How do you make a saveinstance exploit?

So i know that you can do save instance given a internal exploit, but would it be possible to make a exploit solely focused on like exploring the data model and even looking at scripts? If yes would it be doable externally and if not what would you need to actuall luy get script bytecode and turn that into lua?