+extern char * FAKE_J11;
+extern char * FAKE_J12;
+
+void XOR(char *s1,char *s2,unsigned int len)
+{
+ unsigned int i=0;
+ for(i=0;iselect jmp pos
+_ss:
+ s1 db "Hello :)",0xa,0x0
+ s2 db "菊苣们好·-·",0xa,0x0
+ s3 db "皆さんごきげんようovo",0xa,0x0
+ s4 db "안녕하세요:)",0x0a,0x0
+ len equ $ - s1
+_realstart:
+ xor rdi,rdi
+ inc rdi
+ dec r14;clear jmp table flag
+ push rdi
+ push s4+3
+ push len
+ push POP_RDX
+ push s1
+ push POP_RSI
+ ret
+ db 0xeb
+_c1:; first time to call write
+ ;sub rsp 8
+ call [ext_write]
+ push s4+3
+ push 1
+ push POP_R15
+ ret
+ db 0xeb
+_out3:
+ push _out4
+ push vMagicStr
+ push POP_RCX
+ push ADD_RAX_RCX
+ push MOV_SELF_RAX
+ push vMagicStr
+ push POP_RAX
+ push rax
+ push POP_RCX
+ ret
+ db 0xeb
+_EXIT:
+ pop rax
+ xor rbx,rbx
+ int 0x80
+_read_input:
+ cmp r14,1
+ jz l1;from jmp table r14 should be 1
+buff_all:
+ times 1023 db 0x0;can be anything,but size is 256
+ db 0
+l1:;read input to buffall
+ dec r14
+ push l2;continue to l2
+ push qword[ext_read]
+ push 0
+ push POP_RDI
+ push buff_all
+ push POP_RSI
+ push 1024
+ push POP_RDX
+ ret
+ FAKE_J2:
+ db 0xeb
+JMP_RAX:
+ jmp rax
+ ret
+FAKE_J3:
+ db 0xeb
+SUB_RAX_16:
+ sub rax,16
+ ret
+l2:
+ ;rsi --> buff
+ push MOV_SELF_RAX
+ push rsi
+ inc rsi
+ push POP_RAX
+ push 3
+ push CALL_HELPER9
+ call [rsp]
+entry1:
+ add r15,1;read_input / entry1_c
+ jmp s4+3
+;call return to here
+hhh:
+ mov rbx,entry1
+ mov rcx,0x3732363034393931;19940627
+ mov rdx,0x62d762d762d762d7
+ xor rax,rcx
+ shr rax,5
+ xor rax,rdx
+ movzx r12,al ; r12 --> times of sections --> 5
+ shr rax,8
+l4:;main loop
+ inc rsi; point to secion data start
+ cmp r12,0
+ jg l3
+;here out
+_out:
+ push _out1
+ push MOV_SELF_RAX
+ push buff1
+ push POP_RAX
+ ret
+ db 0xeb
+l3:
+ dec r12
+ movzx r13,al; r13 --> len of section -->8 for first
+ test r14,r14
+ jz l5
+ align 128
+buff1:
+ times 0xff db 0xcc
+FAKE_J5:
+ db 0xeb
+POP_RDI:
+ pop rdi
+ ret
+_out1:
+ push _out2
+ push rax
+ push POP_RCX
+ ret
+FAKE_J6:
+ db 0xeb
+POP_RSI:
+ pop rsi
+ ret
+l6:
+ inc r15
+ call rbx
+ push l4; jmp l4
+ push MOV_SELF_RAX
+ push rsi; this rsi must be original
+ push POP_RAX
+ ret
+ FAKE_J7:
+ db 0xeb
+POP_RDX:
+ pop rdx
+ ret
+FAKE_J8:
+ db 0xeb
+POP_RCX:
+ pop rcx
+ ret
+l8:
+ mov ebx,eax
+ ;call rcx ;go out --> entry2
+ pop rsi
+ push _sub
+ push rsi; rsi --> beg of buff_all
+ push POP_RAX
+ push (l1-1);rdi --> endof buff_all
+ push POP_RDI
+ ret
+ showstr db "fl"
+ db "agiswhat"
+ vMagicStr db "thefuck?",0 ; thefuck? --> youinput
+FAKE_J9:
+ db 0xeb
+POP_R15:
+ pop r15
+ ret
+FAKE_J10:
+ db 0xeb
+ADD_RSI_R13:
+ add rsi,r13
+ ret
+l5:
+;copy data to buff1
+ push l6
+ push ADD_RSI_R13
+ push qword[ext_memcpy];memcpy(buff1,rsi,r13_len)
+ push r13
+ push POP_RDX
+ push buff1
+ push POP_RDI
+ ret
+ FAKE_J4:
+ db 0xeb
+POP_RAX:
+ pop rax
+ ret
+;entry1:
+; add r15,1;read_input / entry1_c
+; jmp s4+3
+entry1_c:
+ dec r14
+ push rsi ;save rsi
+ push l7
+ push qword[ext_XOR]
+ push buff1
+ push POP_RDI
+ push $-3;self locating || may be entry2?
+ push POP_RSI
+ push r13
+ push POP_RDX
+ ret
+FAKE_J11:
+ db 0xeb
+ADD_RAX_RCX:
+ add rax,rcx
+ ret
+FAKE_J12:
+ db 0xeb
+XOR_RAX_RCX:
+ xor rax,rcx
+ ret
+entry2_c:
+ dec r14
+ movaps xmm2,[rdi];save part1
+ ;AESENC xmm1,xmm2;buff1
+ movzx rcx, byte[buff1]
+ lea rcx, [rcx*8] ; must be 4*8
+ push l9
+ push MOV_SELF_RAX
+ push ADD_RAX_RCX
+ ret
+ db 0xeb
+sj5:
+ xor r15, r15
+ jmp entry3
+POP_RBX:
+ pop rbx
+ ret
+l7:
+ movaps xmm1,[buff1] ;AES KEY 0x3f6709877f3f661c
+ ;AESENC xmm1,xmm2
+ ;inc r15;r15=1+2 --> entry2 --> entry2_c
+ push l8
+ push XOR_RAX_RCX
+ push MOV_SELF_RAX
+ push buff1
+ push POP_RAX
+ ;magic equ (0x3f6709877f3f661c)^(entry2-$$)
+ ;%assign magic $^FAKE_J1
+ push vMagic1 ; entry2 --> entry2_c = entry2 ^ 0x7f3f661c
+ ;push $$
+ push POP_RCX
+ ret
+ db 0xeb
+_out2:
+ mov rax,vFinalL
+ xor rax,rcx
+ test rax,rax
+ jnz _EXIT;wrong,can't see any change
+ mov rcx,vFinalH
+ push _out3
+ push XOR_RAX_RCX
+ push MOV_SELF_RAX
+ push buff1+8
+ push POP_RAX
+ ret
+ db 0xeb
+entry2:
+ add r15,2
+ jmp s4+3
+_sub:
+ sub byte[rax], 0x30
+ inc rax
+ cmp rdi,rax
+ jne _sub
+ ret
+ db 0xeb
+sj4:
+ xor r15, r15
+ jmp entry2_c
+l10:
+ mov ebx,eax
+ ret
+ db 0xe8
+entry4:
+ movaps xmm3,[rdi];save part3
+ AESENC xmm1,xmm0
+ ;AESENC xmm1,xmm3
+ pxor xmm0,xmm2
+ pxor xmm0,xmm3
+ pxor xmm0,[rdi+128]
+ movaps [rdi],xmm0
+ push l10
+ push XOR_RAX_RCX
+ push vMagic2;magic2 --> entry5
+ push POP_RCX
+ push MOV_SELF_RAX
+ push rdi
+ push POP_RAX
+ ret
+ db 0xeb
+sj3:
+ xor r15, r15
+ jmp entry1_c
+sj1:
+ xor r15, r15
+ jmp _c1
+JMPTABLE:
+ dq sj1
+ dq sj2
+ dq sj3
+ dq sj4
+ dq sj5
+entry5:
+ AESENC xmm1,xmm3
+ AESENC xmm1,[rdi]
+ movaps [rdi],xmm1
+ ret
+l9:
+ push buff1
+ push POP_RDI
+ push rax
+ push POP_RBX
+ ret
+ db 0xeb
+sj2:
+ xor r15, r15
+ jmp _read_input
+ db 0xeb
+_out4:
+ mov [rcx],rax
+ push _EXIT
+ push qword[ext_puts]
+ push showstr
+ push POP_RDI
+ ret
diff --git a/chaos-rop/rop.o b/chaos-rop/rop.o
new file mode 100644
index 0000000..33366ff
Binary files /dev/null and b/chaos-rop/rop.o differ
diff --git a/chaos-rop/sample10 b/chaos-rop/sample10
new file mode 100755
index 0000000..50e1c81
Binary files /dev/null and b/chaos-rop/sample10 differ
diff --git a/chaos-rop/sample10.i64 b/chaos-rop/sample10.i64
new file mode 100755
index 0000000..6d39610
Binary files /dev/null and b/chaos-rop/sample10.i64 differ
diff --git a/chaos-rop/test b/chaos-rop/test
new file mode 100755
index 0000000..68954e2
Binary files /dev/null and b/chaos-rop/test differ