3 comments

[ 3.9 ms ] story [ 12.3 ms ] thread
(comment deleted)
> With just a little bit of grinding, you can easily find some input that produces the right sighash. You don't need to find a full hash collision, you're only checking the first four bytes. So is this theory correct?

I remember a paytv hack (maybe it was a card unloop?) that worked this way.

We knew the card’s public key so we could encrypt any packets for it, but the card had a list of valid signatures that it accepted (which we also knew) but no other signatures accepted.

Cracking the private key to sign ourselves would be very hard. But we just need 1 packet that does 1 thing and anything else is irrelevant. Trillions of packets might do what we need. We don’t need a full compromise.

Say we needed to do:

> Start Packet

> I++

> End Packet

Even if that didn’t generate the right signature, the right mix of NOPs before or after or other junk code would eventually do the I++ that we really needed with the right signature.

The (freeware) hackers wrote some code for a bunch of us to run on our own computers to generate a bunch of random combos of junk before/after the meat and had us post to the forum if it spit out one that matched a valid signature and someone did!