LOGBOOK

HELP

Quiz Entry - updated: 2026.07.06

What does the endbr64 instruction mean at the start of functions?

It marks an instruction as a legal target for an indirect jump or call — part of Intel CET (Control-flow Enforcement Technology), and a harmless nop on CPUs that don't support CET.

Under CET, an indirect branch must land on an endbr64 or the CPU faults, blocking ROP/JOP

* CET Indirect Branch Tracking: an indirect jmp/call must land on endbr64; landing mid-function faults, shrinking ROP/JOP gadgets. *

endbr64 is a security marker the compiler drops at the top of every function that might be reached indirectly. On a CET-enabled CPU, any indirect branch (a jmp *%reg or call *%reg) is only allowed to land on an endbr64; jumping into the middle of a function lands on something else and the CPU faults. This shrinks the menu of gadgets available to ROP (Return-Oriented Programming) and JOP (Jump-Oriented Programming) attacks, which work by chaining indirect branches into arbitrary instruction boundaries.

my_function:
    endbr64
    push %rbp
    ...

When you're reverse-engineering, treat endbr64 as scenery — it has no effect on the logic, so just skip past it. Its only forensic value is a hint about how the binary was built: its presence means compilation with -fcf-protection (the default on modern GCC), and its absence suggests an older binary or one built without control-flow integrity.

Go deeper:

From Quiz: REVE1 / Assembly Patterns & GDB | Updated: Jul 06, 2026