Whitelist on Products

I sell products on ROBLOX and I was wondering if there is any way to whitelist my product. I would make sure they can’t cut it out by obfuscating it, but how can I check if they own it? They buy it with developer products so there’s no way to check if they own it.

2 Likes

What do you mean by “whitelist product”, or “cut it out by obfuscating it”? If you want to check if they own a developer product, you can keep track of when a user buys one using Datastores and ProcessReceipt.

I sell roblox aviation products that people will have in their own game. To prevent people from leaking it to non-purchasers, I need to include a whitelist system.

That means I’ll obfuscate the whitelist script into the product’s main script so they can’t delete the whitelist.

Any ideas on how to achieve this?

1 Like

Ironbrew-2 is open sourced. Perhaps fork it and try changing stuff up.

https://github.com/DefCon42/ironbrew-2

1 Like

People can change and leak whatever they have access to. A whitelist system may have worked two years ago, but I believe this change rendered it impossible: Removing Support for Third Party Closed Source Modules

1 Like

I know how to obfuscate, but not whitelist.

Oops I skimmed too fast.

You can’t do anything to 100% guarantee the person using your code is whitelisted. You could make a key system where they have to enter a key for the code to continue.

If you still need a whitelist system, just keep a saved list of UserIDs and check that the ID of a user is on the list when using your product.

They can easily leak the key. (30 chars)

Obfuscate the code with the key then send them the custom source? Not foolproof but should do an ok job.

Yeah but I want to auto-add them to the whitelist, not me having to manually add them.

You could require your whitelisted users via some 3rd party server.

Like I said earlier, you could use Datastores and ProcessReceipt in a script to automatically do this.

But it wouldn’t be in the same game! ProcessReceipt doesn’t save, I thought, because DevProduct purchases don’t save since they can be bought multiple times.

1 Like

Like what 3PS? Any ideas on that?

Ah sorry. That was obvious, and I didn’t think. Would it be easier to simply use gamepasses (or clothing item or whatever) instead, which can be identified as owned by a user?

I’d rather use Developer Products as it’s already implemented.

In that case, I think your best bet is to go with a third party system as @EpicMetatableMoment said.

What 3ps can I use for this case?
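
Added example, not part of the original thread: the server-side half of the third-party whitelist suggested above, in Python. It assumes the seller's own store game forwards each ProcessReceipt receipt (PurchaseId, PlayerId, ProductId) over HttpService together with a shared secret; the function names, the secret value and the SQLite schema are hypothetical.

```python
import hmac
import sqlite3

# Hypothetical shared secret; it lives only in the seller's store game and on this server.
STORE_SECRET = b"constructed-example-secret"


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    # PurchaseId as primary key makes a retried ProcessReceipt call idempotent.
    db.execute(
        "CREATE TABLE IF NOT EXISTS purchases ("
        "purchase_id TEXT PRIMARY KEY, user_id INTEGER NOT NULL, product_id INTEGER NOT NULL)"
    )
    return db


def record_purchase(db, token, receipt):
    """Store one receipt; True means it is saved and the purchase can be granted."""
    if not isinstance(token, bytes) or not hmac.compare_digest(token, STORE_SECRET):
        return False  # only the seller's store game may add whitelist entries
    try:
        row = (str(receipt["PurchaseId"]), int(receipt["PlayerId"]), int(receipt["ProductId"]))
    except (KeyError, TypeError, ValueError):
        return False  # malformed receipt: reject instead of storing partial data
    with db:  # commit on success, roll back on error
        db.execute("INSERT OR IGNORE INTO purchases VALUES (?, ?, ?)", row)
    return True


def is_whitelisted(db, user_id, product_id):
    """Ownership check the product asks for, keyed on the buyer's UserId."""
    found = db.execute(
        "SELECT 1 FROM purchases WHERE user_id = ? AND product_id = ? LIMIT 1",
        (int(user_id), int(product_id)),
    ).fetchone()
    return found is not None


if __name__ == "__main__":
    db = open_db()
    # Constructed sample receipt, shaped like the receiptInfo table ProcessReceipt receives.
    receipt = {"PurchaseId": "constructed-0001", "PlayerId": 1001, "ProductId": 555}
    print(record_purchase(db, STORE_SECRET, receipt))
    print(is_whitelisted(db, 1001, 555), is_whitelisted(db, 2002, 555))
```

This records who bought the product and adds them automatically; the code running in the buyer's game still has to honour the answer, which is the limit other replies in this thread point out.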

I think you might be better just attempting to trust the people you’re giving code to. No matter what you do, your system can be bypassed.

For example, gamepass identification can be spoofed by creating a fake game object, with a fake GamePassService and fake :PlayerHasPass method.

Example code that could be used to wrap the game object:

local function wrap(object)
    local objectType = type(object)

    if (objectType == "userdata") then
        local newObject = newproxy(true)
        local newObjectMetatable = getmetatable(newObject)

        function newObjectMetatable:__index(key)
            local original = object[key]
            local originalType = type(original)

            if (originalType == "function") then
                return function(_, ...)
                    return original(object, ...)
                end
            end

            return original
        end

        return newObject
    end

    return object
end

--[[
    insert obfuscated code below that does everything your service does
    this obfuscated code still has to reference the environment it's running in so
    you can overwrite the variables it'll use. 
]]--

Same can be done with HttpService for keys, and honestly you can’t do anything because they can just get to a point where they just dump all constants like strings and numbers and quickly steal all your API keys.

2 Likes