Two years ago, secret club member @floesen_ reported a remote code execution flaw affecting all source engine games. It can be triggered through a Steam invite. This has yet to be patched, and Valve is preventing us from publicly disclosing it.

Hypervisors for Memory Introspection and Reverse Engineering by @memn0ps .

RISC-Y Business: Raging against the reduced machine by @mrexodia oopsmishap.

Abusing undocumented features to spoof PE section headers by @x86matthew

Bootkitting Windows Sandbox by @mrexodia @sdoogm .

Improving MBA Deobfuscation using Equality Saturation by @fvrmatteo and @mr_phrazer.

Earn $200K by fuzzing for a weekend: Part 2 by @addisoncrump_ko .

Earn $200K by fuzzing for a weekend: Part 1.by @addisoncrump_ko .

Tickling VMProtect with LLVM: Part 1-3 by @fvrmatteo .

Windows 11: TPMs and Digital Sovereignty by @daax_rynd @_can1357 @nickeverdox .

Preventing memory inspection on Windows by @JustasMasiulis

Counter-Strike Global Offsets: reliable remote code execution by @brymko @cffsmith @scannell_simon (Guest article).

We've launched a public discord, check it out!.

CVE-2021-30481: Source engine remote code execution via game invites by @floesen_ .

RT @chirun02: Many researchers (@bienpnn, @teapotddd, @the_secret_club and others) have demonstrated exploits for Source games that Valve d….

Here we see researcher teapotd demonstrate his remote code execution vulnerability in CS:GO that is yet to be patched by Valve!.

After two years, Valve has patched the critical remote code execution exploit disclosed by @floesen_.

Here we see researcher teapotd with multiple CRITICAL 0days in Source Engine games that have been known by Valve for years.

You can read about our work in the latest VICE article .