It's now raw SHA.  It could be some form of salted SHA, but I tried hashing it a few different ways (salt in front, salt in back, etc) and it didn't match up for me. 

The solution is to either get the code or to spend some time exhausting the possibilities. 

I wouldn't say its secure; it's just obscure.  I only spent about 5 or 10 minutes on it.  Someone who is willing to put in more time may figure it out.  And if someone gets a hold of the source code, they won't have to figure it out.

Your friend should just use scrypt, bcrypt, or PBKDF2 and not try to roll his own crypto implementation.

The site you just linked is pretty awesome.

If it's his site, can't you look at the code?

I didn't take it as rude.  The guy who designed the site is an ass.  I found a way to bypass the login to the database a month ago, and it took him a month to fix it!  So he's not really good about getting back to my friend or me.  In his defense, he probably realizes once he gives us all this stuff, he's going to get fired!

So right now the plan is just to make a list of all the problems and things we need and hopefully get it eventually so someone else can handle the site.

I'm on it, that's why I'm doing this test.  Figuring out what works and what doesn't, what we can reuse and what we need to get rid of.  Once that's done, then we'll have a better understanding of what we need the new admin to be able to do.