Endianness

Endianness defines the byte order used when storing a multi-byte integer in memory. x86-64, ARM64 (in default LE mode), and most modern desktop/server CPUs are little-endian.

Little-endian (x86/x64)

The least significant byte is stored at the lowest address.

Value: 0x12345678  (32-bit)

Memory address:  0x00  0x01  0x02  0x03
Content:          78    56    34    12
                  ↑ LSB                ↑ MSB

uint32_t x = 0x12345678;
uint8_t *p = (uint8_t *)&x;
// p[0] = 0x78, p[1] = 0x56, p[2] = 0x34, p[3] = 0x12

Big-endian

The most significant byte is stored at the lowest address (network byte order, many binary file formats, MIPS/SPARC historically).

Value: 0x12345678

Memory address:  0x00  0x01  0x02  0x03
Content:          12    34    56    78
                  ↑ MSB                ↑ LSB

Byte-swap instructions on x86-64

asm

bswap eax        ; reverse byte order of EAX: 0x12345678 → 0x78563412
bswap rax        ; 64-bit version
xchg al, ah      ; swap bytes of AX only
ror  ax, 8       ; rotate 16-bit value (network ↔ host for short)

BSWAP is the hardware htonl/ntohl equivalent.

Reverse-engineering notes

When a hex dump of an integer looks "backwards" compared to the source code, you are seeing little-endian storage. This trips up newcomers reading raw memory in a debugger.
Magic numbers in file headers (e.g. 0x504B0304 for ZIP) are stored in big- endian in the file spec but may appear reversed if you read them as a 32-bit little-endian integer — always confirm the endianness of the format.
Network packets and TLS records are big-endian; a function that calls bswap before processing a field is converting from network byte order.
ARM64 processors can switch to big-endian mode but shipped hardware almost always uses little-endian; assume LE unless the binary's ELF/Mach-O header says otherwise.