EtherBlob Explorer: Search and extract blob files on the Ethereum Blockchain network

by do son · Published April 1, 2021 · Updated May 1, 2024

EtherBlob Explorer

Search and extract blob files on the Ethereum network using Etherscan.io API.

EtherBlob Explorer is a tool intended for researchers, analysts, CTF players, or anyone curious enough wanting to search for different kinds of files or any meaningful human-supplied data on the Ethereum Blockchain Network. It searches over a user-supplied range of block IDs or UNIX timestamps.

For a real-life case, you can read this experiment made in 2017. The immutability of the blockchain can truly be a double-edged sword.

Features

Search Locations

This tool can search on the following locations, either separately or combining any of these on the same run:

Transaction Input Data: search inside transaction’s input data (default location).
Block Input Data: search inside block’s input data.
Contract Storage: search inside a contract’s storage array on the first N 32-byte sized positions, treating it all as one big data string.
To Addresses: search appending ‘to’ addresses as the possible input [*] (checking first for file headers and re-checking when all data is harvested using binwalk).

[*] Storing data on ‘to’ addresses is possible on the Ethereum network as there’s no verification if sending to an address that has no associated account keys. Meaning you can make transactions to arbitrary addresses to craft a payload over several 20-byte sized transactions (it’s very rare but so are some CTF challenges).

Search and Extraction Methods

All of these methods can be used either separately or in any combination:

Embedded Files: search for files embedded inside data using binwalk.
File Headers / Magic Bytes: search using headers + magic bytes via levaraging the Linux util file (default method).
ASCII String Dump: search for ASCII strings inside data.
Entropy-Based Search: use Shannon’s Entropy as a measure tool to search for natural language text (e.g. UTF-8 Unicode), encrypted/compressed files or anything the user seems viable with user-supplied entropy limits.

IMPORTANT: The order showed here is used under-the-hood for discarding searches with other methods (e.g. if file is found via embedded files then it won’t attempt to search using file headers, ascii string dump nor entropy) as it’s not likely to find anything meaningful if previous methods were already successful.

Misc

Accepts UNIX timestamps (instead of block IDs) that get resolved into the closest block IDs commited at those times.
Save all data from visited transactions into file for later reviewing.
Store CLI-displayed logs into file for later extracted-file analysis.
Ignore user-supplied file formats (case-insensitive) for extraction and accepts substrings of the complete file format for blacklisting.
Print general progress metrics (e.g. how many blocks / transactions have been parsed, how many blocks are left) every minute and also display some interesting metrics at the end of the current run.
More useful features found on the manual (-h)!