37848-vm/backend/src/services/dumper.js

class DumperService {
  static async analyze(content, name) {
    const logs = [];
    const envLogs = [];
    const dumpedOutput = [];
    
    logs.push(`[SYSTEM] Initializing analysis for ${name}`);
    
    // Detection
    let obf = 'Unknown';
    if (content.includes('LPH_') || content.toLowerCase().includes('luraph')) obf = 'LURAPH';
    else if (content.includes('IronBrew') || content.toLowerCase().includes('ironbrew')) obf = 'IRONBREW';
    else if (content.includes('Prometheus')) obf = 'PROMETHEUS';
    else if (content.includes('WeAreDevs') || content.includes('WRD')) obf = 'WEAREDEVS';
    
    logs.push(`[LOADER] Signature identified: ${obf}`);

    // Scan for environment calls
    const globals = [
      ...new Set(content.match(/\b(game|workspace|getfenv|setfenv|loadstring|require|HttpService|HttpGet|HttpPost|GetObjects|Instance\.new|shared|_G|spawn|wait|delay|tick|warn|print|error)\b/g) || [])
    ];
    
    globals.forEach(g => {
      envLogs.push(`Captured call to global: ${g}`);
    });

    // Simple "Deobfuscation" - Extracting strings and constants
    const s1 = content.match(/'[^']*'/g) || [];
    const s2 = content.match(/"[^"]*"/g) || [];
    
    const uniqueStrings = [...new Set([...s1, ...s2])].map(s => {
      return s.slice(1, -1);
    }).filter(s => s && s.length > 2);

    dumpedOutput.push('-- DUMPED CONSTANTS AND STRINGS --');
    uniqueStrings.forEach(s => {
      const escaped = s.split("\"").join("\\\"").split("\n").join("\\n");
      dumpedOutput.push(`CONST_STR["${escaped}"]`);
    });

    // Heuristics
    const networkAccess = content.includes('HttpService') || content.includes('HttpGet') || content.includes('HttpPost');
    const suspicious = content.includes('getfenv') || content.includes('loadstring') || content.includes('setfenv');

    return {
      obf,
      logs,
      envLogs,
      dumpedOutput: dumpedOutput.join('\n'),
      heuristics: {
        network: networkAccess ? 90 : 5,
        obfuscation: obf !== 'Unknown' ? 100 : 15,
        suspicious: suspicious ? 80 : 10
      }
    };
  }
}

module.exports = DumperService;