Okay, so I'm curious, so the first thing I did was run base64_decode (twice), which leaves me with a much more complex message that looks to use mcrypt or something similar.
Am I on the right track thus far? If you are using mcrypt, it is just likely a matter of brute forcing until I get the right combination of CIPHER type and mode used (assuming yyy.com is the key).
As an aside, I am assuming your product is installed on remote hosts, so there would be some source code available to see how the key is being utilized. It would be nice to see some of that so I can properly identify how easy it is to infer some of the remaining components