05-01-2004, 04:39
Satyric0n
 
This may be stating the obvious, but here goes...

A "PUSH $address" followed by a RETN is functionally identical to "JMP $address". The instructions are different, but they accomplish the exact same thing, since RETN basically just does what can be thought of as "POP EIP".

If the purpose of examining the difference between the two was to try to find a pattern of some sort (i.e. the PUSH, RETN is there when there are stolen bytes, the JMP is there when there aren't), then my comment has no relevance.

But, since it appears there is no such pattern (as evidenced by the fact that the VCD app has the PUSH, RETN), the difference between the two seems irrelevant to me. Maybe ASPR just generates one or the other randomly, to try to confuse people?

Regards,
Satyric0n

Last edited by Satyric0n; 05-01-2004 at 04:47.
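The equivalence described in the post above, as an added example that is not part of the original post: a small Python decoder and toy 32-bit stepper that resolves both `PUSH imm32; RETN` and `JMP rel32` to the same target. It also shows the one observable difference, the address left in the stack slot just below ESP. The function names, the sample addresses and the byte strings are constructed for illustration.

```python
import struct

def decode_transfer(code: bytes, va: int):
    """Return (form, target, length) for the two encodings, else None."""
    # PUSH imm32 (68 id) immediately followed by RETN (C3)
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return ("push_ret", struct.unpack_from("<I", code, 1)[0], 6)
    # JMP rel32 (E9 cd): target is relative to the next instruction
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("jmp_rel32", (va + 5 + rel) & 0xFFFFFFFF, 5)
    return None

def emulate(code: bytes, va: int, esp: int, stack: dict):
    """Step the sequence on a toy 32-bit state; returns (eip, esp, stack)."""
    form, target, _ = decode_transfer(code, va)
    stack = dict(stack)
    if form == "push_ret":
        esp = (esp - 4) & 0xFFFFFFFF   # PUSH: reserve a slot...
        stack[esp] = target            # ...and store the address
        eip = stack[esp]               # RETN: load EIP from [ESP]...
        esp = (esp + 4) & 0xFFFFFFFF   # ...and release the slot
    else:
        eip = target                   # JMP: EIP only, stack untouched
    return eip, esp, stack

# Constructed sample bytes: both transfer to 0x00401000 from VA 0x00405000
TARGET, VA, ESP = 0x00401000, 0x00405000, 0x0012FFC4
PUSH_RET = b"\x68" + struct.pack("<I", TARGET) + b"\xC3"
JMP_REL = b"\xE9" + struct.pack("<i", TARGET - (VA + 5))

if __name__ == "__main__":
    for seq in (PUSH_RET, JMP_REL):
        eip, esp, stack = emulate(seq, VA, ESP, {})
        print(decode_transfer(seq, VA)[0], hex(eip), hex(esp), stack)
```
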