I want to showcase a new module in YARA, the console module, and this is something that can help you debug your rules if your rules don't behave like you expect. So let's take a look.

First of all, I am using version 4.2.0 of YARA. This is the release candidate 1 version, so it's not the final version, but it is 4.2.0 release candidate 1. And I have a rule here that just tests if the first two bytes of a file are equal to 4d5a. So the idea is to detect a Windows executable. A Windows executable starts with MZ, so 4d5a. This function here, uint16, reads an unsigned integer of 16 bits at position 0 and compares this with 4d5a.

Now if we test this on calculator, for example, we get no hits. The rule doesn't trigger, it does not work. Why? Well, you probably already have an idea. That's because here this should be reversed. But let's just assume we don't know that, and we are going to use the console module to figure this out.

So first of all, you import the console module into your rule, and then inside the condition you can add a clause to print out a value, an integer value for example, in hexadecimal. And what I'm going to print out is exactly that value here, to see what that value looks like when YARA executes it. So this is still my condition, and this here is a function to print out that value. This always returns true, so you can add this together into your condition and the behavior of your rule should remain the same.

So let's save this and test this again. And now again we have no hit, but we see the value printed to the screen, to the console, and it is 5a4d. So it is not 4d5a, MZ, but it is 5a4d, ZM. And you already know, probably know what is going on. This function here is little-endian. So it reads 16 bits, 2 bytes, in little-endian format. So it will first return the smaller value and then the higher value. And that's why it is reversed, 5a4d. Now to fix this, there are two solutions.
Now that you know this, we can revert to our original rule and then just invert the two hexadecimal values, run this again, and now it triggers. Another solution might be to use the big-endian version. So explicitly use the big-endian version, and then this works too.
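
The rules described above, written out as an added example: this is not the rule file shown in the video, and the rule names and the message string are assumptions. It shows the non-matching rule with the console call added, followed by the two fixes.

```yara
import "console"

// The original rule with the debug call added. console.hex() logs its
// integer argument in hexadecimal and always returns true, so it does
// not change whether the rule matches. It is placed first so it is
// evaluated before the comparison.
// On a Windows executable the logged value is 5a4d, as in the video,
// so the comparison with 0x4d5a fails and the rule does not match.
rule mz_debug_broken
{
    condition:
        console.hex("uint16(0) = ", uint16(0)) and
        uint16(0) == 0x4d5a
}

// Fix 1: keep the little-endian read and swap the two bytes of the
// constant. Bytes 4d 5a on disk are read by uint16() as 0x5a4d.
rule mz_little_endian
{
    condition:
        uint16(0) == 0x5a4d
}

// Fix 2: read the two bytes explicitly as big-endian, so the constant
// can stay in the same order as the bytes appear in the file.
rule mz_big_endian
{
    condition:
        uint16be(0) == 0x4d5a
}
```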