yeah... forgot to mention that he told us explicitly not to do that. If I remember right, if I were to use a buffer overflow and consequently receive a segmentation error, I would have the same result.

I think this is what it should look like... I'm not exactly sure what to do with the pointer syntax in the functions. Why do I not define *source before I call it in the function? Is it because I use char*course in the prototype?

void Function(char *source) {
char buffer = [10]
source = buffer
(*source) = source + 12 // might be 14 depending upon whether or not the address of the source begins after at 10 or 12.  Although the buffer has 10 bits, it is 2 words long, so it actually occupies 12 bits.  Will source's address begin at 10 or begin at 12?
}

void main(){
int x;
x=0;
Function(*source)
x=1;
printf("%d\n",x);
}

we actually don't have a book...
Plus this class is wayy past the basics. I'm just taking it randomly. I've never formally been taught a computer language.
I guess this works a little bit better

void Function(char *source) {
char buffer = [10];
source = buffer;
(*source) = source + 12 /* So I need 4 bytes to pass the SFP.
another 4 bytes to overwrite the return address.
and then another 4 bytes to overwrite the x=1. */
}

void main(){
char *source = 0;
int x;
x=0;
Function(source)
x=1;
printf("%d\n",x);
}

okay. So now I have a much better idea of what I'm doing.
I got most of it right now.

#include <stdio.h>
void Function(char *source) {
int buffer[10];
int *ret;
ret = buffer + 16;
(*ret) = ret + 10;
}
void main(){
int x = 0;
Function("gsgrw")
x=1;
printf("%d\n",x);
}

so, the stack looks as follows:
[buffer][SFP][return address][x = 1]

I placed the address of ret at buffer + 16. We want the address of ret to begin after the 10 bit buffer (but this is more than two words, so the buffer must be 12 bits long) and after the 4 bit SFP. 12 + 4 = 16.

Using the assembly code (assembly code below), I need to determine how many bits are in between the beginning of the address of ret and at the end of the address x=1.

We know that the address of ret begins when the call function ends.
That happens at main + 26.

the x=1 begins at main +29 and ends at main +36
.
so we want to write over these bits with random code. So we extend the length of the ret value by 10.

Here is the assembly:

Dump of assembler code for function main:
0x08048438 : push %ebp
0x08048439 : mov %esp,%ebp
0x0804843b : sub $0x8,%esp
0x0804843e : movl $0x0,0xfffffffc(%ebp)
0x08048445 : sub $0xc,%esp
0x08048448 : push $0x8048560
0x0804844d : call 0x804841c
0x08048452 : add $0x10,%esp
0x08048455 : movl $0x1,0xfffffffc(%ebp)
0x0804845c : sub $0x8,%esp
0x0804845f : pushl 0xfffffffc(%ebp)
0x08048462 : push $0x8048564
0x08048467 : call 0x8048310 <__deregister_frame_info@plt+32>
0x0804846c : add $0x10,%esp
0x0804846f : leave
0x08048470 : ret
0x08048471 : nop
0x08048472 : nop
0x08048473 : nop

Thank you for any help