sys import re NLF = 0x3A5C742E def bit(x, n): return (x >> n) & 1 def g5(x, a, b, c, d, e): return ( (bit(x, a) << 0) | (bit(x, b) << 1) | (bit(x, c) << 2) | (bit(x, d) << 3) | (bit(x, e) << 4) ) def nlf_bit(idx): return (NLF >> idx) & 1 solver.py def keeloq_decrypt(data, key): x = data & 0xFFFFFFFF key &= 0xFFFFFFFFFFFFFFFF for r in range(528): x = ( (x << 1) ^ bit(x, 31) ^ bit(x, 15) ^ bit(key, (15 - r) & 63) ^ nlf_bit(g5(x, 0, 8, 19, 25, 30)) ) & 0xFFFFFFFF return x def clean_hex(s): return re.sub(r"[^0-9a-fA-F]", "", s).upper() def derive_device_key(serial_hex, mfr_code_hex): serial = int(clean_hex(serial_hex), 16) & 0x0FFFFFFF mfr_code = int(clean_hex(mfr_code_hex), 16) & 0xFFFFFFFFFFFFFFFF source_h = 0x60000000 | serial source_l = 0x20000000 | serial key_h = keeloq_decrypt(source_h, mfr_code) key_l = keeloq_decrypt(source_l, mfr_code) device_key = ((key_h << 32) | key_l) & 0xFFFFFFFFFFFFFFFF return device_key, source_h, source_l, key_h, key_l def main(): if len(sys.argv) != 3: print("Usage: python3 solver.py <SerialHex> <MfrCodeHex>") print("Example: python3 solver.py 07A4C3D 89ABCDEF01234567") sys.exit(1) serial_hex = sys.argv[1] mfr_code_hex = sys.argv[2] device_key, source_h, source_l, key_h, key_l = derive_device_key(serial_hex, mfr_code_hex) print(f"Serial : {clean_hex(serial_hex)}") print(f"Mfr Code : {clean_hex(mfr_code_hex)}") print(f"SourceH : {source_h:08X}") print(f"SourceL : {source_l:08X}") print(f"KeyH : {key_h:08X}") print(f"KeyL : {key_l:08X}") print(f"DeviceKey : {device_key:016X}") print(f"flag{{{device_key:016X}}}") if __name__ == "__main__": main() $ python3 solver.py 07A4C3D 89ABCDEF01234567 Serial : 07A4C3D ... DeviceKey : BF61DA58FE545128 flag{BF61DA58FE545128}