It would be a lot better if you posted your C code, and the gdb disassembly output for main and the function. That aside. It looks like you're loading the address ebp-24 onto eax, which I assume is a buffer. Then it looks like you're adding 48 to it. I think that you should actually be adding 28 to it. ebp is just below the return address in the stack. and since you loaded ebp-24 into eax, you only need to add 28 to get the address of the return address into eax. After that you just need to change the value at that address to the new address you want it to return to. To do that, you simply find the address after x is assigned the value 1 in main, and set *ret = that address in hex. Good luck, and I can probably help more if you post everything specified in the beginning of my post. I was having a hard time figuring out what was going on near the end of that function.

edit
I think I see now. You're just adding a certain amount to the return address. Look at the disas of main. The return address before you modify it will be the address of the instruction right after your call to the instruction. Count the amount you have to add to get it to move to the instruction right after it assigns x the value 1, then use that value in your (*ret) +=. I'm not sure how the optimization options will affect this. When I started out doing this I never used any weird options, just the standard -o and maybe -g.