Landing rapid7#1835 - Fix a backwards disasm bug which stomps on the depth opt

Author: wchen-r7

lib/rex/ropbuilder/rop.rb

@@ -195,16 +195,16 @@ def color_pattern(gadget, disasm, addrs, p)
 	end
 
 	def process_gadgets(rets, num)
-		ret = {}
+		ret     = {}
 		gadgets = []
-		tmp = []
+		tmp     = []
 		rets.each do |ea|
 			insn = @disassembler.disassemble_instruction(ea)
 			next if not insn
 
 			xtra = insn.bin_length
 
-			1.upto(num) do |x|
+			num.downto(0) do |x|
 				addr = ea - x
 
 				# get the disassembled instruction at this address
@@ -234,6 +234,7 @@ def process_gadgets(rets, num)
 				else
 					next
 				end
+
 				# otherwise, we create a new tailchunk and add it to the list
 				ret = {:file => @file, :address => ("0x%08x" % (ea - x)), :raw => buf, :disasm => dasm}
 				gadgets << ret