Why shellcodes with jmp instruction work, and why doesn't the labels work inside a C wrapper?

Question

I have two assembly codes like the one below

file: a.asm

section .text
global _start
_start: mov eax, 4
        mov ebx, 1
        mov ecx, mesg
        mov edx, 10
        int 0x80
        mov eax, 1
        int 0x80
mesg    db      "KingKong",0xa

and another assembly code

file: b.asm

section .text
global _start

_start: jmp mesg

prgm:   mov eax, 4
        mov ebx, 1
        pop ecx
        mov edx, 10
        int 0x80
        mov eax,1
        int 0x80
mesg:   call prgm
        db "KingKong",0xa

After taking the hex of these two codes and putting it inside this C wrapper

char *b = "\xb8\x04\x00\x00\x00\xbb\x01\x00\x00\x00\xb9\x7d\x80\x04\x08\xba\x0a\x00\x00\x00\xcd\x80\xb8\x01\x00\x00\x00\xcd\x80\x4b\x69\x6e\x67\x4b\x6f\x6e\x67\x0a";

char *b = "\xe9\x19\x00\x00\x00\xb8\x04\x00\x00\x00\xbb\x01\x00\x00\x00\x59\xba\x0a\x00\x00\x00\xcd\x80\xb8\x01\x00\x00\x00\xcd\x80\xe8\xe2\xff\xff\xff\x4b\x69\x6e\x67\x4b\x6f\x6e\x67\x0a";
int main()
{
        (*(int (*)(void))a)();
}

The first assembly code(b) prints 'KingKong' as expected but the second assembly code a print garbage. like the one shown

root@bt:~/Arena# ./a
�root@bt:~/Arena#
root@bt:~/Arena# ./b
KingKong

output generated by a (first one) is this � weird character, while the second one (b) prints kingkong as expected. Now could someone exlain why was the second assembly code is working while the first isn't .

EDIT: From the answer I see that the first program hard-codes the address. Even the second approach uses labels, like jmp mesg, now wont this instruction make the program very similar to the first, aren't they both the same cos they use labels to decide the location. All I know is, to have the code position independent we need to use the esp or the ebp registers with relative addressing scheme. Wont the second program's jmp instruction make it just the same like the first one.

Answer 1

The address of mesg can vary depending on how your program is laid out in memory.

The following will hard-code a specific address and will not work reliably (or at all):

    mov ecx, mesg

For reference, the first approach hard-codes the following address:

    mov ecx, 0x804807d

The second approach does work because it figures out the address of mesg at runtime, using the return address of a call instruction.

Put another way, the first version only works if loaded at a specific address whereas the second is position-independent.

It is worth noting that the jmp and the call instructions that appear in the second version use relative addressing, meaning that the opcodes specify the distance to the target rather than the address of the target. This makes these instructions work regardless of where they are placed in memory.

If you examine the opcodes, you'll see that the jmp is encoded as

e9 19 00 00 00

(i.e. jump 0x19, or 25₁₀, bytes forward), and the call is encoded as

e8 e2 ff ff ff

where 0xffffffe2 is a small negative number (-30).