> With just a little bit of grinding, you can *easily* find some input that produces the right sighash. You don't need to find a full hash collision, you're only checking the first four bytes. So is this theory correct?

I remember a pay-TV hack (maybe it was a card unloop?) that worked this way.

We knew the card’s public key, so we could encrypt any packets for it, but the card had a list of valid signatures that it accepted (which we also knew) and accepted no other signatures.

Cracking the private key to sign ourselves would be very hard. But we just need 1 packet that does 1 thing, and anything else is irrelevant. Trillions of packets might do what we need. We don’t need a full compromise.

Say we needed to do:

> Start Packet
> I++
> End Packet

Even if that didn’t generate the right signature, the right mix of NOPs before or after, or other junk code, would eventually do the I++ that we really needed with the right signature.

The (freeware) hackers wrote some code for a bunch of us to run on our own computers to generate a bunch of random combos of junk before/after the meat, and had us post to the forum if it spit out one that matched a valid signature, and someone did!
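The point both the quoted reply and the anecdote make is that a check which compares only the first few bytes of a digest costs about 256^n guesses to satisfy, so padding a fixed payload with junk and retrying will find a match. The example below is added here and is not code from either commenter; it uses SHA-256 as a stand-in hash (an assumption), grinds a trailing counter as the "junk after the meat", and shows the fix, which is to compare the whole digest.

```python
"""Grinding a truncated-digest check, and the full-digest check that defeats it.

Added example, not from the thread. SHA-256 stands in for whatever hash the
real systems used (assumption); only the number of bytes compared matters.
"""
import hashlib
import hmac
from typing import Optional, Tuple


def digest(payload: bytes) -> bytes:
    return hashlib.sha256(payload).digest()


def truncated_check(payload: bytes, accepted: bytes, n: int) -> bool:
    # Weak: only the first n bytes of the digest are compared.
    return digest(payload)[:n] == accepted[:n]


def full_check(payload: bytes, accepted: bytes) -> bool:
    # Hardened: the entire digest, compared in constant time.
    return hmac.compare_digest(digest(payload), accepted)


def expected_attempts(n: int) -> int:
    # Each guess matches an n-byte prefix with probability 1/256**n.
    return 256 ** n


def grind(core: bytes, accepted: bytes, n: int, limit: int) -> Tuple[Optional[bytes], int]:
    """Append a varying counter (the 'junk' padding) to `core` until the
    truncated check passes. Returns (payload, attempts) or (None, limit)."""
    for i in range(limit):
        candidate = core + i.to_bytes(8, "big")
        if truncated_check(candidate, accepted, n):
            return candidate, i + 1
    return None, limit


if __name__ == "__main__":
    # Constructed: the one digest the verifier accepts, from a legitimate packet.
    accepted_digest = digest(b"legitimate packet")
    # n=2 keeps the demo fast; n=4 (the four-byte case) needs ~2**32 guesses.
    payload, tries = grind(b"I++", accepted_digest, n=2, limit=1 << 22)
    print("found after", tries, "attempts; expected about", expected_attempts(2))
    print("truncated check passes:", truncated_check(payload, accepted_digest, 2))
    print("full-digest check passes:", full_check(payload, accepted_digest))
```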
Read it on Rekt: https://www.rekt.news/polynetwork-rekt/