http://bugs.winehq.org/show_bug.cgi?id=10273
--- Comment #3 from Anastasius Focht focht@gmx.net 2007-11-01 20:03:41 ---
Hello,
--- quote --- I don't know if this is related, but Ivan Leo talked about some hook testing done by safedisk 2. Apart from other things, it checks if all CALLs have a RET. It started at the exported functions, but eventually dived into Linux libraries. GCC generated code which broke these checks, e.g.
... Could this be the statistical heuristic you see? --- quote ---
Well, Micro$oft compilers seem to generate such code sequences on occasion too, but probably not many to have such significance.
The tests for hooked/detoured code (jump trampolines) are likely part of that "behavioral analysis". They probably used some sort of disassembler/tracer. But this is probably only a part of that analysis. I experimented with various opcode sequences, covering standard entry code but even a large number of them had no real significance (> of all gcc generated entries).
--- quote --- The patch does seem to help at least one other app get further. --- quote ---
I am missing the application name ;-)
Regards