Exploiters are now bypassing my UserOwnsGamepass check and using a hookfunction to return it as true

  1. What do you want to achieve? How can I prevent this from being called from a hook function?

  2. What is the issue? Exploiters now get the tool for free.

  3. What solutions have you tried so far? I tried looking at some other post.

and they get the boombox.

hookfunction(game:GetService("MarketplaceService").UserOwnsGamePassAsync, newcclosure(function()
    return true
end))

Above is the exploiter's code that returns the value as true.

This will only return true on the client. To make it secure, check on the server. If it’s a local item, you can’t really prevent it (as anything local on the client can be modified by an exploiter).


use a remote function

local PlayerOwnsTool = game.ReplicatedStorage.CheckOwned:InvokeServer(securedkey, id)

Why would you even use MarketPlaceService on client anyway? I feel like the service should be locked to server-only.


exactly, for me I've never seemed to use this for client

i don't think this is any different from Marketplace:UserOwnsGamePass

I'm pretty sure it is, because the invoke server is returning Marketplace:UserOwnsGamePass from the server side to the client, meaning exploiters can't bypass it by changing the client version.

how can't exploiters bypass it? i thought hookfunction can hook any function?

hm, i didn't think about it like that, but at the end of the day u can secure that remote function with auto generated keys.

Sorry to bring this thread back, but I believe the player's character is an exception, sorta. All items are automatically synced among server and client within a player's character (instances, at least) so you can shove some things in there. I did it for a few anti cheats and I would just have it check characters for it, since if they destroy it locally it'll be synced and show on the server.

Replication on Roblox has a lot of exceptions when it comes to working with characters, humanoids, and guis. There’s a lot of rough edges because these things have existed for quite a while.

The main point of this post is to never trust the client and always validate their requests on the server.

This doesn’t solve the problem.

Sidenote: Please do not bump threads two years later

Security through obscurity is not true security. It’s much better to just validate a client’s requests and never trust the client.

okay whatever u say pal, when the injected script is changing "game:GetService("MarketplaceService").UserOwnsGamePassAsync"
vs what ur receiving from a remote function🤷‍♂️

They’re saying that this:

is not security. The client can easily grab the key

that would also be hooked by a namecall hook on the game's metatable.

local namecall;
namecall = hookmetamethod(game, "__namecall", function(self, ...)
    if self == game.ReplicatedStorage.CheckOwned and getnamecallmethod() == "InvokeServer" then
        return true
    end
    return namecall(self, ...)
end)

use server side, the hackers won't be able to access it

You should never trust the results of these functions client side and should never need to. Don’t trust the client.

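The server-side check that the replies above recommend, written out as an added example (it is not code from any poster in this thread). It assumes a server Script in ServerScriptService and a Tool named "Boombox" kept in ServerStorage; `GAME_PASS_ID` is a placeholder and the function names are made up for illustration.

```lua
-- Added example: Script in ServerScriptService (runs only on the server).
local MarketplaceService = game:GetService("MarketplaceService")
local Players = game:GetService("Players")
local ServerStorage = game:GetService("ServerStorage")

local GAME_PASS_ID = 0 -- placeholder: replace with your own game pass id
local TOOL_NAME = "Boombox" -- assumed name of a Tool stored in ServerStorage

local ownsPass = {} -- [userId] = true, server-side cache of verified owners

-- Ask Roblox from the server. A hook installed on the client lives in the
-- client's Lua state and cannot change what this call returns here.
local function verifyOwnership(player)
	if ownsPass[player.UserId] then
		return true
	end
	local ok, owned = pcall(function()
		return MarketplaceService:UserOwnsGamePassAsync(player.UserId, GAME_PASS_ID)
	end)
	-- Fail closed: if the web call errors, nothing is granted.
	if ok and owned then
		ownsPass[player.UserId] = true
		return true
	end
	return false
end

-- The server clones the tool itself. ServerStorage is not replicated, so the
-- client never receives the tool unless the server decided to give it.
local function giveTool(player)
	if not verifyOwnership(player) then
		return
	end
	local backpack = player:FindFirstChildOfClass("Backpack")
	local template = ServerStorage:FindFirstChild(TOOL_NAME)
	if backpack and template and not backpack:FindFirstChild(TOOL_NAME) then
		template:Clone().Parent = backpack
	end
end

Players.PlayerAdded:Connect(function(player)
	player.CharacterAdded:Connect(function()
		giveTool(player)
	end)
end)

Players.PlayerRemoving:Connect(function(player)
	ownsPass[player.UserId] = nil -- drop the cache entry when the player leaves
end)
```

No RemoteFunction result or client-supplied key takes part in the decision, so hooking `UserOwnsGamePassAsync` or `InvokeServer` on the client only changes what that client sees locally.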

I'm not saying that the key is literally "securedkey", I'm talking about an actual generated key. I have a module that auto generates keys