Yes, yes, all valid points. I was just trying to remove one more weakness, which is the 4GB offsets matching.

Consider that anything that hits the 4GB+x weakness will be undetectable, regardless of the length of the overrun. (OK, within reason, as a long enough overrun will surely break something else.)

Under an MD5 hash scheme, the chances of a 32bit slot being overwritten with the correct magic data is 1/4G, the same as with the offset method. But for the offset method, if the from/to addresses are 4GB apart, a run will generate the correct data, regardless of the length of run. For MD5 hash, the probabilities are independent, even for a malloc overrun as in the example, because consecutive hash values are not dependent on the neighboring hash values in any simple way.

Still, 1/4G is quite small.