/* No speaking simultaneous interpretation is available , however, we try to show the slides in both english & japanese as much as we can. */

/* [en] means English speaker, [ja] means Japanese speaker. */

[ja] Nmap's 9 of truth (I don't already have anything to say.)


Nmap has nine of truth that are not known yet maybe. Eight of hidden

options and one of the malware detection capability. I would like to

introduce you how to use these ability.


I'm a Security engineer who like tequila just a little bit.

[en]Advanced Mobile Devices Analysis using JTAG and Chip-off

Captain Kelvin

Forensics analysis on mobile devices is becoming much complicated as the developers in their attempts to preventing data leakage by OS based protection or data encryption. It is a significant challenge to the forensics examiners and investigators. Although the digital forensics venders provide latest and newest forensics applications for the ease of analysis, these are often limited to logical based approach or work under a simple assumption that the device is ready for analysis. To deal with the physical acquisition, apart from the unofficial ‘Root’ and ‘Jail Break’, JTAG and Chip-off are the alternated approaches to solve the problem. Also it is an effective way if the device is locked or physical damaged.

This talk will demonstrate how to acquire physical images from android based and Window based operation system. The first example shows android phones being locked by a pattern lock and password protected while the USB debugging function was set to ‘DISABLE’; along with a Windows phone acquired using JTAG connection. In the second example, an eMMC chip on android phone will be removed for physical acquisition..

Captain Kelvin:

Captain is an independent researcher in VXRL. He has over 10 years experiences in digital forensics and investigation and started his researches since 2002. He was the first Asian who gave speeches in HTCIA US, SANS DFIR Summit and Digital Forensics Research Workshop Europe (DFRWS EU), and spoke at some industrial well-known conferences such as DEFCON, HITCON, AvTokyo, VXCON and APWG. The topics cover DDoS Investigation, Network Forensics, Mac Memory Forensics and Investigation & Intelligence Framework. Besides, he was one of the authors of famous media: Digital Forensics Magazine and Forensics Focus.

[ja] Analyzing of malicious Java Script

Kazuki Takada

The JavaScript used in 2016 by two major banking Trojan horses to attack online banking websites were found to be almost identical. I will describe the behavior of malicious JavaScript based on my analysis of a forty thousand line JavaScript. I will also describe the advanced feature of the malicious Javascript that was used to hide the web injection information within the DOM object..

Kazuki Takada:

SecureBrain Corporation, Software Engineer and Security Reseacher.

[ja] Game Hacking -- Is IL2CPP So Secure?


This talk is divided into 3 parts.

Firstly, an overview of common mobile game hacking skills and their countermeasures will be introduced. This part includes both iOS and Android platform games and the popular game engine Unity3D will be mainly discussed.

In the second part, I will show an in-depth hacking technique to defeat one of the countermeasures discussed in the previous part. As most game hackers may know, if you use IL2CPP to compile an Unity game, all the strings used in your original source code will be stored separately in another file so that you are not able to find any strings when you load the game binary to IDA. Moreover, as the game is compiled to native assembly, all the symbols like class names or function names are stripped from the binary. This significantly makes the static analysis of these games more difficult and is usually considered to be un-hackable. In this part, however, I will show my IDA plugin which is able to recover all the class names, method names and string constants and mapping them into IDA. With this plugin, hacking Unity games becomes incredibly easy.

Lastly, a demo of hacking a Unity game compiled by IL2CPP will be presented. Based on this practice, I will give an review of these countermeasures and discuss the possibility of protecting mobile games from being hacked.


Nevermoe comes from China. He came to Japan 3 years ago to pursue his master's degree in the University of Tokyo. Half a year ago, He entered the LINE Corporation where his main work is to check the security of LINE's products.

[ja] SWIFT Code for Mozilla Bank - Code Vulnerability Analysis of Firefox for iOS

Muneaki Nishimura (Nishimunea)

Firefox for iOS is a new mobile browser that rolled out last November. This browser uses iOS's WKWebView for rendering web pages, and the vendor Mozilla is focusing on creating browser's UI. The UI written in Swift provides various features that communicate with web pages.

However, these features have been led to security issues due to incompatibility with web security models. I have found 10+ bugs in the browser and received a total reward of $19,000 so far.

Most of the bugs I reported were discovered using keyword searches in the source code. In this talk, I will introduce useful keywords, i.e., SWIFT code, to withdraw reward money from Mozilla bank.

Muneaki Nishimura (Nishimunea):

Muneaki Nishimura, also known as Nishimunea, is a security engineer at Recruit Technologies Co., Ltd. and weekend bug hunter. His research interests are in abusing security sandbox in web browsers and web based platforms. He is a lecturer and current application track leader of Security Camp, the national information security human resource development program in Japan.

[ja] Let's name an APT group name!

Akira Miyata(seraph)

Security vendors create IOCs from the result of analysis of cyber threat, and taking advantage of the improvement of the detection rate. In addition, they name catchy APT group name or campaign name, and provide many reports. How do cyber threat intelligence analysts to analyze in order to approach to APT group?

In this session, I'd like to introduce about a process to name APT group name or campaign name with concrete example of the feature obtained by malware analysis and the like.

Akira Miyata(seraph):

Malware analyst. Twitter:@Seraph39.

[ja] HTTPS trafic intercept on Windows 10

Soya Aoyama(Ao)

Windows 10 have been added many new features.

We can capture HTTPS communication easily by using a certain function.

In this talk ,I will introduce this function with demo.

Soya Aoyama:


Security Researcher, soccer and drink lover

[ja] Let's be a bug bounty hunter 2016

Yuji Tounai

3 years ago, I was talking about "I wanna be a bug bounty hunter" at AVTOKYO 2013.5. What is recent situation of a bug bounty hunter? How to get a bounty rewards? What do you write a report for a bounty rewards? How much is my bounty rewards?

Yuji Tounai:

NTT Communications, "Yurufuwa" weekend bug hunter, Rewards from Google and Yahoo, Paypal, Cybozu, etc...

[ja] House of Einherjar -- Yet Another Heap Exploitation Technique on GLIBC



2 years has past since The Project Zero published the article entitled "The poisoned NUL byte, 2014 edition" in their blog. It shows new power of Off-by-one Error(OBOE) to us.

However, even if the target is the latest GLIBC, the OBOE against `struct malloc_chunk` still has another potential of arbitrary code execution.

In this session, I would like to propose a new heap exploitation technique, the House of Einherjar, I discovered through diving GLIBC malloc.


From Cyber Defense Institute, Inc. and I play CTF as a member of TokyoWesterns. Yes, malloc is delicious:)