Abstract

When the rules for this year's Pwn2Own contest came out, we had less than one month left to prepare our Internet Explorer exploit. Popping a calc on this year's IE target was not an easy task: you need to conquer the 64-bit IE child process, Control Flow Guard (CFG) on Windows 8.1, and the Enhanced Protected Mode (EPM) sandbox of IE11. This was the first time 64-bit IE was used in the contest, which means much stronger ASLR, so the simple heap-spraying technique no longer works the way it does in a 32-bit process. On Windows 8.1, CFG is also used heavily in user-mode processes, which makes it harder to transfer the execution flow to our shellcode. Finally, we needed to bypass the EPM sandbox without user interaction and without restarting or re-logging into the computer. We are glad that we finally made it, with two 0day vulnerabilities, both of which were patched by Microsoft in June 2015. In this presentation, we describe (for the first time) the details of the two vulnerabilities we used to take down 64-bit IE in this year's Pwn2Own. By walking through the PoC exploit, we show how we achieved the ASLR and CFG bypass and remote code execution in 64-bit IE with a single uninitialized-memory bug. We also discuss the TOCTOU vulnerability we used to bypass IE's EPM sandbox and achieve elevation of privilege. Throughout the talk, we describe several methods you may use to bypass exploit mitigations (such as ASLR and CFG) on 64-bit IE in order to achieve remote code execution with a memory corruption bug.

Papers

Slides