Princess Locker decryptor

[UPDATE: 19th March 2018] – I keep getting e-mails from people asking me why my decryptor doesn’t work. Please understand, this is an obsolete tool, it was written in 2016 for the FIRST VERSION of  Princess Locker. The current version is improved and no longer decryptable.

[UPDATE: 28th Nov 2016] – unfortunately, recently a new variant appeared, that fixed the bug which allowed me crack this ransomware. If generating the key takes more than few minutes,  it probably means that you has been infected by the new version of Princess. I am sorry, but I am not capable of helping in such case.

If you are a researcher curious how I cracked it, you can see the decryptor’s source code:

The presented decryptor works ONLY for the first version of Princess Locker ransomware (tested on sample: 14c32fd132942a0f3cc579adbd8a51ed):


Ransom note example:


In this thread you will find all the information and updates about the progress.

Currently I prepared a set of two EXPERIMENTAL tools: keygen and decryptor.

download-icon-png-5.png  You can download the full package from here.

youtube-512   See it in action on YouTube:

Use the keygen first in order to find your key. If this operation went successful, you can use decryptor to decrypt your other files.

The tools are protected with PE-Lock (special thanks to Bartosz Wójcik).


In order to use the keygen you must find one file, that you can provide in both forms: unencrypted and encrypted. You also need to supply the added extension. It is beneficial (but not required) to supply the unique ID from your ransom note.

PrincessKeygen.exe [encrypted file] [original file] [added extension] [*unique id]

* – optional parameter


Read the data from your ransom note:


And supply them to the keygen:

PrincessKeygen.exe "square1.bmp.xauwk" "square1.bmp" xauwk ujivtjf25pwt

What if you don’t have any original file?

In case if you don’t have the original copy of any of your encrypted files, you can use an encrypted file of one of the following formats:

doc, png, gif, pdf, docx, xlsx, ppt, xls

Then, instead of the original file, supply the preprepared header – you can find the set here. However, this method may, in some rare cases, produce invalid results – so, supplying the original file is recommended.



What if you don’t have the ransom note?

It’s OK. Just supply the extension – but be warned that cracking may take a bit longer.


Check if your output file is valid. If so, save the key and use it to decrypt rest of your files, with the help of PrincessDecryptor.


PrincessDecryptor.exe [key] [ransom extension] [*file/directory] 

* – optional parameter – default is current directory

About hasherezade

Programmer and researcher, interested in InfoSec.
This entry was posted in Malware, Malware Decryptor. Bookmark the permalink.

12 Responses to Princess Locker decryptor

  1. Janus Corso says:

    Thanks for your tools, but…why are you protecting them? It is useless (as you know). Another thing, Princess is easy to find if you reverse the algo key generation from a malware sample, trust me, if you protect your tools people will be angry.
    I understand you that you dont want another people or company use your work, but a company that uses your work without gives you credit…;)

    • hasherezade says:

      Don’t worry, I will make it open source after some time – as I always do. For now I just don’t want to make things way too straight-forward for the skids that wrote it 😉

    • demonslay335 says:

      It isn’t about protecting from other companies, it’s to protect against the malware authors seeing their mistakes. We try to delay them fixing it as long as possible when we can.

  2. Pingback: The Week in Ransomware – November 18th 2016 – Crysis, CryptoLuck, CHIP, and More – Computer Repair Plymouth

  3. Arthur Hollande says:

    Where can I get this PE-Lock thing for free? 😀

  4. Pingback: The Week in Ransomware – November 18th 2016 – Crysis, CryptoLuck, CHIP, and More – Wayzata Computer Repair

  5. Pingback: Week 47 – 2016 – This Week In 4n6

  6. poxyran says:

    Can you share a hash for the newest variants?.

  7. Jon S says:

    Have you had a chance to decrypt the 2.0 princess locker ? It’s on my wife’s computer

  8. dev maruboyina says:

    Hello All,

    All my files have been encrypted both on the laptop and on the back drive (External hard drive). Does anyone have a solution for Princess Locker 2.0 and the extension(.zHyR). Any help appreciated.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s