Alright, let's talk about Bitcoin scripts and its opcodes.A transaction is (partly - the most interesting part of it) an
unlocking script and a
locking script, which are combined - in that very order, evaluated (executed - run as a program), and must return "TRUE" (which technically means that the stack must contain a positive integer top value and nothing else).
A P2SH address is simply the base58check encoded version of the
hashed locking script, so that it impossible to examine a "3-address" and determine its script (since it is hashed). This is where previous blockchain data comes in because my example address couldn't have been compromised if I hadn't prepared things for you and
already spent from it once before writing the OP.
Let's take it step by step.
While there are some common formats for P2SH scripts (such as "OP_HASH160 20 <a 20-byte hex string> OP_EQUAL") there is nothing that says that a P2SH address must adhere to any certain format. In fact, more complex scripts not only allowed but actually encouraged by Bitcoin. Multisig scripts, for example, can be very complex and contain a shitload of IF/THEN conditions. Remember however that when making a script, there must exist conditions for it (together with its inputs in the unlocking script) so that it may return "TRUE". If not, it is an unspendable address (and such addresses are curiously simple to create; you have been warned - don't unintentionally create Bitcoin black holes).
Let me lay out the locking script, so I can comment on it (and yes, I did use a few uncommon opcodes, but that's not illegal - they are standard by definition):
OP_SIZE
OP_SWAP
OP_SIZE
OP_NIP
8 0xd9ac1d9c37b651db
OP_ROT
OP_ROT
OP_EQUAL
OP_ROT
OP_DROP
OP_SWAP
OP_DROP
OP_1
8 0x99ac1d9c37b651db
OP_DROP
OP_EQUAL
It
is quite messy, and intentionally so, but it can be deciphered. Basically, what it does it that is takes two inputs, calculates their sizes (and not their values!) and if they are equal, it will (again together with the unlocking code below) return "TRUE".
This locking script shuffles around stack values like crazy and adds instances of gibberish 8-byte strings twice, which are never evaluated but simply dropped. Also, since the script will be serialized (converted to a hexadecimal string), I was very happy to end up with an exactly 32-byte script, since I figured that strings of that length are easily mistaken for hash values and/or signatures. The serialized locking script is thus
0x827c827708d9ac1d9c37b651db7b7b877b757c75510899ac1d9c37b651db7587
and this is easily converted to testnet public address 2NA4ZpHbzfp7VkAXHjpZc8Ze6SpNfS7jSbF and mainnet public address 3JWMkYfy4Mc9YNtk4gwjWceqEUAViUiMF5 with a few lines of Python (see previous post by yours truly) or if you're even lazier (or smarter, depending on your your world-view) using a web service (one linked below).
So, the unlocking script then. Again, I went for 32-byte strings, for the same reason; easily mistaken for hashes that actually represent something. But I simply generated two random hexadecimal numbers with bash command "openssl rand -hex 32" (which - by the way - is an excellent one-liner for producing unbreakable private keys), so that:
32 0x2803d055a4a133bde555a39d37762c8354b6f7418817c5c4b516cf413b280209
32 0x3dbb8323f94bf9acd13a5f92e0d0a7e87f34e31b09a866fdc80437a57e24a114
Looks really serious, doesn't it?
Remember though, these numbers are completely random and are never evaluated! The only requirement by my script is that two inputs of equal length are provided. This means that another unlocking script that would have and will work equally well for this address is (this is what I hoped someone would realize):
Oh yeah, this will work too:
Same length, not values - remember?
If you want to see the unlocking and locking scripts together, how they are evaluated step by step and how this crazy combination eventually leads to "TRUE", here they are together (this page is in my humble opinion awesome for P2SH experiments):
https://bitcoin-script-debugger.visvirial.com/?input=32%200x2803d055a4a133bde555a39d37762c8354b6f7418817c5c4b516cf413b280209%2032%200x3dbb8323f94bf9acd13a5f92e0d0a7e87f34e31b09a866fdc80437a57e24a114%20OP_SIZE%20OP_SWAP%20OP_SIZE%20OP_NIP%208%200xd9ac1d9c37b651db%20OP_ROT%20OP_ROT%20OP_EQUAL%20OP_ROT%20OP_DROP%20OP_SWAP%20OP_DROP%20OP_1%208%200x99ac1d9c37b651db%20OP_DROP%20OP_EQUALNote especially the green "Result: OK".
The person (or bot? - I still don't know who cracked it) simply did a copy/paste of the combined unlocking and locking script from my first spending
63202803d055a4a133bde555a39d37762c8354b6f7418817c5c4b516cf413b280209203dbb8323f94bf9acd13a5f92e0d0a7e87f34e31b09a866fdc80437a57e24a11420827c827708d9ac1d9c37b651db7b7b877b757c75510899ac1d9c37b651db7587
and used it unchanged to create a
new transaction. To view the raw transation, it can be done in Bitcoin Core console using "getrawtransaction 023f0dde4d0b11581cb81214462170995b85ec6be41c78c5fb44084c7d9e671a" or in Electrum console using "gettransaction('023f0dde4d0b11581cb81214462170995b85ec6be41c78c5fb44084c7d9e671a')", but remember to start them in testnet mode before trying.
In other words, the next time you want to snatch coins from these addresses, try the shorter redeem code:
23515120827c827708d9ac1d9c37b651db7b7b877b757c75510899ac1d9c37b651db7587
Unless you didn't already know OP_1 is "51" in hexadecimal, why the string begins with two instances of that.
Phew... that took some time to write up...
I hope you liked it, and in that casse feel free to pass over some testnet coins to 2N2EJxoRy5hRE74aV4NDiC22dcH3QEqzf5G, because I was just robbed of almost all I had there
Edit/additions:
1) To clarify further, what I tried to accomplish with three different 32-byte strings as the Sigcode
2803d055a4a133bde555a39d37762c8354b6f7418817c5c4b516cf413b280209
3dbb8323f94bf9acd13a5f92e0d0a7e87f34e31b09a866fdc80437a57e24a114
827c827708d9ac1d9c37b651db7b7b877b757c75510899ac1d9c37b651db7587
which are the values you see when you look at a transaction
in a block explorer was an attempted deception. I.e NOT "hey, this looks like a broken signature".
2) Speaking of signatures. I should have written earlier that my script does zero signature evaluation and there is no elliptic curve cryptography (ECC) anywhere, why the address is another "anyone-can-spend" now that the required inputs have been disclosed, so any old redeem code that has worked will work again.