Anyone currently digging into the latest Roblox internal builds?
Working on a UNC executor against the version-26c90be22e0d4758 build. Module stomping via SEC_IMAGE into mfcore.dll is hitting correctly. The L acquire through the ScriptContext to ExtraSpace chain is perfectly stable (L+0x18 -> global validates), but I'm hitting a wall with the globals table.
The Blocker
Currently unable to locate the _G Table to register new UNC functions via luaH_set. The internal structure seems to have shifted or I'm misinterpreting the pointer chain.
- L+0x48 (Upstream LuaState::gt) — The pointer reads fine, but the first byte is 0x00, not 0x06 (LUA_TTABLE).
- index2adr(L, -10002) at RVA 0x41B0950 — This returns a TValue whose value field points to global_State (G), NOT the _G Table.
- Closure.env (+0x10) check — Testing across 13 discovered CClosures shows env=0 or env with tt=0x00.
Current Progress & Technical Stack
Despite the gt issue, the following offsets and functions are already resolved and verified:
- ptrenckey offset: 0x4B8
- luaF_newCclosure, luaS_newlstr, luaH_set/setstr logic.
- Core struct offsets for Closure, TValue, Proto, and TString.
The dumper is failing to resolve lua_setfield and lua_pushcclosurek because the standard "not enough memory to allocate C closure" anchor is stripped from .rdata. Surviving anchors include: "_VERSION", "The metatable is locked", "delay function requires", and "attempt to index".
Technical Questions for the RE Crowd
- Where is gt sitting on the lua_State in this specific build? Has it moved from 0x48?
- Is there a more reliable path to reach _G from the current known offsets?
- Does anyone have a fresh signature for lua_setfield or lua_pushcclosure for this version?
I'm happy to drop the full list of offsets I've successfully dumped if we can get this global table resolved. Drop your findings or crash logs if you're hitting the same segment.