Roblox Reflection - The Basics (Part 1)
Introduction
According to Wikipedia (opens in a new tab), reflective programming is the ability of a process to examine, introspect, and modify its own structure and behavior. In the case of Roblox, its reflection system enables Lua scripts running in the engine to interact with internal classes written in C++.
In this blog post, we will use Binary Ninja's intermediate language to examine and reconstruct Roblox's reflection classes. By doing so, we can gain a deeper understanding of how Roblox's reflection system works and how we can interact with it.
Getting Started
To get started, you will need a copy of Binary Ninja, a decrypted Roblox executable, and a basic understanding of C++ and Luau. If you don't have Binary Ninja, you can download a free trial from their website (opens in a new tab). To decrypt the Roblox Client executable, you can use a tool like vulkan (opens in a new tab), which dumps the decrypted image from memory onto your disk.
I'll be performing all my analysis on the version-eadc3c90bb1a4267 version of Roblox and have used the ClassyPP (opens in a new tab) plugin to resolve RTTI information. If you are using a different version of Roblox, you may get different results.
The base address of my dumped image is 0x17ff7a2f70000.
Understanding the Roblox Engine
Before we begin reverse engineering the binary, it's important to have a high-level overview of the Roblox engine. The Roblox engine is written in C++, but many of its classes are exposed to Lua scripts, as documented here (opens in a new tab). The engine consists of numerous classes, each responsible for different aspects of the game. For instance, the Workspace class manages the game world, while the Player class handles the player's character.
Although these classes differ in functionality, they all share a common base class called Instance. This base class forms the root of the class hierarchy and is responsible for managing the lifecycle of objects within the engine. By understanding how the Instance class operates, we can gain insight into how the rest of the engine functions.
Inspecting the Binary
We can begin our reverse engineering once Binary Ninja has finished analyzing the binary. After resolving RTTI information with ClassyPP, we can see several virtual tables under the RBX::Reflection namespace. These virtual tables manage the reflection system and are crucial for interacting with the engine.
There are a lot of classes, each having hundreds of cross-references in code and data. Finding the Instance class is like finding a needle in a haystack. To make things easier, let's find a class derived from Instance that has a unique name.
Finding a Unique Class
After browsing Roblox's documentation, I found DistortionSoundEffect (opens in a new tab), which only had a few cross-references in code. I noticed that it was being used in a call to the RBX::Reflection::Descriptor constructor. The C-like pseudocode looks like this:
This appears to be an initializer for the DistortionSoundEffect reflection class. Let's look at the cross-references to this function.
Exploring Properties
The first cross-reference brings us to another subroutine that seems responsible for registering the Level property of the DistortionSoundEffect class. For the sake of space, I won't post the entire subroutine but instead focus on the relevant parts.
At the beginning of the subroutine, a GetSet object is created. This object defines the getter and setter functions for the Level property. In this case, the virtual table used is 0x7ff7a6c9cc10, or with renamed symbols:
class RBX::Reflection::PropDescriptor<class RBX::Soundscape::DistortionSoundEffect, float>::GetSetImpl<float (__cdecl RBX::Soundscape::DistortionSoundEffectProp::*)(void) const, void (__cdecl RBX::Soundscape::DistortionSoundEffectProp::*)(float)>::vfTableThis can be seen in the following snippet of Binary Ninja's MLIL:
The getter function pointer is stored at rax + 0x8, and the setter function pointer is stored at rax + 0x10, where rax is the GetSet object. The getter function is defined as float (__cdecl RBX::Soundscape::DistortionSoundEffectProp::*)(void) const, and the setter function is defined as void (__cdecl RBX::Soundscape::DistortionSoundEffectProp::*)(float).
Let's examine the getter subroutine (sub_7ff7a3adf3a0). Its MLIL is shown below:
As indicated by the virtual table, arg1 is a pointer to the DistortionSoundEffect object. The getter function returns the value located at arg1 + 0x8, which is the Level property of the DistortionSoundEffect object.
For the sake of brevity, I will not cover the setter function for this property, as it simply writes the value to the same location.
Exploring Inheritance
According to the Roblox documentation (opens in a new tab), the DistortionSoundEffect class is derived from the SoundEffect class. Let's go back to the DistortionSoundEffect descriptor and see if we can find any references to the SoundEffect class.
Looking back at the MLIL for the DistortionSoundEffect descriptor, we can see a subroutine being called, and its result is stored in rdx, which is also passed to the RBX::Reflection::Descriptor constructor. This subroutine is likely responsible for initializing the SoundEffect class:
Let's examine the code located at sub_7ff7a42e43b0 (only the relevant part is shown):
As you can see, we end up at the SoundEffect class descriptor initializer, just as expected. After repeating this process a few more times, we can reconstruct the class hierarchy of the DistortionSoundEffect class:
DistortionSoundEffect : SoundEffect : InstanceThis hierarchy matches the one described in the Roblox documentation.
Conclusion
In this blog post, we used Binary Ninja's intermediate language to examine Roblox's reflection classes. By reconstructing the class hierarchy of the DistortionSoundEffect class, we gained a basic understanding of how Roblox's reflection system works.
In the next part of this series, we will explore the reflection system in more depth and reconstruct some of the structures used to interact with the engine. Stay tuned!