According to the Hex-Rays IDA plugin, you should change the following 5 bytes. The address numbers are taken from there, so I highly recommend that you use the same software to avoid mistakes.
(look for the "// CHANGE VALUE" pattern)
Code:
/*
 * Restated from the Hex-Rays pseudocode of CGuild::AdvanceLevel.
 *
 * Reads the byte at a1 + 12 (the guild level this guide patches). If it
 * already equals a2, that byte is returned unchanged. Otherwise the byte is
 * overwritten with MIN(20, a2) and the capped value is returned.
 *
 * The literal 20 (14h) is the level cap; it is one of the five bytes the
 * guide changes, and it must match the cap constants used elsewhere.
 */
int __cdecl CGuild__AdvanceLevel(int a1, int a2)
{
  int level = *(_BYTE *)(a1 + 12); // eax@1

  /* Nothing to store when the requested level is already set. */
  if ( level == a2 )
    return level;

  level = MIN(20, a2); // CHANGE VALUE (14h) HERE, ADDRESS 0808FC5E
  *(_BYTE *)(a1 + 12) = level;
  return level;
}
Code:
/*
 * Hex-Rays pseudocode of CGuild::GuildPointChange.
 *
 * a1  base address for every field access below (presumably the CGuild
 *     `this` pointer - confirm).
 * a2  kind of change: 3 updates the dword at a1 + 8 and the level byte at
 *     a1 + 12; 7 updates the dword at a1 + 192, clamped to the dword at
 *     a1 + 196; any other value returns a2 without touching anything.
 * a3  signed amount to add.
 * a4  when non-zero, the CGuild__Save* calls (and, on a level-up,
 *     CGuild__ChangeLadderPoint) are made.
 *
 * The a2 == 3 path holds four of the five level-cap bytes this guide
 * patches: 13h at 0808F2BE (cap - 1) and 14h at 0808F2EF, 0808F2F6 and
 * 0808F2C2 (cap).
 * NOTE(review): inside the level-up loop the dword at a1 + 8 and the level
 * byte are only modified in the two branches guarded by these constants, so
 * they must be changed together and stay consistent; if a level satisfies
 * neither guard while the loop condition still holds, the loop would
 * presumably never terminate.
 * NOTE(review): __guild_levelup_exp(v8) is called with every level up to
 * the cap; presumably it reads guild_exp_table2 - confirm the table covers
 * the new maximum before raising the constants.
 */
int __cdecl CGuild__GuildPointChange(int a1, unsigned __int8 a2, int a3, char a4)
{
  int result; // eax@1
  int v5; // edx@4
  int v6; // eax@4
  unsigned int v7; // edx@10
  unsigned __int8 v8; // al@11
  int v9; // eax@16
  int v10; // edx@16
  int v11; // edx@19
  int v12; // edx@21
  int v13; // edi@23
  int v14; // ebx@24
  int v15; // eax@24
  int v16; // [sp+28h] [bp-410h]@21
  int v17; // [sp+2Ch] [bp-40Ch]@21
  char v18; // [sp+30h] [bp-408h]@21
  signed int (__cdecl *v19)(int, signed int); // [sp+40h] [bp-3F8h]@19
  int v20; // [sp+44h] [bp-3F4h]@19
  int v21; // [sp+48h] [bp-3F0h]@19
  char v22; // [sp+50h] [bp-3E8h]@19
  char v23; // [sp+60h] [bp-3D8h]@7
  signed int (__cdecl *v24)(int, signed int); // [sp+1A0h] [bp-298h]@7
  int v25; // [sp+1A4h] [bp-294h]@7
  char v26; // [sp+1A8h] [bp-290h]@7
  char v27; // [sp+2E0h] [bp-158h]@7
  char v28; // [sp+2E8h] [bp-150h]@7
  result = a2;
  if ( a2 != 3 )
  {
    if ( a2 == 7 )
    {
      // Add a3 to the dword at a1 + 192, then clamp it to the dword at a1 + 196.
      v6 = a3 + *(_DWORD *)(a1 + 192);
      *(_DWORD *)(a1 + 192) = v6;
      v5 = *(_DWORD *)(a1 + 196);
      if ( v6 > v5 )
        *(_DWORD *)(a1 + 192) = v5;
      if ( a4 )
        CGuild__SaveSkill(a1);
      // Run CGuild__SendSkillInfoPacket over the container rooted at a1 + 240;
      // the CGuild__CGuild / CGuild___CGuild calls are decompiler-named
      // constructors/destructors of the temporaries used for that call.
      CGuild__CGuild((int)&v23, a1);
      v24 = CGuild__SendSkillInfoPacket;
      v25 = 0;
      CGuild__CGuild((int)&v26, (int)&v23);
      CGuild___CGuild((int)&v23);
      std__for_each_std___Rb_tree_iterator_CHARACTER___CHARACTER___const__CHARACTER___const___std__binder1st_std__const_mem_fun1_ref_t_void_CGuild_CHARACTER_____(
        (int)&v27,
        *(_DWORD *)(*(_DWORD *)(a1 + 240) + 8),
        *(_DWORD *)(a1 + 240),
        (int)&v24);
      CGuild___CGuild((int)&v28);
      result = CGuild___CGuild((int)&v26);
    }
    // Any a2 other than 3 ends here.
    return result;
  }
  // a2 == 3 from here on.
  if ( a3 >= 0 )
  {
    v7 = *(_DWORD *)(a1 + 8);
    goto LABEL_11;
  }
  // a3 is negative: apply it only if the current value covers it, otherwise
  // fall through to the reset to 0 further down.
  v7 = *(_DWORD *)(a1 + 8);
  if ( v7 >= -a3 )
  {
LABEL_11:
    *(_DWORD *)(a1 + 8) = a3 + v7;
    v8 = *(_BYTE *)(a1 + 12);
    // Level up for as long as the dword at a1 + 8 reaches the threshold
    // returned by __guild_levelup_exp for the current level.
    while ( *(_DWORD *)(a1 + 8) >= (unsigned int)__guild_levelup_exp(v8) )
    {
      v8 = *(_BYTE *)(a1 + 12);
      if ( v8 <= 0x13u ) // CHANGE VALUE (13h) HERE, ADDRESS 0808F2BE
      {
        // Below the cap: subtract this level's threshold and raise the level by one.
        v9 = __guild_levelup_exp(v8);
        v10 = a1;
        *(_DWORD *)(v10 + 8) -= v9;
        LOBYTE(v9) = *(_BYTE *)(a1 + 12);
        ++*(_BYTE *)(v10 + 176);
        LOBYTE(v9) = v9 + 1;
        *(_BYTE *)(a1 + 12) = v9;
        if ( (_BYTE)v9 > 0x14u ) // CHANGE VALUE (14h) HERE, ADDRESS 0808F2EF
          *(_BYTE *)(a1 + 12) = 20; // CHANGE VALUE (14h) HERE, ADDRESS 0808F2F6
        CGuild__ComputeGuildPoints(a1);
        // Recursive call on the a2 == 7 path with the difference between the
        // dwords at a1 + 196 and a1 + 192, which raises a1 + 192 to a1 + 196.
        CGuild__GuildPointChange(a1, 7u, *(_DWORD *)(a1 + 196) - *(_DWORD *)(a1 + 192), 0);
        if ( a4 )
          CGuild__ChangeLadderPoint((int *)a1, 1000);
        // Run CGuild__SendGuildInfoPacket over the container rooted at a1 + 240.
        v19 = CGuild__SendGuildInfoPacket;
        v20 = 0;
        v11 = *(_DWORD *)(a1 + 240);
        v21 = a1;
        std__for_each_std___Rb_tree_iterator_CHARACTER___CHARACTER___const__CHARACTER___const___std__binder1st_std__mem_fun1_t_void_CGuild_CHARACTER_____(
          (int)&v22,
          *(_DWORD *)(v11 + 8),
          v11,
          CGuild__SendGuildInfoPacket,
          0,
          a1);
        v8 = *(_BYTE *)(a1 + 12);
      }
      // At the cap the dword at a1 + 8 is zeroed; this is the only other
      // place in the loop body that changes it.
      if ( v8 == 20 ) // CHANGE VALUE (14h) HERE, ADDRESS 0808F2C2
        *(_DWORD *)(a1 + 8) = 0;
    }
    goto LABEL_21;
  }
  *(_DWORD *)(a1 + 8) = 0;
LABEL_21:
  // Build the 4-byte header in v17: byte 0 = 4Bh, 16-bit value 9 at offset 1,
  // byte 3 = 10. All four bytes are overwritten by these three statements.
  v17 = v17 & 0xFFFFFF00 | 0x4B;
  *(_WORD *)((char *)&v17 + 1) = 9;
  BYTE3(v17) = 10;
  // Payload: the header, the level byte at a1 + 12, then the dword at a1 + 8.
  TEMP_BUFFER__TEMP_BUFFER((int)&v18);
  TEMP_BUFFER__write((int *)&v18, (int)&v17, 4);
  TEMP_BUFFER__write((int *)&v18, a1 + 12, 1);
  TEMP_BUFFER__write((int *)&v18, a1 + 8, 4);
  // Walk the container rooted at a1 + 240 and pass the buffer to DESC__Packet
  // for every node whose v13 is non-zero (presumably the member's connection
  // descriptor - confirm).
  v12 = *(_DWORD *)(a1 + 240);
  v16 = *(_DWORD *)(v12 + 8);
  while ( v16 != v12 )
  {
    v13 = *(_DWORD *)(*(_DWORD *)(v16 + 16) + 24);
    if ( v13 )
    {
      v14 = TEMP_BUFFER__size((int *)&v18);
      v15 = TEMP_BUFFER__read_peek((int *)&v18);
      DESC__Packet(v13, v15, v14);
    }
    std___Rb_tree_base_iterator___M_increment((int)&v16);
    v12 = *(_DWORD *)(a1 + 240);
  }
  if ( a4 )
    CGuild__SaveLevel(a1);
  return TEMP_BUFFER___TEMP_BUFFER((int *)&v18);
}
EXP Array:
Code:
; guild_exp_table2 as listed by IDA: the db bytes below add up to 84 bytes,
; i.e. 21 little-endian 32-bit entries (index 0 to 20).
; Index 0 = 0, index 1 = 1770h (6000), index 2 = 4650h (18000), ...,
; index 20 = 01005900h (16800000).
; NOTE(review): presumably indexed by guild level through __guild_levelup_exp -
; confirm; a level cap above 20 would then read past this table unless it is
; extended.
.rodata:0821AD20 guild_exp_table2 db 4 dup(0), 70h, 17h, 2 dup(0), 50h, 46h, 2 dup(0), 0A0h
.rodata:0821AD20 db 8Ch, 3 dup(0), 0FAh, 2 dup(0), 30h, 6Fh, 1, 0, 0D0h
.rodata:0821AD20 db 0FBh, 1, 0, 0E0h, 9Fh, 2, 0, 60h, 5Bh, 3, 0, 50h, 2Eh
.rodata:0821AD20 db 4, 0, 0B0h, 18h, 5, 0, 80h, 1Ah, 6, 0, 0C0h, 27h, 9
.rodata:0821AD20 db 0, 40h, 0D1h, 0Ch, 2 dup(0), 17h, 11h, 2 dup(0), 0F9h
.rodata:0821AD20 db 15h, 0, 40h, 77h, 1Bh, 0, 40h, 0ACh, 27h, 2 dup(0)
.rodata:0821AD20 db 0D4h, 30h, 2 dup(0), 9, 3Dh, 2 dup(0), 59h, 0, 1
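The EXP amount for each level is stored in 4 bytes in reverse (little-endian) order (the same way as the EXP for the player). For example, the level 1 EXP amount is: 70h, 17h, 2 dup(0) => 001770h => 6000, level 2: 50h, 46h, 2 dup(0) => 004650h => 18000, and so on. So you just need to add appropriate values to the end of this array (in your case 15x4 bytes). The listing above holds 21 entries (84 bytes, levels 0 to 20), so check what is stored right after the table before extending it in place, because the added bytes overwrite whatever follows. Hope it helps a little :).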
EDIT: Sorry for the previous bad information; you should edit the array guild_exp_table2 (guild_exp_table is for the Korean locale).