“[addr][addr+2]%.[val. min. - 8]x%[offset]$hn%.[val. max - val. min.]x%[offset+1]$hn”

where addr is the memory location you want to overwrite (eg .dtors), val. max and val.min are the upper and lower bytes of what we want to put into that memory location (eg the address of our shellcode) and offset is where our format string is.