Welcome back to Part 4 of cracking CMU’s Bomblab using Angr! If you just stumbled upon this, I would recommend starting with part 1 here.

### Phase 4

Let’s disassemble Phase 4:

The sscanf call and the call to func4 are interesting. Let’s check out func4 first:

I was so happy when I saw this. There is no input expected at all, and everything is self-contained, so we could basically ignore this whole function.

Let’s see the format string for sscanf again to see what’s expected of us:

Wow, another 2 integers? They are surely making our life very easy. In fact, even the stack offsets that sscanf extracts its arguments to are the same as in Phase 3: 0x8 and 0xc from the stack base.

We can literally re-use the same exploit script as Phase 3, except we need to change the start address and the find address accordingly.
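A sketch of that approach as an added example (not the author's script, which is not reproduced on this page): start symbolic execution just after the sscanf call, place two symbolic 32-bit integers at offsets 0x8 and 0xc, and ask Angr for a path to the find address. The three addresses are placeholders to be filled in from the disassembly; the names `solve_phase`, `format_answer` and `to_signed32`, the use of `rsp` as the stack base, the `./bomb` path, and the signed-decimal answer format are assumptions.

```python
import struct

# Placeholders: the real addresses come from the disassembly, which is not on this page.
START_ADDR = 0x0   # hypothetical: instruction right after the sscanf call in phase_4
FIND_ADDR = 0x0    # hypothetical: the point where phase_4 returns normally
AVOID_ADDR = 0x0   # hypothetical: explode_bomb


def to_signed32(value):
    """The solver returns unsigned Python ints; a %d-style answer needs signed decimals."""
    return struct.unpack("<i", struct.pack("<I", value & 0xFFFFFFFF))[0]


def format_answer(raw_a, raw_b):
    """Turn two solved 32-bit values into the line typed at the bomb prompt."""
    return f"{to_signed32(raw_a)} {to_signed32(raw_b)}"


def solve_phase(binary_path, start, find, avoid):
    import angr      # imported lazily so the helpers above work without angr installed
    import claripy

    proj = angr.Project(binary_path, auto_load_libs=False)
    state = proj.factory.blank_state(addr=start)

    # The two integers sscanf would have written, made symbolic instead.
    a = claripy.BVS("a", 32)
    b = claripy.BVS("b", 32)
    endness = proj.arch.memory_endness
    # Assumption: the "stack base" is rsp at the start address.
    state.memory.store(state.regs.rsp + 0x8, a, endness=endness)
    state.memory.store(state.regs.rsp + 0xC, b, endness=endness)
    # Assumption: the phase checks sscanf's return value, so report 2 parsed items.
    state.regs.rax = 2

    simgr = proj.factory.simulation_manager(state)
    simgr.explore(find=find, avoid=avoid)
    if not simgr.found:
        return None   # no path reached `find`; re-check the three addresses
    found = simgr.found[0]
    return format_answer(found.solver.eval(a), found.solver.eval(b))


if __name__ == "__main__":
    print(solve_phase("./bomb", START_ADDR, FIND_ADDR, AVOID_ADDR))
```

`solver.eval` returns one satisfying value per variable; if the phase accepts several answers, `solver.eval_upto` on the found state lists more of them.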

### Full Solution Script

If we run it, we get the following:

Trying it on the bomb itself:

Easy peasy lemon squeezy! This took basically no effort at all. You can continue on to Part 5 here.