Ok, I think I'm down to the last missing item, but it's proving to be difficult -- the translation vectors.
So far, here is what I have found. It has been consistent across every instance of df I've run, so if anyone else who can dump or examine memory could verify these, it would be greatly appreciated. These are all 40d11, so they probably won't work on earlier versions:
In all cases, .text starts at 0x08048000, .bss at 0x08808000.
DwarvenRaceIndex is at 0x092a7b84, value = 0xa6
RaceVector.Start is at 0x093016b0
CreatureVector.Start is at 0x092bee50
LanguageVector.Start is at 0x09301770
As was posted earlier, the value at vector.start is a pointer to the first entry in the vector. (For the curious, the vector length appears to be at Vector.Start - 4). Since these are vectors of objects, that location is itself a pointer to the object in question. So far, in each case the first 4 bytes of the object is a std::string: Race name, Creature First name, or Language word.
The value in the field is a pointer to a null-terminated char array. The length of the array is at offset -12 from that, and the capacity is at offset -8.
For the creatures, so far I have found the following fields:
[0]: FirstName (std::string)
[+4]: Custom Nickname (std::string)
[+38]: Custom Profession (std::string)
[+44]: Race Index (int) -- for dwarves = 0xa6 (from DwarvenRaceIndex).
I assume the last name starts at or near offset +8, but the last names are actually English words read from the dwarf translation table in the translation vector, and I haven't found that yet. I'm still trying to work out the structure of the translation objects and word tables, which don't match up with what the Win32 C# code is doing to read them in.
For those playing along at home, though: the first translation in the vector should be the DWARF one, and the first words in the DWARF language table are kulet ("abbey"), alak ("ace"), and bidok ("act").
More to come...
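
An added example, not part of the original post: the pointer chain described above (vector.start -> first entry -> object -> std::string field, with length at -12 and capacity at -8), walked over a constructed memory snapshot with bounds and sanity checks on every read. It assumes a 32-bit little-endian process; the image base, the heap addresses, the names "Urist" and "Axe", the Latin-1 decoding and all function names are assumptions made for the example.

```python
import struct

BASE = 0x092B0000                    # constructed image base (assumption)
CREATURE_VECTOR_START = 0x092BEE50   # CreatureVector.Start from the post (40d11)
MAX_STR = 256                        # sanity cap on string length (assumption)

class Image:
    """Flat little-endian 32-bit memory snapshot starting at `base`."""
    def __init__(self, base, data):
        self.base, self.data = base, data

    def read(self, addr, n):
        off = addr - self.base
        if off < 0 or off + n > len(self.data):
            raise ValueError(f"read of {n} bytes at {addr:#x} is outside the image")
        return bytes(self.data[off:off + n])

    def u32(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]

def read_string(img, field_addr):
    """Decode the std::string whose 4-byte field lives at field_addr."""
    chars = img.u32(field_addr)       # the field is a pointer to the char array
    length = img.u32(chars - 12)      # length at offset -12
    capacity = img.u32(chars - 8)     # capacity at offset -8
    if length > capacity or length > MAX_STR:
        raise ValueError(f"implausible string header at {chars:#x}")
    raw = img.read(chars, length + 1)
    if raw[-1] != 0:
        raise ValueError("missing null terminator")
    return raw[:-1].decode("latin-1")  # encoding is an assumption

def build_sample():
    """Constructed snapshot: one creature, first name 'Urist', nickname 'Axe'."""
    buf = bytearray(0x10000)
    def put32(addr, v): struct.pack_into("<I", buf, addr - BASE, v)
    def put_str(rep, s):
        put32(rep, len(s)); put32(rep + 4, len(s) + 3)    # length, capacity
        buf[rep + 12 - BASE: rep + 12 - BASE + len(s) + 1] = s + b"\0"
        return rep + 12               # address of the char array
    put32(CREATURE_VECTOR_START, 0x092B1000)              # vector.start -> entries
    put32(0x092B1000, 0x092B2000)                         # first entry -> object
    put32(0x092B2000, put_str(0x092B3000, b"Urist"))      # [0]  FirstName
    put32(0x092B2004, put_str(0x092B3100, b"Axe"))        # [+4] Custom Nickname
    return Image(BASE, buf)

def first_creature(img):
    """Follow vector.start -> first entry -> object, then read [0] and [+4]."""
    obj = img.u32(img.u32(CREATURE_VECTOR_START))
    return read_string(img, obj), read_string(img, obj + 4)
```

The checks matter when the addresses are wrong for the running version: a stale offset usually lands on a header whose length exceeds its capacity or on a pointer outside the dump, and the reader raises instead of returning garbage.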