String Format Attack

glubby
forum buddy
Posts: 19
Joined: 04 Apr 2008, 16:00


Post by glubby »

Hi,
Since the beginning of the week, I have been trying to perform a format string attack. The goal is to read elements within the execution stack of the program. To do so, I am using this little C code that I found.

/*
 * fmtme.c
 * Format a value into a fixed-size buffer
 */
#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>   /* strlen() */

int main(int argc, char **argv)
{
    char buf[100];
    int x;

    if (argc != 2)
        exit(1);
    x = 1;
    /* argv[1] is used directly as the format string: this is the format string bug under test */
    snprintf(buf, sizeof buf, argv[1]);
    buf[sizeof buf - 1] = 0;
    printf("buffer (%d): %s\n", (int)strlen(buf), buf);
    printf("x is %d/%#x (@ %p)\n", x, x, (void *)&x);
    return 0;
}

The program works fine. Here are the results:

$ ./fmtme "aaaa %x %x %x %x %x %x %x %x %x"
buffer (49): aaaa 0 0 0 bf821020 bf820ff0 8048226 0 1 61616161
x is 1/0x1 (@ 0xbf820f68)

Here is the problem: in the example, run on BSD/OS 4.1, they get this:
% ./fmtme "aaaa %x %x"
buffer (15): aaaa 1 61616161
x is 1/0x1 (@ 0x804745c)

I would like to know what those values "0 0 0 bf821020 bf820ff0 8048226 0" are that I see before I read the stack's elements (the value of x and the hexadecimal output of "aaaa"). I have been testing it on BackTrack 2, Debian 3.1 and Fedora 7 (kernel 2.6) and I obtain similar results. Any explanations?

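The root cause of the behaviour glubby is probing is that argv[1] is handed to snprintf as the format string itself, so every "%x" in it consumes a word from the caller's stack. The following is an added example, not glubby's program, showing the fix a reviewer would ask for: keep the format string constant and pass the input as a "%s" argument. It also includes a small audit helper, count_conversions, which is a name chosen here and not from the post, that counts how many conversions a string would trigger if it were misused as a format; that makes a useful log or fuzzing check. The sample input is constructed to mirror the probe string in the post.

```c
/*
 * fmt_safe.c  (added example, not the code from the post)
 * The post's call  snprintf(buf, sizeof buf, argv[1])  lets untrusted input
 * act as the FORMAT string. Here the format is a constant and the input is
 * only ever data, so "%x" in the input is printed literally.
 */
#include <stdio.h>
#include <string.h>

#define BUF_SZ 100

/* Hardened formatting: input is an argument, never a format string.
 * Returns snprintf's result: the length the full output would have had,
 * which exceeds bufsz - 1 when the input was truncated. */
int format_safe(char *buf, size_t bufsz, const char *input)
{
    int n = snprintf(buf, bufsz, "%s", input);  /* constant format */
    buf[bufsz - 1] = '\0';                      /* belt and braces */
    return n;
}

/* Audit heuristic (hypothetical helper): count the conversion specifiers an
 * untrusted string would trigger if it were ever used as a format.
 * "%%" is a literal percent sign; any other character after '%' starts a
 * conversion. A non-zero result on input that reaches a *printf-style call
 * is worth logging. */
int count_conversions(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* literal "%%", skip both characters */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

int main(int argc, char **argv)
{
    char buf[BUF_SZ];
    /* constructed sample input mirroring the probe string in the post */
    const char *input = argc > 1 ? argv[1] : "aaaa %x %x %x %x";

    int convs = count_conversions(input);
    format_safe(buf, sizeof buf, input);
    printf("input would trigger %d conversions if used as a format\n", convs);
    printf("buffer (%zu): %s\n", strlen(buf), buf);  /* the %x appear literally */
    return 0;
}
```

Compiling the original fmtme.c with gcc -Wformat -Wformat-security flags the snprintf call as a non-literal format with no arguments, which is the cheapest way to catch this class of bug before it ships; format_safe above produces no such warning.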