CVE-2024-38365 public disclosure (btcd `FindAndDelete` bug)

To have a valid signature in the scriptpubkey.

To exploit this you want to have a data push in the scriptpubkey which contains the signature among other dummy data and then execute the signature check. When checking the signature Bitcoin Core’s FindAndDelete won’t drop the data push from the signature hash, but btcd will before version 0.24.2.

To cause a chain split you not only want the sighash calculation to differ, you want it to lead to a different signature check result. The only way to have a valid signature in the scriptpubkey is to generate the signature first and then to recover a public key from it plus the sighash. By performing a public key recovery using Bitcoin Core’s sighash you’ll get a public key such that the signature check passes on Bitcoin Core but fails on btcd. And vice versa.

I have a documented Bitcoin Core unit test as a patch which generates such a transaction, that we sent to Laolu as part of the original report. I’m hesitant to share it publicly though since it would simplify the job of a script kiddie who wants to be annoying. I’ll share the patch with you privately and share it on this thread later.

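A differential check for the script-cleaning step described in the post above, usable as a regression test when two implementations must agree on the bytes that get hashed. This is an added example, not code from btcd, Bitcoin Core or the post's author. It models the two removal rules only as the post describes them; the function names, the restriction to direct pushes and the sample bytes are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
)

// cleanScript walks a script of direct pushes (opcodes 0x01-0x4b) and single-byte
// opcodes, dropping each push whose data satisfies drop. OP_PUSHDATA1/2/4 are not modelled.
func cleanScript(script []byte, drop func(data []byte) bool) []byte {
	out := make([]byte, 0, len(script))
	for i := 0; i < len(script); {
		n := int(script[i])
		if n < 0x01 || n > 0x4b { // not a direct push: copy the opcode
			out, i = append(out, script[i]), i+1
			continue
		}
		end := i + 1 + n
		if end > len(script) { // truncated push: keep the rest untouched
			return append(out, script[i:]...)
		}
		if !drop(script[i+1 : end]) {
			out = append(out, script[i:end]...)
		}
		i = end
	}
	return out
}

// exactMatch drops only a push that is exactly sig (rule attributed to Bitcoin Core).
func exactMatch(script, sig []byte) []byte {
	return cleanScript(script, func(d []byte) bool { return bytes.Equal(d, sig) })
}

// containsMatch drops any push containing sig (rule attributed to btcd < 0.24.2).
func containsMatch(script, sig []byte) []byte {
	return cleanScript(script, func(d []byte) bool { return bytes.Contains(d, sig) })
}

// diverges reports whether the two rules leave different bytes to be hashed.
func diverges(script, sig []byte) bool {
	return !bytes.Equal(exactMatch(script, sig), containsMatch(script, sig))
}

func main() {
	sig := []byte{0xAA, 0xBB, 0xCC}                            // constructed placeholder, not a real signature
	padded := []byte{0x05, 0x00, 0xAA, 0xBB, 0xCC, 0x00, 0xAC} // push(pad|sig|pad) OP_CHECKSIG
	fmt.Printf("exact=%x contains=%x diverges=%v\n", exactMatch(padded, sig), containsMatch(padded, sig), diverges(padded, sig))
}
```

A script whose push is exactly the signature is cleaned identically by both rules; only a push that embeds the signature among other bytes makes the outputs differ.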