Getting Lua State + Offsets
This is my first post/thread, whatever. I might be spoonfeeding, idk.
Today I'm going to talk about how to get the Lua state (maybe), plus the offsets required for it. Then again, this might actually not BE correct, since I'm new to the whole Roblox exploiting ordeal.
OFFSETS MAY OR MAY NOT WORK!! Since Roblox hasn't updated, idk if they work.
I'm sure there's a better way to do this.
OK, yeah, let's get onto this.
MOST, if not ALL, of this is from headhunter plus stuff from v3rmillion, so big thanks to them.
Make a new header file with addresses and such; call it Addresses.h or something.
Go here and get some functions plus (1) struct: https://github.com/Fish-Sticks/headhunter/tree/master/headhunter/src/scheduler
We're using getscheduler to get this.
Let me give you one:
int job_name_offset = 16; /* GUESSING: it rarely changes; saw the same offset in 2020, and headhunter in 2022 has the same offset :D */
This offset is pretty crucial, so yeah.
Unpack Roblox, open IDA, and such.
Use a 0x400000 rebase for your addresses, or a 0x50000 rebase (we're using 0x50000 in this context).
Finding Addresses
GETSCHEDULER
Open IDA < 7.0 and load the unpacked Roblox.
We're going to find the most CRUCIAL address: rbx_getscheduler();
Search for "SchedulerRate".
Go to the first XREF.
Decompile the sub; you get something like this. Decompile the circled function:
https://cdn.discordapp.com/attachments/971198887274639390/971198929477722132/unknown.png
In the circled function, look for a call to a sub without arguments,
like this:
https://cdn.discordapp.com/attachments/971198887274639390/971199154065915945/unknown.png
This is rbx_getscheduler();
You may now go to the TYPEDEFS section of this document.
GETSTATE / GETTHREAD
State, thread: same thing.
Search "challenge". There will be < 1; go through each until you get an xref to a sub that looks like this:
https://cdn.discordapp.com/attachments/971198887274639390/971199341370966046/unknown.png
Decompile the sub with "challenge" as one of its arguments.
Go down until you see an if statement; it'll look like this:
https://cdn.discordapp.com/attachments/971198887274639390/971199442759852104/unknown.png
The circled sub is getstate!
Proceed to typedefs.
Finding offsets
Now onto the extremely long, boring part.
OFFSETS!!!
Finding offsets for Scheduler!!
jobs_end, jobs_start -> look at the xrefs of scheduler; in the 20s, 20 min, 22 max. See:
https://cdn.discordapp.com/attachments/971198887274639390/971199643629260821/unknown.png
Purple: jobs_start
Blue: jobs_end
jobs_start (ALT + BETTER), scriptcontext -> "WaitingScriptJob"
https://cdn.discordapp.com/attachments/971198887274639390/971199823787208734/unknown.png
Purple is scriptcontext.
Blue is jobs_start.
scheduler_fps -> "WaitingScriptJob"
Go to the first xref and decompile.
Then decompile this:
https://cdn.discordapp.com/attachments/971198887274639390/971199962329284608/unknown.png
Find this:
https://cdn.discordapp.com/attachments/971198887274639390/971200050103484446/unknown.png
That should be it.
BONUS!!!
Felt generous, so here's how to get pseudo2addr and luaO_nilobject.
Search "tables cannot be cyclic", first xref.
Go down till you see this:
https://cdn.discordapp.com/attachments/971198887274639390/971200200037253170/unknown.png
Purple is pseudo2addr!!
luaO_nilobject: decompile pseudo2addr and go here:
https://cdn.discordapp.com/attachments/971198887274639390/971200310527819896/unknown.png
Underlined is luaO_nilobject.
See proof:
https://cdn.discordapp.com/attachments/971198887274639390/971200385173831730/unknown.png
OK, now this isn't really proof.
TYPEDEFS
getscheduler
typedef int(__cdecl* rbx_getscheduler)();
rbx_getscheduler rbx_get_scheduler = (rbx_getscheduler)x(rbx_getscheduler_Address);
getstate / getthread
typedef int(__thiscall* _getstate)(int scheduler_scriptcontext, int* type);
_getstate lua_getstate = (_getstate)x(lua_getstate_Address);
pseudo2addr
typedef int(__fastcall* _index2adr)(int l, int idx);
_index2adr r_pseudo2addr = (_index2adr)x(index2adr_Address);
END PRODUCT:
Go through headhunter's getscheduler thing.
Run the scriptcontext through lua_getstate() (the _getstate instance from the typedefs above), like so:
int rL = lua_getstate(scriptcontext, 0); /* second argument is the int* type out-param; 0 = don't care */
End:
https://cdn.discordapp.com/attachments/971198887274639390/971200483731574784/unknown.png
FAST LUASTATE GRABBING!!!
Ignore the additional 0's; that's just a thing in my tostring method.
OK, thx.
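As an added example (not code from the post, and not headhunter's), here is the end product described above, scheduler -> "WaitingScriptJob" -> scriptcontext -> lua_State, written as an offset walk that runs against a constructed in-process mock instead of the Roblox client. Everything about the mock layout is an assumption for the demo: the struct shapes, every offset except job_name_offset = 16 (which is the post's), the job names other than "WaitingScriptJob", and mock_getstate standing in for rbx_getstate/lua_getstate from the typedefs. On the real client the offsets and addresses come from the IDA work above, the job name is a std::string rather than a char array, and the entries are 32-bit shared_ptrs, so the stride and the reads would be 4-byte.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// ---- Constructed mock of the layout the post walks (demo assumptions, not Roblox's) ----
// A job object: the post's job_name_offset = 16 puts the name 16 bytes in. The real
// client stores a std::string there; the mock uses a char array so the struct stays
// standard-layout and offsetof() is well defined.
struct MockJob {
    uint8_t   pad[16];        // hypothetical: vtable / other fields before the name
    char      name[32];       // job name, e.g. "WaitingScriptJob"
    uintptr_t scriptcontext;  // hypothetical: ScriptContext pointer, set only on the script job
};

// The job list is walked as a contiguous array of shared_ptr-sized entries
// {Job*, control block*}; jobs_start / jobs_end are the begin / end pointers.
struct MockJobEntry { MockJob* job; void* ctrl; };

struct MockScheduler {
    uint8_t       pad[0x40];  // hypothetical: other scheduler fields
    MockJobEntry* jobs_start;
    MockJobEntry* jobs_end;
};

struct MockScriptContext {
    uint8_t   pad[0x20];      // hypothetical
    uintptr_t lua_state;      // what getstate() hands back in the mock
};

// The offsets an exploit would hard-code; here they come from the mock's layout.
constexpr uintptr_t job_name_offset      = offsetof(MockJob, name);       // 16, as in the post
constexpr uintptr_t scriptcontext_offset = offsetof(MockJob, scriptcontext);
constexpr uintptr_t jobs_start_offset    = offsetof(MockScheduler, jobs_start);
constexpr uintptr_t jobs_end_offset      = offsetof(MockScheduler, jobs_end);
constexpr uintptr_t job_entry_stride     = sizeof(MockJobEntry);

// Walk [jobs_start, jobs_end) by raw offsets and return the job whose name matches, or 0.
uintptr_t find_job(uintptr_t scheduler, const char* wanted) {
    uintptr_t it  = *reinterpret_cast<uintptr_t*>(scheduler + jobs_start_offset);
    uintptr_t end = *reinterpret_cast<uintptr_t*>(scheduler + jobs_end_offset);
    for (; it < end; it += job_entry_stride) {
        uintptr_t job = *reinterpret_cast<uintptr_t*>(it);  // first word of the entry is Job*
        if (job == 0) continue;                              // empty slot: skip, don't deref
        const char* name = reinterpret_cast<const char*>(job + job_name_offset);
        if (std::strcmp(name, wanted) == 0) return job;
    }
    return 0;
}

// Stand-in for rbx_getstate(scriptcontext, &type) from the post's typedefs (mock only).
uintptr_t mock_getstate(uintptr_t scriptcontext, int* type) {
    (void)type;
    return reinterpret_cast<MockScriptContext*>(scriptcontext)->lua_state;
}

// End product: scheduler -> WaitingScriptJob -> scriptcontext -> lua_State (0 on failure).
uintptr_t get_lua_state(uintptr_t scheduler) {
    uintptr_t job = find_job(scheduler, "WaitingScriptJob");
    if (job == 0) return 0;                                  // job missing: offsets/name are wrong
    uintptr_t sc = *reinterpret_cast<uintptr_t*>(job + scriptcontext_offset);
    if (sc == 0) return 0;
    int type = 0;
    return mock_getstate(sc, &type);
}

// Build the constructed scheduler in our own process so the walk runs without Roblox.
static MockScriptContext g_ctx;
static MockJob           g_jobs[3];
static MockJobEntry      g_entries[3];
static MockScheduler     g_sched;

uintptr_t build_mock_scheduler() {
    g_ctx.lua_state = 0x2C4A10F0;  // constructed value standing in for the lua_State address
    const char* names[3] = { "FakeJobA", "WaitingScriptJob", "FakeJobB" };  // hypothetical names
    for (int i = 0; i < 3; ++i) {
        std::memset(g_jobs[i].name, 0, sizeof g_jobs[i].name);
        std::strncpy(g_jobs[i].name, names[i], sizeof g_jobs[i].name - 1);
        g_jobs[i].scriptcontext = (i == 1) ? reinterpret_cast<uintptr_t>(&g_ctx) : 0;
        g_entries[i] = { &g_jobs[i], nullptr };
    }
    g_sched.jobs_start = g_entries;
    g_sched.jobs_end   = g_entries + 3;
    return reinterpret_cast<uintptr_t>(&g_sched);
}

int main() {
    uintptr_t L = get_lua_state(build_mock_scheduler());
    std::printf("lua_State = 0x%08lx\n", static_cast<unsigned long>(L));
    return L == 0;
}
```

The point of doing it this way rather than trusting a fixed index into the job list is that the scan keys on the job name, so it survives jobs being reordered and returns 0 instead of dereferencing garbage when the name or offsets are stale after an update.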