diff --git a/rex/exploit/techniques/ret2libc.py b/rex/exploit/techniques/ret2libc.py
index 97171e5..bf32ef9 100644
--- a/rex/exploit/techniques/ret2libc.py
+++ b/rex/exploit/techniques/ret2libc.py
@@ -108,8 +108,9 @@ def _write_cmd_str(self, cmd_str):
 
         # add constraints
         l.debug("Applying all the constraints, fingers crossed...")
-        chain_mem = self.crash.state.memory.load(chain_addr, len(chain.payload_str()))
-        chain_bvv = self.crash.state.solver.BVV(chain.payload_str())
+        payload = chain.payload_str(timeout=len(chain._values)*2)
+        chain_mem = self.crash.state.memory.load(chain_addr, len(payload))
+        chain_bvv = self.crash.state.solver.BVV(payload)
         self.crash.state.add_constraints(chain_mem == chain_bvv)
 
         # windup
@@ -131,14 +132,16 @@ def _invoke_system(self, system_addr, cmd_addr):
 
             # add the constraint to the state that the chain must exist at the address
             chain_mem = self.crash.state.memory.load(chain_addr, chain.payload_len)
-            self.crash.state.add_constraints(chain_mem == self.crash.state.solver.BVV(chain.payload_str()))
+            payload = chain.payload_str(timeout=len(chain._values)*2)
+            self.crash.state.add_constraints(chain_mem == self.crash.state.solver.BVV(payload))
             return
 
         # mips does some weird shit, we need to handle it separately
         chain = self.libc_rop.set_regs(a0=cmd_addr)
         chain, chain_addr = self._ip_overwrite_with_chain(chain, state=self.crash.state, rop=self.libc_rop)
         chain_mem = self.crash.state.memory.load(chain_addr, chain.payload_len)
-        self.crash.state.add_constraints(chain_mem == self.crash.state.solver.BVV(chain.payload_str()))
+        payload = chain.payload_str(timeout=len(chain._values)*2)
+        self.crash.state.add_constraints(chain_mem == self.crash.state.solver.BVV(payload))
         self._windup_to_unconstrained_successor()
 
         # list all potential JOP gadgets
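Review bot: The solver timeout on the new `payload = chain.payload_str(timeout=len(chain._values)*2)` line is computed from `chain._values`, an underscore-prefixed attribute of the chain object, and the identical expression is repeated twice more in the `_invoke_system` hunk below. Reading a private field couples this module to the chain's internals and will break when that field is renamed, and the `*2` factor is an unexplained tuning constant. I would compute it once in a small private helper and call it from all three sites, e.g. `def _chain_solve_timeout(chain): return len(chain._values) * 2  # seconds; ~2s per chain value, tune if solves time out`, so the heuristic has one home and one comment. If `payload_str` raises when the timeout elapses, that exception now propagates out of `_write_cmd_str` unhandled; presumably that is intended, but a one-line comment saying so would save the next reader a lookup. `_write_cmd_str` begins and ends outside the hunk.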
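Review bot: In both changed sites of `_invoke_system` the memory read still uses `chain.payload_len` while the bitvector it is compared against is now built from `payload`, whereas the `_write_cmd_str` hunk above sizes both from `len(payload)`. If the two lengths ever differ the `chain_mem == BVV(payload)` constraint is built from bitvectors of different widths, which claripy rejects with an operation error rather than a meaningful failure. For consistency with the first hunk I would move the `payload = ...` line above the load and size the load from it in the early-return branch and the mips branch alike: `chain_mem = self.crash.state.memory.load(chain_addr, len(payload))`. `_invoke_system` begins before the hunk and continues after it.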