WHMCS - How to generate the upw session variable
Version 5.1.2 or newer
As of version 5.1.2, WHMCS adds a salt to the UPW hash and computes the hash with SHA-1 instead of MD5. The salt is derived from the CC encryption hash: it is the first 20 characters of that value's SHA-1 digest.
<?php
// WHMCS configuration file
require_once('path/to/whmcs/configuration.php');
// DB connection
$dbh = mysql_connect($db_host,$db_username,$db_password) or die('MySQL connection failed');
mysql_select_db($db_name, $dbh) or die('Failed to select whmcs_dbname database');
// Get user info (in this case user id 1)
$query = sprintf("SELECT * FROM `tblclients` WHERE userid = %d", 1);
$result = mysql_query($query, $dbh);
if($result === FALSE) die("Query Failed: " . mysql_error());
$userRow = mysql_fetch_assoc($result);
// Start a session if one hasn't already been started
if(!session_id()) session_start();
// Set Session data
$_SESSION['uid'] = $userRow['id'];
$_SESSION['upw'] = sha1($userRow['id'] . $userRow['password'] . $_SERVER['REMOTE_ADDR'] . substr(sha1($cc_encryption_hash),0,20));
?>
Version 5.0.3 and older
The code below shows how the upw session variable is generated on a WHMCS install running one of these versions:
<?php
// DB connection
$dbh = mysql_connect('localhost','user','pass') or die('MySQL connection failed');
mysql_select_db('whmcs_dbname', $dbh) or die('Failed to select whmcs_dbname database');
// Get user info (in this case user id 1)
$query = sprintf("SELECT * FROM `tblclients` WHERE userid = %d", 1);
$result = mysql_query($query, $dbh);
if($result === FALSE) die("Query Failed: " . mysql_error());
$userRow = mysql_fetch_assoc($result);
// Start a session if one hasn't already been started
if(!session_id()) session_start();
// Set Session data
$_SESSION['uid'] = $userRow['id'];
$_SESSION['upw'] = md5($userRow['id'] . $userRow['password'] . $_SERVER['REMOTE_ADDR']);
?>
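The following is an added example, not code from the original page or from WHMCS. It puts the two derivations above into functions and shows which state changes cause a recomputed value to stop matching. The function names, the validator, and all input values are assumptions constructed for illustration.

```php
<?php
// Added example (not WHMCS code). All input values below are constructed.

// 5.1.2+ derivation as shown on this page: SHA-1 over id, stored password
// value, client IP and a 20-character salt. The salt comes from
// $cc_encryption_hash in configuration.php, not from the database.
function upw_current($id, $password, $remoteAddr, $ccEncryptionHash) {
    $salt = substr(sha1($ccEncryptionHash), 0, 20);
    return sha1($id . $password . $remoteAddr . $salt);
}

// 5.0.3-and-older derivation as shown on this page: unsalted MD5 over
// values that are all stored in tblclients or supplied by the client.
function upw_legacy($id, $password, $remoteAddr) {
    return md5($id . $password . $remoteAddr);
}

// Hypothetical validator: compare the session value with a freshly
// recomputed one in constant time (hash_equals requires PHP 5.6+).
function upw_is_valid($sessionUpw, $expected) {
    return is_string($sessionUpw) && hash_equals($expected, $sessionUpw);
}

$id = 1;
$pw = 'constructed-stored-password-value';
$cc = 'constructed-cc-encryption-hash';
$ip = '192.0.2.10'; // documentation address range

// Value placed in $_SESSION['upw'] at login time.
$token = upw_current($id, $pw, $ip, $cc);

// Recompute under changed conditions and see whether the token still matches.
$checks = array(
    'unchanged state'        => upw_current($id, $pw, $ip, $cc),
    'different client IP'    => upw_current($id, $pw, '192.0.2.99', $cc),
    'password changed'       => upw_current($id, 'constructed-new-value', $ip, $cc),
    'CC hash rotated'        => upw_current($id, $pw, $ip, 'constructed-rotated'),
    'legacy (MD5) algorithm' => upw_legacy($id, $pw, $ip),
);

foreach ($checks as $label => $expected) {
    $verdict = upw_is_valid($token, $expected) ? 'accepted' : 'rejected';
    printf("%-24s %s\n", $label, $verdict);
}
```

Only the first case is accepted, so under this derivation a password change, a change of client IP address, or a rotation of the CC encryption hash each invalidates every previously issued upw value.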
software/whmcs/session-upw.txt · Last modified: by shaun.reitan
