# Princess Locker decryptor **[hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/](https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/)** View all posts by hasherezade → November 17, 2016 **[UPDATE: 19th March 2018] – I keep getting e-mails from people asking me why my** **_decryptor doesn’t work. Please understand, this is an obsolete tool, it was written in_** **_2016 for the FIRST VERSION of Princess Locker. The current version is improved and_** **_no longer decryptable._** **[UPDATE: 28th Nov 2016] – unfortunately, recently a new variant appeared, that fixed** **_the bug which allowed me crack this ransomware. If generating the key takes more_** **_than few minutes, it probably means that you has been infected by the new version of_** **_Princess. I am sorry, but I am not capable of helping in such case._** _If you are a researcher curious how I cracked it, you can see the decryptor’s source code:_ _[https://github.com/hasherezade/decryptors_archive/tree/master/princesslocker_decrypt](https://github.com/hasherezade/decryptors_archive/tree/master/princesslocker_decrypt)_ The presented decryptor works ONLY for the first version of [Princess Locker ransomware](https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/) (tested on sample: [14c32fd132942a0f3cc579adbd8a51ed):](https://virustotal.com/en/file/b4824678b0b388260cdf7f1d70b868cc041b9865a295cb12fbdb868dd83ebc17/analysis/) Ransom note example: ----- In this thread you will find all the information and updates about the progress. Currently I prepared a set of two EXPERIMENTAL tools: keygen and decryptor. [You can download the full package from here.](https://drive.google.com/open?id=0Bzb5kQFOXkiSakM4NnB2WTUzLVk) See it in action on YouTube: [https://www.youtube.com/watch?v=Ted84CoOPvg](https://www.youtube.com/watch?v=Ted84CoOPvg) Use the keygen first in order to find your key. If this operation went successful, you can use decryptor to decrypt your other files. _[The tools are protected with PE-Lock (special thanks to Bartosz Wójcik).](https://www.pelock.com/)_ ## HOW TO USE In order to use the keygen you must find one file, that you can provide in both forms: unencrypted and encrypted. You also need to supply the added extension. It is beneficial (but not required) to supply the unique ID from your ransom note. Usage: ``` PrincessKeygen.exe [encrypted file] [original file] [added extension] [*unique id] ``` - – optional parameter **Example:** ----- Read the data from your ransom note: And supply them to the keygen: ``` PrincessKeygen.exe "square1.bmp.xauwk" "square1.bmp" xauwk ujivtjf25pwt ``` **What if you don’t have any original file?** In case if you don’t have the original copy of any of your encrypted files, you can use an encrypted file of one of the following formats: doc, png, gif, pdf, docx, xlsx, ppt, xls [Then, instead of the original file, supply the preprepared header – you can find the set here.](https://drive.google.com/open?id=0Bzb5kQFOXkiSR1RoVzBFdUstazg) However, this method may, in some rare cases, produce invalid results – so, supplying the original file is recommended. Example: **What if you don’t have the ransom note?** It’s OK. Just supply the extension – but be warned that cracking may take a bit longer. ----- Check if your output file is valid. If so, save the key and use it to decrypt rest of your files, with the help of PrincessDecryptor. Usage: ``` PrincessDecryptor.exe [key] [ransom extension] [*file/directory] ``` - – optional parameter – default is current directory -----