So I never got that process in the OP to work.
It seems that all config data is stored in the XML config file; changing the HTML files on disk doesn't do anything.
I then tried some other hack that involved disabling the captive portal and then re-enabling it using cron. That didn't work either.
I just wanted a normal captive portal login during the day, and after hours, a simple page showing the AUP and a button to accept it and get online.
But this did:
Install and configure FreeRADIUS; create 2 users, one for normal guest access, one for after-hours access. The normal account has a password we change periodically and only give to known guests. The after-hours account has a simple password, but is restricted in RADIUS to only be allowed to log in after hours.
Configure captive portal to use RADIUS for authentication.
Create custom captive portal login screen with a bit of JavaScript which hides an entire DIV. During the day it shows a DIV containing the normal captive portal login form. After hours, it hides that DIV and displays another one which shows a different login form, using the after-hours username/password as hidden fields, and a plain ACCEPT button.
In the morning, I reboot the firewall to boot everyone who might be using the after-hours login still off the guest network.
Since the after-hours RADIUS user is restricted to certain login hours, even if someone does a view source and gets the account info, it won't help them.
Only downside is it relies on the time on the client being correct, but I'm willing to live with that.
I can post the source of the captive portal login page if anyone is interested.
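
Added example (not the poster's page source): one way the time-based DIV switch described in the post could be written. The element ids and the 18:00 to 07:00 window are assumptions; the switch only decides which form is displayed, while the RADIUS login-hours restriction is what actually enforces access.

```javascript
// Added example. Element ids and the schedule below are assumptions,
// not values taken from the post.
// After-hours window in minutes since local midnight. It wraps past
// midnight (18:00 -> 07:00), which a naive "start <= now < end" test misses.
const AFTER_HOURS = { start: 18 * 60, end: 7 * 60 };

// True when `date` (client local time) falls inside the window.
function isAfterHours(date, win = AFTER_HOURS) {
  const now = date.getHours() * 60 + date.getMinutes();
  if (win.start === win.end) return false;        // empty window
  return win.start < win.end
    ? now >= win.start && now < win.end           // same-day window
    : now >= win.start || now < win.end;          // window spans midnight
}

// Returns the id of the DIV that should be visible.
function pickForm(date, win = AFTER_HOURS) {
  return isAfterHours(date, win) ? "afterhours-login" : "daytime-login";
}

// Show exactly one form and hide the other. `doc` is injectable so the
// logic can be exercised without a browser.
function applyPortalMode(doc, date = new Date()) {
  const shown = pickForm(date);
  for (const id of ["daytime-login", "afterhours-login"]) {
    const el = doc.getElementById(id);
    if (el) el.style.display = id === shown ? "block" : "none";
  }
  return shown;
}

// In the browser, run once the portal page has loaded.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => applyPortalMode(document));
}
```

A client with a wrong clock simply sees the other form; a login with the after-hours account outside its permitted hours is still rejected by RADIUS.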