Despite my admiration for their SEO,...
That's unusually generous and tolerant!
When the 404 comes up the wrong url still shows up.
Yes, in the address bar, I see what you mean.
The other part of it is that if it is a rewrite, then the pages aren't "error pages" and we can (in theory) put ads like adsense on them.
I'd strongly advise against that. By the duck test, "If it looks like an error page and quacks like an error page..." Based on posts in other forums, AdSense is pretty strict, and once you're banned, you might not have much of a shot at getting back in unless your site is big enough that it's worth their time to negotiate with you. I think they also have a requirement that AdSense can only go on content pages, so unless you put articles on your error pages, they'd still fail that test. Splitting hairs with the terminology isn't worth the risk because you'll never get the opportunity to argue your point with them.
One thing you could do, as long as the pages the hackers created didn't have obvious porn page names, is create your own pages of those same names, with whatever content you want to put on them. Not sure I'd try that myself, but it's a devilish idea.
How are the error pages constructed through cpanel served?
For example, are they url-rewrites?
I'm sorry I don't know the definitive answer to this question. I believe the error pages are served as .shtml, with the name of the originally requested page inserted into the text. Come to think of it, I think the important concept is that the result CODE of the returned packet is 404. Regardless of what text is on the page, that code is a formal HTTP notification that the page does not exist, and is an error code. So I guess that really does answer the question. It is an error page regardless of how it's rendered. The Apache documentation might have more info. http://httpd.apache.org/docs/1.3/