Readme


YOU ARE USING THIS TOOL AT YOUR OWN RISK.

I recommend backing up all your encrypted files before using this tool.

How to use this tool:
1. Execute TeslaDecoder.exe (you need to execute it as Administrator if you want to access all folders)
2. This tool will check for the presence of Tesla's data files and registry entries (old versions of TeslaCrypt)
3a. You can specify the location of the data file by clicking on the "Load data file" button
3b. You can obtain the decryption/private key from a captured encrypted Tesla's request sent to the server by clicking on "Decode request"
4. If a decryption key was found you can choose what to decrypt (folder/all) and then choose whether you want to delete the original encrypted files
4a. Decrypt Folder - Pick a folder and try to decrypt the encrypted files inside (I recommend using this option to test decryption)
4b. Decrypt All - Search for encrypted files on all FIXED and REMOTE drives and try to decrypt them
5. See the log for more information (the path to the log file will be shown in a dialog)

If the decryption key was found in the Windows registry and you don't have a data file, you can save this data file by clicking on the "Save data file" button. (This option is not available if the decryption key was obtained from a network request of TeslaCrypt v2+, because these variants don't use data files.) This file can be used to decrypt files from another computer, etc., but the encrypted files have to match the decryption key.
Decoding Tesla's request and custom keys
========================================
Tesla/Alpha Crypt sends 2 requests to their servers. The first request, with "subject=Ping" in its parameters, contains the decryption/private key (the "key=" parameter). The second request, with "subject=Crypted", always has "key=--", so only the first request can be used to decrypt your files.

Decoding a request can also be used to load a custom key. If you want to load your custom key, paste a string in the following format as the input string for decoding a request:
key=<key_in_hex>&addr=<Bitcoin_address>&version=<real_Tesla_version_number>
example:
addr=1L55vdCjbQtcYYrrUzmx4NLJWFaMTPMrzb&key=B4B1ABEFC066AF7500A27C573B801D8F487161A7D9484439C25F61C1B07971D4&version=2.2.0

Key - hexadecimal representation of a 256-bit number (it can be PrivateKeyBC, PrivateKEySHA256BC or PrivateKeyFile)
Bitcoin_address - starts with 1 and can be 26-35 characters long (can be found in the ransom note); it must match the key parameter.*
real_Tesla_version_number - must be set, because whether the key parameter represents the decryption key or the private Bitcoin address key depends on the version. The table is located below.

*Note for v2.1.0+:
Because of a change made in v2.1.0 and above, the key parameter entered in custom input can be loaded even if it doesn't match the entered Bitcoin address. This is only true for custom input in the request decoding function (so a captured encrypted request of these versions will not be loaded if the key parameter doesn't match the Bitcoin address). TeslaDecoder then tries to verify the entered private key against the public keys located in the header of the encrypted files. If a match is found, the file is decrypted with that key.
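As an added example, not code from TeslaDecoder, here is a parser for the request / custom-key string format described above. It accepts the parameters in any order (the README's own example lists addr before key), rejects the "key=--" placeholder that the second ("subject=Crypted") request carries, and checks the field shapes the README gives: a 64-hex-digit (256-bit) key, a Bitcoin address starting with 1 and 26-35 characters long, and a version string. The Base58 character class used for the address and the version pattern are assumptions of this example; whether the key represents the decryption key or the Bitcoin private key for a given version is left to the version table and not decided here.

```python
# Added example (not part of TeslaDecoder): validate a captured
# "subject=Ping" request or a custom "key=...&addr=...&version=..." string.
import re
from urllib.parse import parse_qs

# 256-bit number written as 64 hex digits
HEX_256BIT = re.compile(r"^[0-9A-Fa-f]{64}$")
# Bitcoin P2PKH address: leading '1' plus 25-34 Base58 chars (26-35 total).
# Base58 alphabet is an assumption of this example, not stated in the README.
BTC_ADDR = re.compile(r"^1[1-9A-HJ-NP-Za-km-z]{25,34}$")
# Real TeslaCrypt version such as 0.3.6b, 2.1.0a or 2.2.0 (assumed pattern)
VERSION = re.compile(r"^\d+\.\d+\.\d+[a-z]?$")


def parse_key_input(query: str) -> dict:
    """Parse a request query string or custom key string.

    Returns {'key': bytes, 'addr': str, 'version': str}.
    Raises ValueError when the string cannot yield a key, including the
    'key=--' placeholder found in the second ('subject=Crypted') request.
    """
    # keep the last value if a parameter is repeated
    params = {k: v[-1] for k, v in
              parse_qs(query, keep_blank_values=True).items()}

    subject = params.get("subject")
    if subject is not None and subject != "Ping":
        raise ValueError(
            f"subject={subject!r} never carries the key; use the 'Ping' request")

    key = params.get("key", "")
    if key == "--":
        raise ValueError("key=-- is the placeholder of the second request")
    if not HEX_256BIT.match(key):
        raise ValueError("key must be 64 hex digits (a 256-bit number)")

    addr = params.get("addr", "")
    if not BTC_ADDR.match(addr):
        raise ValueError("addr must start with 1 and be 26-35 characters long")

    version = params.get("version", "")
    if not VERSION.match(version):
        raise ValueError("version must be the real TeslaCrypt version, e.g. 2.2.0")

    return {"key": bytes.fromhex(key), "addr": addr, "version": version}


def is_usable_key_input(query: str) -> bool:
    """True if the string parses into a key that TeslaDecoder could try."""
    try:
        parse_key_input(query)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # the README's own example string
    sample = ("addr=1L55vdCjbQtcYYrrUzmx4NLJWFaMTPMrzb"
              "&key=B4B1ABEFC066AF7500A27C573B801D8F487161A7D9484439C25F61C1B07971D4"
              "&version=2.2.0")
    print(parse_key_input(sample))
    # constructed 'Crypted' request: carries no key
    print(is_usable_key_input("subject=Crypted&key=--&addr=1L55vdCjbQtcYYrrUzmx4NLJWFaMTPMrzb&version=2.2.0"))
```

The address/key match the README requires for captured requests is not checked here, because the README does not describe how that match is computed; the parser only establishes that the fields are well-formed before a key is handed to the decoder.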

List of known versions of Tesla/AlphaCrypt: (my internal version numbering based on data file changes)
======================================================================================================
Version 1:
---------
File extension: .ecc
Location of data file on disk: %appdata%\key.dat [648 bytes]
Location of data file in registry: not used
Location of log file: %appdata%\log.html
Data file protected: No
Decryption key offset: 0x177
Partial key offset: 0x136
Info: If the decryption key was zeroed out but a partial key was found in key.dat, TeslaDecoder can recover the original decryption key. This process can take several hours on slow computers. Encrypted files are not paired with the data file. The decryption key can also be obtained from Tesla's request that was sent to the server.
Version 2:
---------
File extension: .ecc
Location of data file on disk: %appdata%\key.dat [656 bytes]
Location of data file in registry: not used
Location of log file: %appdata%\log.html
Data file protected: No
Decryption key offset: 0x177
Partial key offset: 0x136
Info: If the decryption key was zeroed out but a partial key was found in key.dat, TeslaDecoder can recover the original decryption key. This process can take several hours on slow computers. Encrypted files are not paired with the data file. The decryption key can also be obtained from Tesla's request that was sent to the server.
Version 3:
---------
File extension: .ecc/.ezz
Location of data file on disk: %appdata%\key.dat [752 bytes]
Location of data file in registry: [HKCU\Software\Microsoft\Windows\CurrentVersion\SET] [752 bytes]
Location of log file: %appdata%\log.html
Data file protected: No
Decryption key offset: 0x1DB
Info: If the decryption key was zeroed out, there is no way to recover the original decryption key without the private key of TeslaCrypt's authors. Encrypted files are not paired with the data file. The decryption key can also be obtained from Tesla's request that was sent to the server.
Version 4:
---------
File extension: .ezz/.exx
Location of data file on disk: %localappdata%\storage.bin [752 bytes]
Location of data file in registry: [HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\storage] [752 bytes]
Location of log file: %localappdata%\log.html
Data file protected: AES 256 can be used
Decryption key offset: between 0x19A and 0x2C0
Info: If the decryption key was zeroed out, there is no way to recover the original decryption key without the private key of TeslaCrypt's authors. Encrypted .exx files are paired with the data file. The decryption key can also be obtained from Tesla's request that was sent to the server.
Version 5/5+:
------------
File extension: .xyz/.zzz/.aaa/.abc/.ccc/.vvv
Location of data file on disk: not used
Location of data file in registry: [HKCU\Software\%random%] (data stored here cannot be used for decryption)
Location of log file: not used
Data file protected: N/A
Decryption key offset: N/A
Info: This version doesn't use any data files and the decryption key is not stored on the computer. The decryption key can be obtained from Tesla's request that was sent to the server. (Not possible since TeslaCrypt v2.1.0)
Version 6: (v2.1.1)
---------
File extension: original
Location of data file on disk: not used
Location of data file in registry: not used
Location of log file: not used
Data file protected: N/A
Decryption key offset: N/A
Info: This version doesn't use any data files and the decryption key is not stored on the computer. There is no known way to decrypt files without Tesla's private key or a bought decryption key.
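The version table above gives, for each data-file layout, the file size and the offset of the decryption key (and, for versions 1 and 2, of the partial key). As an added example that is not TeslaDecoder's code, the following classifies a data file by its name and size using exactly those values, reads the key field, and reports whether the key is zeroed and whether the README says recovery is possible. The partial-key length (taken as 32 bytes) is an assumption of this example; version 4's storage.bin is deliberately left unhandled because its key offset is variable and the file may be AES-protected, and the slow partial-key recovery itself is not reproduced, only reported as possible. The sample files are constructed in memory, not real key.dat files.

```python
# Added example (not part of TeslaDecoder): identify a TeslaCrypt data file
# from the README's size/offset table and inspect its key fields.
import os

KEY_LEN = 32       # a 256-bit key occupies 32 bytes
PARTIAL_LEN = 32   # ASSUMPTION: partial key field read as 32 bytes

# (data file name, file size) -> (internal version, key offset, partial key offset)
# Sizes and offsets are the README's; v4 storage.bin (variable offset 0x19A..0x2C0,
# possibly AES-protected) is intentionally absent.
DATA_FILE_LAYOUTS = {
    ("key.dat", 648): (1, 0x177, 0x136),
    ("key.dat", 656): (2, 0x177, 0x136),
    ("key.dat", 752): (3, 0x1DB, None),
}


def inspect_data_file(name: str, data: bytes) -> dict:
    """Classify a data file by name/size and pull the key fields out of it."""
    layout = DATA_FILE_LAYOUTS.get((os.path.basename(name).lower(), len(data)))
    if layout is None:
        return {"version": None, "key": None, "partial_key": None,
                "status": "unknown data file layout"}
    version, key_off, partial_off = layout

    key = data[key_off:key_off + KEY_LEN]
    zeroed = key == bytes(KEY_LEN)

    partial = None
    if partial_off is not None:
        candidate = data[partial_off:partial_off + PARTIAL_LEN]
        if candidate != bytes(PARTIAL_LEN):
            partial = candidate

    # Outcomes follow the README's Info lines for each version.
    if not zeroed:
        status = "decryption key present"
    elif partial is not None:
        status = "key zeroed; partial key present, recovery possible but slow"
    else:
        status = "key zeroed; not recoverable without the authors' private key"

    return {"version": version,
            "key": None if zeroed else key.hex().upper(),
            "partial_key": None if partial is None else partial.hex().upper(),
            "status": status}


def make_sample(size: int, key_off: int, key: bytes,
                partial_off=None, partial=None) -> bytes:
    """Build a constructed data-file image for testing (not a real key.dat)."""
    buf = bytearray(size)
    buf[key_off:key_off + len(key)] = key
    if partial_off is not None and partial is not None:
        buf[partial_off:partial_off + len(partial)] = partial
    return bytes(buf)


if __name__ == "__main__":
    k = bytes(range(1, 33))  # constructed 32-byte key
    # v1 file with the key in place
    print(inspect_data_file("key.dat", make_sample(648, 0x177, k)))
    # v1 file with the key zeroed but the partial key still present
    print(inspect_data_file("key.dat", make_sample(648, 0x177, bytes(32), 0x136, k)))
    # v3 file with the key zeroed: nothing to recover from
    print(inspect_data_file("key.dat", make_sample(752, 0x1DB, bytes(32))))
```

Because versions 3 and 4 both use 752-byte files, the name (key.dat under %appdata% versus storage.bin under %localappdata%) is what separates them; a storage.bin is reported as unknown here rather than being read at a guessed offset.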

List of known versions of Tesla/AlphaCrypt: (Their version numbering)
=====================================================================
.ecc 0.2.5 - 0.3.6b
.ezz 0.3.7 - 0.3.7b
.exx 0.4.0 - 0.4.1a
.xyz 1.0.0, 1.0.1
.zzz 2.0.0 - 2.0.4a
.aaa 2.0.4b - 2.0.5a
.abc 2.0.5a, 2.0.5b, 2.1.0
as original 2.1.1 (probably only a test version, because they went back to version 2.1.0)
.ccc 2.1.0a, 2.1.0b, 2.1.0c, 2.1.0d, 2.2.0
.vvv 2.2.0
TeslaDecoder can decrypt all versions of files encrypted by TeslaCrypt if YOU HAVE a valid private key. So it can be used instead of their rubbish decoder after paying the ransom.
