[chatmasta]

They mention that PH had a custom compiled PHP and that's why they couldn't get the address of the function they wanted to call for evaluating code.

My understanding is that ROP gadgets are a separate issue. Basically you want to find a function that compiles to assembly instructions resembling the ones you need to move the stack pointer to your desired location. Testing this locally shouldn't be a problem, because functions across builds will compile to the same assembly instructions (even if their headers have different load addresses).

Again, that's my understanding - I have a very vague grasp of this stuff.