What does the endbr64 instruction mean at the start of functions?
It marks an instruction as a legal target for an indirect jump or call — part of Intel CET (Control-flow Enforcement Technology), and a harmless nop on CPUs that don't support CET.
* CET Indirect Branch Tracking: an indirect jmp/call must land on endbr64; landing mid-function faults, shrinking ROP/JOP gadgets. *
endbr64 is a security marker the compiler drops at the top of every function that might be reached indirectly. On a CET-enabled CPU, any indirect branch (a jmp *%reg or call *%reg) is only allowed to land on an endbr64; jumping into the middle of a function lands on something else and the CPU faults. This shrinks the menu of gadgets available to ROP (Return-Oriented Programming) and JOP (Jump-Oriented Programming) attacks, which work by chaining indirect branches into arbitrary instruction boundaries.
my_function:
endbr64
push %rbp
...
When you're reverse-engineering, treat endbr64 as scenery — it has no effect on the logic, so just skip past it. Its only forensic value is a hint about how the binary was built: its presence means compilation with -fcf-protection (the default on modern GCC), and its absence suggests an older binary or one built without control-flow integrity.
Go deeper: