\vminfo
...
cgame : compiled on load
	code length : 2773738
	table length:  828664
	data length : 8388608

search for code length
correct one should have "cgame" 96 bytes before it
cgvm->dataBase should be at result + 12 bytes
don't forget it's little-endian so for example the number 0x141999c0 is represented by the bytes c0 99 19 14

set start/stop in memory scan options to cgvm->dataBase and cgvm->dataBase+cgvm->dataMask (dataMask is right after dataBase)


now search for cg.predictedPlayerState within cgvm->dataBase with a grouped scan

             4:1 4:* 4:* 4:* 4:* 4:* 4:*  f:-576 f:1088 f:152.125 f:0 f:0 f:0 4:* 4:800 4:320 
               ^                              ^     ^     ^
make this whatever cg_thirdPerson is          change these to current origin

might have to try toggling cg_thirdPerson and the first search field a few times to narrow it down
add 8 to whatever this finds because first two 4 byte fields are
cg.renderingThirdPerson and cg.hyperspace
rest are cg.predictedPlayerState (first 3 floats are origin)

for example, match at 0x14283728 means cg.predictedPlayerState starts at 0x14283730


subtract cgvm->dataBase (0x141999c0 in this example) from cg.predictedPlayerState (0x14283730) to get offset
0x14283730 - 0x141999c0 = 0xe9d70 (957808)