From 37d73a6781f448f93c3d235da0085d600f7265f5 Mon Sep 17 00:00:00 2001
From: Vincent Thiberville
Date: Tue, 13 Feb 2024 23:26:37 +0100
Subject: [PATCH] fix: keep proper magic value in macho module

This matches the https://github.com/VirusTotal/yara/pull/2041 fix done in yara 4.5.0
---
 boreal/src/module/macho.rs | 2 +-
 boreal/tests/it/libyara_compat/macho.rs | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/boreal/src/module/macho.rs b/boreal/src/module/macho.rs
index bd75df03..946c1380 100644
--- a/boreal/src/module/macho.rs
+++ b/boreal/src/module/macho.rs
@@ -833,7 +833,7 @@ fn parse_header>(
 }

 [
- ("magic", header.magic().to_be().into()),
+ ("magic", header.magic().into()),
 ("cputype", cputype.into()),
 ("cpusubtype", cpusubtype.into()),
 ("filetype", header.filetype(e).into()),
diff --git a/boreal/tests/it/libyara_compat/macho.rs b/boreal/tests/it/libyara_compat/macho.rs
index 2f03ff2d..1f70d4a0 100644
--- a/boreal/tests/it/libyara_compat/macho.rs
+++ b/boreal/tests/it/libyara_compat/macho.rs
@@ -284,6 +284,14 @@ fn test_macho() {
 true,
 );

+ check_file(
+ "import \"macho\" rule test { condition:
+ macho.file[0].magic == 0xcefaedfe and
+ macho.file[1].magic == 0xcffaedfe }",
+ "tests/assets/libyara/data/tiny-universal",
+ true,
+ );
+
 // Entry points for files (LC_MAIN)

 check_file(
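Review bot: Dropping `.to_be()` from the `("magic", …)` entry changes the value that every existing rule compares against, and nothing at the call site records why. `to_be()` is a no-op on big-endian targets and a byte swap on little-endian ones, so the old output also depended on the scanning host. Rules tuned to the old little-endian output (presumably the swapped form of the `0xcefaedfe` the new test expects) would silently stop matching. I would add a comment above the entry such as `// Exposed as returned by magic(), without byte-swapping, to match yara 4.5.0 (VirusTotal/yara#2041).` and mention the rule-visible change in the release notes so rule sets can be re-validated. The rest of parse_header lies outside this hunk.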
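Review bot: The added `check_file` pins only `macho.file[0].magic` and `macho.file[1].magic` of the universal asset, so the top-level `macho.magic` of a thin Mach-O file is not asserted here. If parse_header feeds both paths, as the single changed line suggests, a regression on the thin path would go unnoticed. Both expected values (`0xcefaedfe`, `0xcffaedfe`) also have the same byte order, so a header whose magic reads the other way round is not exercised. I would add a `check_file` on a thin asset asserting `macho.magic`, plus a negative case showing the previously reported swapped constant no longer matches. test_macho continues beyond this hunk, so equivalent checks may already exist outside the visible lines.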