Anti LuckyPatcher

Hello guys, good day. I have a classic payment app and it works perfectly, but when a user uses Lucky Patcher they can buy items without having to pay. Is there a way to avoid this from Lucky Patcher? I attach my Kotlin code. In advance, thank you very much.

```kotlin
private val purchaseUpdateListener = PurchasesUpdatedListener { billingResult, purchases ->
    when {
        billingResult.responseCode == BillingClient.BillingResponseCode.OK && !purchases.isNullOrEmpty() -> {
            for (purchase in purchases) {
                if (purchase.purchaseToken.isNullOrEmpty()) {
                    // The payment was made in cash, it must be handled according to your requirements
                    // You can display a message to the user or perform some specific action
                    Query_Version25() // Call the QueryVersion25() function for cash payments
                } else {
                    idp = purchase.orderId
                    Query_Version8()
                    Query_Version9()
                    isProductPurchased = true
                }
            }
        }
        billingResult.responseCode == BillingClient.BillingResponseCode.USER_CANCELED -> {
            Toast.makeText(this, R.string.ms27, Toast.LENGTH_SHORT).show()
        }
        else -> {
            Toast.makeText(this, R.string.ms28, Toast.LENGTH_SHORT).show()
        }
    }

    if (isProductPurchased) {
        // Reset the variable to allow the user to buy the same product again
        isProductPurchased = false
    }
}
```

Hello dear, you can’t prevent cracked purchases in your app (front end) because every user has your APK file and anyone can reverse engineer it and extract/modify your app files.
But you can prevent fake purchases and any unwanted cracks by using server-side validation.

Simply, when any user purchases a product inside your app, the app must send a request to your server with these keys (app package name - product id - purchase token - app signature).
After that you will check whether the request has the same app signature or not; if not, block the request and do whatever you want, because this request came from a modified app.
Also check whether the package name is equal or not, for example:

```php
// Values sent by the app in the POST body (empty string when a field is missing)
$AppSigniture = $_POST["app_sign"] ?? "";
$AppPackage   = $_POST["package"] ?? "";

if ($AppSigniture === "APP_SIGNITURE_HERE" && $AppPackage === "com.EnceptCode.CodingOasis") {
    // continue
} else {
    echo "request blocked";
    exit();
}
```

This is the first step to make sure that this request is valid and came from your genuine app, but this filter is not enough: you must send the purchase info to the Google validation API to verify the purchase and return with the result.

Now you will install the Google billing library for server side: From GitHub

Follow the instructions to install the library on your server, and after that you will create a file that will handle the Google API request and response by adding this code:

```php
// Assumption: the library was installed with Composer, so its autoloader is at vendor/autoload.php
require_once __DIR__ . '/vendor/autoload.php';

$client = new Google_Client();
$client->setAuthConfig($_SERVER['DOCUMENT_ROOT'].'/__YOUR_SERVER_ROOT__/service_account.json');
$client->addScope(Google_Service_AndroidPublisher::ANDROIDPUBLISHER);

$service = new Google_Service_AndroidPublisher($client);

// your app package name
$packageName = "com.EnceptCode.CodingOasis";

// the keys that came from the app request:
$productId = trim($_POST["productId"] ?? "");
$purchase_token = trim($_POST["token"] ?? "");

try {
    // send request to google api for validation
    $response = $service->purchases_products->get($packageName, $productId, $purchase_token);
} catch (Google_Service_Exception $e) {
    // Google rejected the lookup (for example, a token it does not recognise)
    echo "request blocked";
    exit();
}

// Get Response From The Api:
$PurchaseState = $response->getPurchaseState();

// Strict comparison: with ==, a missing (null) state would compare equal to 0
if ($PurchaseState === 0) { // 0 means purchased
    // give the user the item that he purchased.
} else if ($PurchaseState === 1) { // 1 means canceled
} else if ($PurchaseState === 2) { // 2 means pending
} else { // Automatic verify failed
}
```

That’s all, now you’ve protected your app from unauthorized requests or cracks. :smiley:

Greetings, Karim
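
The server-side decision described in the answer above, as an added example that is not code from the thread: the item is granted only on what Google reports for the token, never on fields the app sends. It goes one step beyond the answer by also refusing a token that was already honoured. `decideGrant`, the product id and the sample tokens are hypothetical, and the Google lookup result is passed in as an array so the block runs offline.

```php
<?php
// Added example: hypothetical helper and constructed data, not the thread's code.
const EXPECTED_PACKAGE = 'com.EnceptCode.CodingOasis'; // package name used in the answer

// $request:       fields posted by the app (untrusted input)
// $purchase:      fields Google returned for the token, or null when the lookup failed
// $grantedTokens: tokens already honoured (a database table in production)
function decideGrant(array $request, ?array $purchase, array &$grantedTokens): array
{
    $token = trim((string)($request['token'] ?? ''));
    $productId = trim((string)($request['productId'] ?? ''));
    if ($token === '' || $productId === '') {
        return [false, 'missing productId or token'];
    }
    if (($request['package'] ?? '') !== EXPECTED_PACKAGE) {
        return [false, 'unexpected package name'];
    }
    if ($purchase === null) { // Google has no record of this token
        return [false, 'token not recognised by Google Play'];
    }
    // purchaseState: 0 = purchased, 1 = canceled, 2 = pending
    if (($purchase['purchaseState'] ?? -1) !== 0) {
        return [false, 'purchase not completed'];
    }
    if (isset($grantedTokens[$token])) {
        return [false, 'token already used'];
    }
    $grantedTokens[$token] = $purchase['orderId'] ?? ''; // remember it before granting
    return [true, 'granted ' . $productId];
}

// Constructed sample requests and lookup results
$granted = [];
$base = ['package' => EXPECTED_PACKAGE, 'productId' => 'coins_100'];
$paid = ['purchaseState' => 0, 'orderId' => 'ORDER-SAMPLE-1'];
$cases = [
    'genuine purchase' => [$base + ['token' => 'tok-A'], $paid],
    'same token again' => [$base + ['token' => 'tok-A'], $paid],
    'forged token'     => [$base + ['token' => 'tok-FAKE'], null],
    'pending payment'  => [$base + ['token' => 'tok-B'], ['purchaseState' => 2]],
];
foreach ($cases as $name => [$req, $purchase]) {
    [$ok, $reason] = decideGrant($req, $purchase, $granted);
    printf("%-18s %s (%s)\n", $name, $ok ? 'GRANT' : 'DENY', $reason);
}
```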