Vulnerability Development mailing list archives

about Format Strings


From: faxrazor () FASTMAIL CA
Date: Fri, 13 Oct 2000 18:11:12 -0000

I am a beginner in the field of exploiting and
recently read "Format String Attacks" by Tim
Newsham.  The article gave examples and
descriptions of many aspects of exploiting a
format string.  It however left out how one would
go about finding the EIP/return address so that we
could change the value to our liking.  I searched
everywhere on bugtraq and irc without a good
answer, so I decided to post here.

#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>   /* strlen() */

int
main(int argc, char **argv)
{
    char buf[100];
    int x;

    if (argc != 2)
        exit(1);
    x = 1;
    /* argv[1] is used directly as the format string: this is the
     * format string bug the tutorial discusses */
    snprintf(buf, sizeof buf, argv[1]);
    buf[sizeof buf - 1] = 0;
    printf("buffer (%d): %s\n", (int)strlen(buf), buf);
    printf("x is %d/%#x (@ %p)\n", x, x, (void *)&x);
    return 0;
}

The above is the code from the tutorial.  I was
wondering exactly how one would go about using gdb
to find the return address so that one might
insert it in the above to cause a segmentation fault
(for example overwrite the EIP with a given number
like 0x1 or something).  From here I
understand what goes on.  Just getting the ret
addy is the problem.  Any advice and/or examples are
appreciated.  Also can someone show an example
of how you would go about passing an address to write
twice to an address to possibly change the value
of integer x to 2 or something less than 4?
Thanks.
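Added example, not code from the post or from Newsham's paper: the tutorial program with its snprintf call in the hardened form (a fixed "%s" format, with the user string passed as an argument), plus a small check that counts the conversions in a string before it is ever used as a format. The function names copy_user_string and count_conversions are my own, and the error message wording is invented for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hardened form of the tutorial's snprintf call (added example). The user
 * string is an argument to a fixed "%s" format, so any '%' it contains is
 * copied literally instead of being interpreted as a conversion. Returns the
 * number of bytes actually stored (excluding the terminator). */
size_t copy_user_string(char *buf, size_t size, const char *user)
{
    int n = snprintf(buf, size, "%s", user);   /* fixed format, user data is data */
    if (n < 0)
        return 0;
    /* snprintf always terminates when size > 0; clamp for the truncated case */
    return (size_t)n < size ? (size_t)n : size - 1;
}

/* Defensive check a reviewer or a runtime guard can apply to any string
 * that is about to be used as a format: count its '%' conversions.
 * A string that came from argv, the environment or the network should
 * yield 0 here; "%%" (a literal percent sign) is not counted. */
int count_conversions(const char *fmt)
{
    int count = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%" escapes a literal '%' */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

/* Hardened counterpart of the tutorial program: same output, but argv[1]
 * can no longer reach snprintf as a format string. */
int main(int argc, char **argv)
{
    char buf[100];
    int x = 1;

    if (argc != 2)
        return 1;

    if (count_conversions(argv[1]) != 0)
        fprintf(stderr, "note: input contains %d conversion(s); copying it literally\n",
                count_conversions(argv[1]));

    copy_user_string(buf, sizeof buf, argv[1]);
    printf("buffer (%zu): %s\n", strlen(buf), buf);
    printf("x is %d/%#x (@ %p)\n", x, x, (void *)&x);
    return 0;
}
```

Compiling the original tutorial program with gcc's -Wformat -Wformat-security flags reports the snprintf(buf, sizeof buf, argv[1]) call as a format-string warning; the hardened version above compiles cleanly under the same flags, and with an argument such as "%x%x%n" it prints that text back unchanged and leaves x at 1.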
