We’re back now with Part 3 of this series on cracking CMU’s Bomblab using Angr! If you are new, I would recommend starting with Part 1 here.

### Phase 3

If you went through what we did for Phase 2, the idea behind Phase 3 is very similar.

Start again by creating a function stub for phase 3:

Let’s see the disassembly for Phase 3:

We see a sscanf call, which reads formatted input from a string. This is probably what parses the arguments out of the line returned by the previous read_line call, since rdi (the input string) is not modified before sscanf is called. Let’s check out the format string that was passed in:

Cool, so two integers. We can follow more or less the same format as in Phase 2 by pushing these two values onto the stack. We define the start address to be the instruction after the sscanf call:

There is one major difference, though. In Phase 2, our arguments sat at the bottom of the stack (starting at rsp), so we could simply push them onto the stack. In this case, however, we see a stack frame of 0x18 bytes from line 3 of the disassembly, but the addresses of the two arguments populated by sscanf are rsp + 0xc and rsp + 0x8 respectively. This means that after pushing the two values we need an additional 8 bytes of padding below them, so that rsp ends up where the function expects it:

Let’s set our find condition to be right before the ret, and avoid to be explode_bomb as usual, and then copy and paste what we had for Phase 2 to extract the solution:
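Putting those steps together, here is an added example script that is not the post's own code. Instead of pushing values, it writes the two symbolic 32-bit ints directly at rsp + 0xc and rsp + 0x8 (the offsets given above), which makes the padding reasoning explicit: `stack_layout` walks the 0x18-byte frame and reports exactly which byte ranges are arguments and which are padding. The start, find and avoid addresses are placeholders you must read from your own bomb's disassembly, and setting rax to the number of parsed fields (what a real sscanf would have returned) is my assumption, not something the post does.

```python
"""Added example (not the post's own script): seed a Bomblab phase's stack with
symbolic sscanf outputs at explicit offsets and let angr find the answer."""

# Frame layout from the post: sub rsp, 0x18; sscanf writes %d values to
# rsp+0xc and rsp+0x8.  The three addresses are placeholders, not real values.
FRAME_SIZE = 0x18
ARG_OFFSETS = {"a": 0xC, "b": 0x8}      # name -> offset from rsp, as in the post
ARG_ORDER = ("a", "b")                  # order sscanf fills them ("%d %d")
START_ADDR = 0xDEADBEEF                 # placeholder: instruction after call sscanf
FIND_ADDR = 0xDEADBEEF                  # placeholder: instruction right before ret
AVOID_ADDRS = [0xDEADBEEF]              # placeholder: explode_bomb


def stack_layout(frame_size, arg_offsets, arg_bytes=4):
    """Walk the frame from rsp+frame_size down to rsp and return
    (offset, label, size) entries in descending address order (the order you
    would push them).  Every byte range no argument covers becomes a 'pad'
    entry, so the 8 bytes below the lowest argument show up explicitly."""
    ordered = sorted(arg_offsets.items(), key=lambda kv: kv[1], reverse=True)
    layout = []
    cursor = frame_size                  # next unassigned byte, counting down
    for name, off in ordered:
        top = off + arg_bytes
        if top > cursor:
            raise ValueError(f"{name} at {off:#x} overlaps the previous entry")
        if top < cursor:                 # gap above this argument
            layout.append((top, "pad", cursor - top))
        layout.append((off, name, arg_bytes))
        cursor = off
    if cursor > 0:                       # gap between rsp and the lowest argument
        layout.append((0, "pad", cursor))
    return layout


def to_signed32(value):
    """sscanf's %d stores a signed int; angr reports the raw 32-bit pattern."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def format_answer(values, order=ARG_ORDER):
    """Render the solved ints as the line you would type into the bomb."""
    return " ".join(str(values[name]) for name in order)


def solve_phase(binary, start=START_ADDR, find=FIND_ADDR, avoid=AVOID_ADDRS,
                arg_offsets=ARG_OFFSETS, order=ARG_ORDER):
    """Run angr from just after the sscanf call with symbolic arguments already
    in place.  Returns the answer string, or None if no path reached `find`."""
    import angr      # imported here so the layout helpers run without angr installed
    import claripy

    proj = angr.Project(binary, auto_load_libs=False)
    state = proj.factory.blank_state(addr=start)

    # rsp in a blank state already plays the role of "rsp after sub rsp, 0x18";
    # the ret at the end reads the slot above the frame, which we never reach
    # because `find` stops right before it.
    syms = {}
    for name, off in arg_offsets.items():
        syms[name] = claripy.BVS(name, 32)
        state.memory.store(state.regs.rsp + off, syms[name],
                           endness=proj.arch.memory_endness)

    # Assumption: the phase checks sscanf's return value right after the call,
    # so pretend sscanf parsed every field (a real sscanf would return this).
    state.regs.rax = len(arg_offsets)

    simgr = proj.factory.simulation_manager(state)
    simgr.explore(find=find, avoid=avoid)
    if not simgr.found:
        return None
    found = simgr.found[0]
    values = {name: to_signed32(found.solver.eval(sym)) for name, sym in syms.items()}
    return format_answer(values, order)


if __name__ == "__main__":
    for off, label, size in stack_layout(FRAME_SIZE, ARG_OFFSETS):
        print(f"rsp+{off:#04x}: {label:<4} ({size} bytes)")
    # print(solve_phase("./bomb"))   # uncomment once the placeholder addresses are filled in
```

The bottom `pad` entry the layout prints is the 8 bytes of padding the post describes; the top entry is slack between the arguments and the saved return address that a push-based setup never touches. Because the script starts after the sscanf call, the real sscanf never runs, so every constraint angr collects comes from the comparisons in the phase itself.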

### Full Solution Script

Let’s try running it:

Now using the solution on the actual bomb:

Nice, it worked, and this was pretty fast too given how similar it was to Phase 2! You can continue to Part 4 here.