CRC32 Parameters Reverse Engineering having access to multiple examples - reverse-engineering

I have to find out how to reproduce the CRC32 algorithm used on a proprietary database file, the file consists of many "chunks" of 128 bytes, each being a record. I know that for each record, bytes 1-4 are the CRC32 Checksum, and the next 35 bytes don't seem to matter, as I can change them easily without the application telling me the CRC Check has failed. Therefore, I am looking to find out what polynomial and other parameters are being used to calculate the latter. Below is an example.
Text version:
00 27 AE 3B 9F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 08 41 41 41 41 41 41 41 41
19 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42
42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00
If we take just the bytes we can't change, breaking the record, we get this:
41 08 41 41 41 41 41 41 41 41 19 42 42 42 42 42 42 42 42 42 42 42 42 42 42
42 42 42 42 42 42 42 42 42 42 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00
the CRC32 for the above is 27 AE 3B 9F
Real Record Example 1.1, differing only by one byte from the above (CRC is BC D4 84 FB):
41 08 41 41 41 41 41 41 41 41 19 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42
42 42 42 42 42 42 42 42 42 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
Real Record Example 2 (Output CRC is 3B 6A D1 AF):
41 07 41 41 41 41 41 41 41 00 19 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42
42 42 42 42 42 42 42 42 42 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
Real Record Example 3 (Output CRC is 0B 54 CC 09):
41 01 31 00 00 00 00 00 00 00 03 41 73 61 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
Real Record Example 4 (Output CRC is 12 91 EA 8E):
41 B4 A8 D0 02 46 00 B4 A8 00 03 52 4D 31 03 53 54 50 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 25 00 00 00 00 00 00 00
00 00 A3 05 00 00 00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 64
00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Real Record Example 5 (Output CRC is 8A 68 00 3B):
41 B4 A8 D0 02 46 00 B4 A8 01 03 52 4D 31 03 53 54 50 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 25 00 00 00 00 00 00 00
00 00 A3 05 00 00 00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 64
00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 64 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
The two last records differ in only one byte. By using the approach #rcgldr specified, I was able to get a final XOR value of 0x9902539d and I could successfully change data without the application complaining. I ran some code to find these final XOR values for every entity/file in the application and was successful on all of them, but being able to find a single CRC parameter set would be a great addition.
EDIT: Added two more example records
EDIT 2: Added one more example that only differs by one byte compared to the first one
EDIT 3: Added two more examples, with a different size, as they're from another type of record within the application. Also deleted part of the question as it became irrelevant

xor'ing 1.0 and 1.1 results in:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
xor'ing the two crcs results in
9b 7a bf 64
Assuming "little endian" for the stored crc, the calculated crc is
0x64bf7a9b
By xor'ing two records, the initial value and final xor value are canceled out due to the xor, which allows the crc polynomial to be determined based on the data alone, assuming that initial value = 0 and that final xor value = 0. Taking advantage of this, I tried some common crc polynomials and determined that the crc polynomial is
0x104C11DB7 or ignoring the msb: 0x04C11DB7
Using this web site that you linked to in your comment:
http://www.sunshine2k.de/coding/javascript/crc/crc_js.html
The parameters are:
crc32
custom
input: not reflected
result: not reflected
polynomial: 0x04C11DB7
initial value: 0x0
final xor value: 0x0
If the data is always the same size, then either the initial value or the final xor value or a combination of both can be used to adjust the crc so that it matches the actual crc's shown in the examples, but it is simplest to use the final xor to match the examples, since it just requires calculating a crc with one of the examples, assuming initial value = 0 and final xor value = 0, then xor'ing the calculated crc with the actual crc from the example crc to calculate a final xor value for a specific length of data.
So for the data size in the first examples, a final xor value of 0x189B52BC will produce crc's that match the examples. These are the parameters for the crc calculator.
crc32
custom
input: not reflected
result: not reflected
polynomial: 0x04C11DB7
initial value: 0x0
final xor value: 0x189B52BC
These parameters match all of the first examples you posted. Again, note that the crc's are stored "little endian", most significant byte first.
If the data size is variable, then an initial value is needed (and it's possible both an initial value and final xor value are used). Once the polynomial is known, it's possible to do a "reverse" CRC to find the initial value, or a brute force search can be used. I did a brute force search for an initial value using a fast crc calculator (since I don't have a "reverse" CRC program yet), and it appears that it will work for any data size, at least based on the new examples you added. These parameters work with all of the examples above, including the new ones you added:
crc32
custom
input: not reflected
result: not reflected
polynomial: 0x04C11DB7
initial value: 0xc704dd7b
final xor value: 0x0
The initial value of 0xc704dd7b is the crc that is generated with a data pattern of {ff ff ff ff}, with initial value = 0 and final xor value = 0. It's the same as prefixing the data with {ff ff ff ff}.
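As an added example (Python written for this page, not code from the question or from the answer above), here is a parameterised MSB-first CRC-32 with the recovery steps the answer describes: XOR-cancellation to test a polynomial, recovery of a final XOR value for one record length, and the linearity argument that lets a per-length final XOR be traded for a single initial value. The records and stored CRC bytes are transcribed from the question (the 88-byte and 409-byte record types); the parameter values 0x04C11DB7, 0x189B52BC and 0xC704DD7B are the answer's; the list of candidate polynomials is an addition of mine. The stand-alone run prints which candidates fit records 1.0/1.1 and whether each parameter set reproduces each stored CRC.

```python
# Added example, not code from the question or the answer: a parameterised
# MSB-first CRC-32 and the recovery steps described above, run over the records
# transcribed from the question.

POLY = 0x04C11DB7          # polynomial identified in the answer, x^32 term dropped
MASK32 = 0xFFFFFFFF


def crc32_msb(data: bytes, init: int = 0, xorout: int = 0, poly: int = POLY) -> int:
    """CRC-32 with input and result not reflected (the 'custom' calculator settings above)."""
    crc = init
    for b in data:
        crc ^= b << 24
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & MASK32 if crc & 0x80000000 else (crc << 1) & MASK32
    return crc ^ xorout


def stored_crc(b4: bytes) -> int:
    """The file stores the CRC least-significant byte first: 27 AE 3B 9F -> 0x9F3BAE27."""
    return int.from_bytes(b4, "little")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "XOR-cancellation needs records of equal length"
    return bytes(x ^ y for x, y in zip(a, b))


# Records from the question, built from their run-length structure (88 and 409 bytes).
REC_1_0 = b"\x41\x08" + b"\x41" * 8 + b"\x19" + b"\x42" * 25 + bytes(52)
REC_1_1 = b"\x41\x08" + b"\x41" * 8 + b"\x19" + b"\x42" * 24 + b"\x43" + bytes(52)
REC_2 = b"\x41\x07" + b"\x41" * 7 + b"\x00\x19" + b"\x42" * 25 + bytes(52)
REC_3 = b"\x41\x01\x31" + bytes(7) + b"\x03\x41\x73\x61" + bytes(74)


def long_record(byte9: int) -> bytes:
    """Examples 4 and 5 differ only in byte 9 (0x00 vs 0x01)."""
    head = bytes.fromhex("41B4A8D0024600B4A8") + bytes([byte9]) + bytes.fromhex("03524D3103535450")
    body = (bytes(101) + b"\xFF" + bytes(132) + b"\x25" + bytes(9) + b"\xA3\x05"
            + bytes(3) + b"\x64\x00" * 20 + bytes(102))
    return head + body


PAGE_RECORDS = [  # (name, record bytes, CRC bytes exactly as stored in the file)
    ("1.0", REC_1_0, bytes.fromhex("27AE3B9F")),
    ("1.1", REC_1_1, bytes.fromhex("BCD484FB")),
    ("2", REC_2, bytes.fromhex("3B6AD1AF")),
    ("3", REC_3, bytes.fromhex("0B54CC09")),
    ("4", long_record(0x00), bytes.fromhex("1291EA8E")),
    ("5", long_record(0x01), bytes.fromhex("8A68003B")),
]

# Candidate polynomials to try (common 32-bit ones; only the first is the answer's).
CANDIDATES = {"CRC-32": 0x04C11DB7, "CRC-32C": 0x1EDC6F41, "CRC-32K": 0x741B8CD7,
              "CRC-32Q": 0x814141AB, "CRC-32/XFER": 0x000000AF}


def polynomial_fits(poly: int, rec_a: bytes, crc_a: bytes, rec_b: bytes, crc_b: bytes) -> bool:
    """Step 1: with init = xorout = 0 the CRC is linear over GF(2), so for two
    same-length records crc(A) ^ crc(B) == crc(A ^ B) and any fixed init/xorout
    cancels. The polynomial fits if crc0(A ^ B) equals the XOR of the stored CRCs."""
    return crc32_msb(xor_bytes(rec_a, rec_b), poly=poly) == stored_crc(crc_a) ^ stored_crc(crc_b)


def fitting_polynomials(rec_a: bytes, crc_a: bytes, rec_b: bytes, crc_b: bytes) -> list:
    return [name for name, p in CANDIDATES.items() if polynomial_fits(p, rec_a, crc_a, rec_b, crc_b)]


def recover_xorout(rec: bytes, crc_b4: bytes) -> int:
    """Step 2 (fixed record length): xorout = crc0(record) ^ stored CRC."""
    return crc32_msb(rec) ^ stored_crc(crc_b4)


def xorout_equivalent_to_init(init: int, length: int) -> int:
    """By the same linearity, an initial value behaves over `length` bytes like a
    final XOR of crc(zeros, init); that is why a per-length final XOR and a single
    initial value both fit the fixed-size examples."""
    return crc32_msb(bytes(length), init=init)


def verify(init: int, xorout: int) -> dict:
    """Which of the page's records a parameter set reproduces."""
    return {name: crc32_msb(rec, init=init, xorout=xorout) == stored_crc(c)
            for name, rec, c in PAGE_RECORDS}


if __name__ == "__main__":
    print("polynomials fitting 1.0/1.1:", fitting_polynomials(REC_1_0, PAGE_RECORDS[0][2], REC_1_1, PAGE_RECORDS[1][2]))
    print("final xor recovered from 1.0:", hex(recover_xorout(REC_1_0, PAGE_RECORDS[0][2])))
    print("init 0xC704DD7B as an 88-byte final xor:", hex(xorout_equivalent_to_init(0xC704DD7B, 88)))
    print("init 0xC704DD7B / xorout 0 per record:", verify(0xC704DD7B, 0))
```

The two identities the checks rest on hold for any polynomial, which is what makes them usable before the polynomial is known: the XOR of two same-length records cancels whatever initial value and final XOR the producer used, and a record of all-zero bytes isolates the contribution of the initial value alone.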

Related

Binary format and bit format

How do you know what code format this is?
Is the code below binary or bits? And how can it be converted to any other format, or to decimal numbers?
01 00 00 00 04 00 00 00 00 00 00 00 00 00 80 3F 00 00 80 3F 00 00 80 3F 00 00 80 3F 00 00 80 3F 00 00 80 3F 00 00 80 3F 00 00 80 3F 00 00 80 3F 00 00 80 3F 00 00 80 3F
Binary means that you have two possible states (base 2). 1 and 0.
Something that bears that atomic information is usually referred to as a bit.
What you see there are hexadecimal numbers. (base 16)
This notation is often used to display binary data in a more compact form.
The decimal number 255 can be written as 11111111 (binary) or FF (hex)
So each pair is one byte. What they mean depends on where you got those numbers from.
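As an added example in Python (not part of the answer above), the bytes from the question read back under the usual fixed-width interpretations. Only the byte values come from the question; grouping them into 4-byte units is an assumption made here for illustration, since the answer's point is that the meaning depends on the producer.

```python
# Added example, not from the answer: the same bytes decoded several ways.
import struct

# Hex pairs exactly as posted in the question (56 bytes).
HEX_FROM_QUESTION = (
    "01 00 00 00 04 00 00 00 00 00 00 00 00 00 80 3F "
    "00 00 80 3F 00 00 80 3F 00 00 80 3F 00 00 80 3F 00 00 80 3F "
    "00 00 80 3F 00 00 80 3F 00 00 80 3F 00 00 80 3F 00 00 80 3F"
)


def hex_to_bytes(text: str) -> bytes:
    """Each two-digit pair is one byte; the spaces are only display separators."""
    return bytes.fromhex("".join(text.split()))


def interpretations(raw: bytes) -> dict:
    """Decode the buffer as bits, as 32-bit integers of both byte orders, and as
    32-bit floats. Which reading is the intended one only the producer knows;
    the 4-byte grouping is an assumption for this demonstration."""
    n = len(raw) // 4
    body = raw[: n * 4]
    return {
        "bits": " ".join(f"{b:08b}" for b in raw[:4]),   # base 2, first four bytes
        "u32_le": struct.unpack(f"<{n}I", body),            # little-endian unsigned ints
        "u32_be": struct.unpack(f">{n}I", body),            # big-endian unsigned ints
        "f32_le": struct.unpack(f"<{n}f", body),            # little-endian IEEE-754 floats
    }


if __name__ == "__main__":
    raw = hex_to_bytes(HEX_FROM_QUESTION)
    for name, value in interpretations(raw).items():
        print(name, value)
```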

ollydbg change unicode string bulk method

I want to change many parts of a Unicode string in OllyDbg.
Is there any plugin or trick that can be used to replace Unicode strings in bulk, all at once?
For example, if 100 unicode 'test' words exist in the string reference then I want to change all 'test' to 'test2'
00459FD0 5C 00 55 00 6C 00 74 00 72 00 61 00 4D 00 61 00 \test\.J.
00459FF0 5C 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 \Microso
0045A000 66 00 74 00 20 00 53 00 68 00 61 00 72 00 65 00 ft Share
0045A010 64 00 5C 00 54 00 72 00 69 00 45 00 64 00 69 00 d\TriEdi
0045A020 74 00 5C 00 44 00 68 00 74 00 6D 00 6C 00 45 00 t\DhtmlE
0045A030 64 00 2E 00 6F 00 63 00 78 00 00 00 0C 00 00 00 d.ocx...
0045A040 3F 00 6C 00 61 00 6E 00 67 00 3D 00 00 00 00 00 ?lang=..
0045A050 22 00 00 00 5C 00 55 00 6C 00 74 00 72 00 61 00 ".\test.︁ൃᇏ
0045A080 89 40 00 A0 C9 05 42 28 10 9D 0B 2A 87 4B D3 11 䂉ꀀ׉⡂鴐⨋䮇ᇓ
Until now I was trying to find a trick or plugin but I have been unsuccessful.
How can I accomplish this task?
Thank you.
I struggled for a few hours to figure this out, so here is the way I replaced all my strings with Olly (they were ASCII, but it makes no difference).
First, we can't hardcode the new string in place, except if the strings are the same size. So go find some free space in your executable and paste your string there (you have to put a zero byte right after it).
Keep your string's offset in mind, and in your CPU view, search for all referenced text strings.
Then select the string you want to replace, press Enter, then Space to open the assemble window, then replace your offset with the one of your new string.
Cheerz! :)

How could I write "hello world" in binary?

Suppose I wanted to write a program to display "hello world", and I wanted to write it in binary. How could I do this?
I have some idea that:
I'd need to determine what chip architecture I'm using
I'd need to find out what kind of binary it uses
I'd need some reference for that flavor of binary
I might need to change a setting in my editor (Vim)
Can anybody walk me through this?
It's a bit more complicated, because actually printing "Hello, world!" to stdout is a system call, so you need to know the correct kernel syscall number, which of course varies by operating system. You also need to know the binary format, which also tends to vary, although ELF (Executable and Linkable Format) is universal across a few flavors of Unix and Linux.
See Hello, world! in assembler.
This is Linux assembler code:
section .text
global _start ;must be declared for linker (ld)
_start: ;tell linker entry point
mov edx,len ;message length
mov ecx,msg ;message to write
mov ebx,1 ;file descriptor (stdout)
mov eax,4 ;system call number (sys_write)
int 0x80 ;call kernel
mov eax,1 ;system call number (sys_exit)
int 0x80 ;call kernel
section .data
msg db 'Hello, world!',0xa ;our dear string
len equ $ - msg ;length of our dear string
... which, on 32-bit Linux, compiles to a binary of 360 bytes, although it's mostly zeros:
00000000 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 |.ELF............|
00000010 02 00 03 00 01 00 00 00 80 80 04 08 34 00 00 00 |............4...|
00000020 c8 00 00 00 00 00 00 00 34 00 20 00 02 00 28 00 |........4. ...(.|
00000030 04 00 03 00 01 00 00 00 00 00 00 00 00 80 04 08 |................|
00000040 00 80 04 08 9d 00 00 00 9d 00 00 00 05 00 00 00 |................|
00000050 00 10 00 00 01 00 00 00 a0 00 00 00 a0 90 04 08 |................|
00000060 a0 90 04 08 0e 00 00 00 0e 00 00 00 06 00 00 00 |................|
00000070 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000080 ba 0e 00 00 00 b9 a0 90 04 08 bb 01 00 00 00 b8 |................|
00000090 04 00 00 00 cd 80 b8 01 00 00 00 cd 80 00 00 00 |................|
000000a0 48 65 6c 6c 6f 2c 20 77 6f 72 6c 64 21 0a 00 2e |Hello, world!...|
000000b0 73 68 73 74 72 74 61 62 00 2e 74 65 78 74 00 2e |shstrtab..text..|
000000c0 64 61 74 61 00 00 00 00 00 00 00 00 00 00 00 00 |data............|
000000d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000000f0 0b 00 00 00 01 00 00 00 06 00 00 00 80 80 04 08 |................|
00000100 80 00 00 00 1d 00 00 00 00 00 00 00 00 00 00 00 |................|
00000110 10 00 00 00 00 00 00 00 11 00 00 00 01 00 00 00 |................|
00000120 03 00 00 00 a0 90 04 08 a0 00 00 00 0e 00 00 00 |................|
00000130 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 |................|
00000140 01 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 |................|
00000150 ae 00 00 00 17 00 00 00 00 00 00 00 00 00 00 00 |................|
00000160 01 00 00 00 00 00 00 00 |........|
Since you want to "compile by hand", this basically means translating assembler mnemonics above to their opcodes, and then wrapping the result in correct binary format (ELF in the example above)
UPDATE: As this answer by #adam-rosenfield shows, the ELF binary for "Hello, world!" can be handcrafted down to 116 bytes. The original answer is now deleted, but still visible to moderators, so here's a copy:
Here's a 32-byte version using Linux system calls:
.globl _start
_start:
movb $4, %al
xor %ebx, %ebx
inc %ebx
movl $hello, %ecx
xor %edx, %edx
movb $11, %dl
int $0x80          # sys_write(1, $hello, 11)
xor %eax, %eax
inc %eax
int $0x80          # sys_exit(something)
hello:
.ascii "Hello world"
When compiled into a minimal ELF file, the full executable is 116 bytes:
00000000 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 |.ELF............|
00000010 02 00 03 00 01 00 00 00 54 80 04 08 34 00 00 00 |........T...4...|
00000020 00 00 00 00 00 00 00 00 34 00 20 00 01 00 00 00 |........4. .....|
00000030 00 00 00 00 01 00 00 00 00 00 00 00 00 80 04 08 |................|
00000040 00 80 04 08 74 00 00 00 74 00 00 00 05 00 00 00 |....t...t.......|
00000050 00 10 00 00 b0 04 31 db 43 b9 69 80 04 08 31 d2 |......1.C.i...1.|
00000060 b2 0b cd 80 31 c0 40 cd 80 48 65 6c 6c 6f 20 77 |....1.#..Hello w|
00000070 6f 72 6c 64 |orld|
00000074
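As an added example (Python written for this page, not code from either answer), here is the 116-byte file above rebuilt with struct, so the "wrapping in the correct binary format" step is visible field by field. The machine-code bytes are the hand-assembled form of the 32-byte listing, and every header value (entry 0x08048054, a single PT_LOAD segment mapping the whole file at 0x08048000) is read off the hexdump above. Running the output needs an x86 Linux kernel with 32-bit executable support.

```python
# Added example, not from the answers: the minimal 32-bit ELF above, built by hand.
import struct

BASE = 0x08048000                 # load address used in the dump (p_vaddr of the segment)
EHDR_SIZE, PHDR_SIZE = 52, 32     # sizeof(Elf32_Ehdr), sizeof(Elf32_Phdr)
CODE_OFF = EHDR_SIZE + PHDR_SIZE  # 0x54: the code starts right after the two headers


def hand_assembled_code() -> bytes:
    """Opcodes for the 32-byte listing, one entry per source line."""
    hello = BASE + CODE_OFF + 21  # the string follows 21 bytes of code -> 0x08048069
    parts = [
        b"\xb0\x04",                          # movb $4, %al       (sys_write)
        b"\x31\xdb",                          # xor %ebx, %ebx
        b"\x43",                              # inc %ebx           (fd 1 = stdout)
        b"\xb9" + struct.pack("<I", hello),   # movl $hello, %ecx
        b"\x31\xd2",                          # xor %edx, %edx
        b"\xb2\x0b",                          # movb $11, %dl      (length)
        b"\xcd\x80",                          # int $0x80
        b"\x31\xc0",                          # xor %eax, %eax
        b"\x40",                              # inc %eax           (sys_exit)
        b"\xcd\x80",                          # int $0x80
        b"Hello world",                       # .ascii "Hello world"
    ]
    return b"".join(parts)


def build_elf(code: bytes) -> bytes:
    """ELF header + one program header + code; no section headers at all."""
    total = CODE_OFF + len(code)
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)  # ELFCLASS32, little-endian, v1
    ehdr = struct.pack(
        "<16sHHIIIIIHHHHHH", e_ident,
        2,                     # e_type      ET_EXEC
        3,                     # e_machine   EM_386
        1,                     # e_version
        BASE + CODE_OFF,       # e_entry     0x08048054
        EHDR_SIZE,             # e_phoff     program header directly after this header
        0, 0,                  # e_shoff, e_flags
        EHDR_SIZE, PHDR_SIZE,  # e_ehsize, e_phentsize
        1,                     # e_phnum
        0, 0, 0,               # e_shentsize, e_shnum, e_shstrndx
    )
    phdr = struct.pack(
        "<IIIIIIII",
        1,             # p_type   PT_LOAD
        0,             # p_offset map the file from byte 0, headers included
        BASE, BASE,    # p_vaddr, p_paddr
        total, total,  # p_filesz, p_memsz
        5,             # p_flags  PF_R | PF_X
        0x1000,        # p_align
    )
    return ehdr + phdr + code


if __name__ == "__main__":
    image = build_elf(hand_assembled_code())
    print(len(image), "bytes")
    for off in range(0, len(image), 16):
        print(f"{off:08x} {image[off:off + 16].hex(' ')}")
    # To try it: write `image` to a file, chmod +x it, and run it on 32-bit-capable Linux.
```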
Normally, you'd use a hex editor for this. Figure out the assembly code, hand-assemble it, use the hex editor to enter the binary values, then save them to a file. Once you have your file, drop into your machine monitor and load the file at an available address, then jump to the first instruction. This was pretty common practice on single-board computers and is still done on microcontrollers today, but it's not something you're going to do on a contemporary OS. If you really want to do this, I'd recommend running a low-level emulator (SIMH will work) or working with a microcontroller (you can pick up a TI MSP430 development kit for less than five bucks).

TCL script - Extracting only Hex values from Hexdump file and copying it to a new file

00000010- 00 11 50 44 00 00 00 00 00 00 00 00 00 11 58 44 [..PD..........XD]
00000011- 00 00 00 00 00 00 00 00 00 11 80 44 00 00 00 00 [...........D....]
00000012- 00 00 00 00 00 11 88 44 00 00 00 00 00 00 00 00 [.......D........]
00000013- 00 11 90 44 00 00 00 00 00 00 00 00 00 11 98 44 [...D...........D]
00000014- 00 00 00 00 00 00 00 00 00 11 C0 44 00 00 00 00 [...........D....]
I need to extract the hex values shown below and copy them to a new file:
00 11 50 44 00 00 00 00 00 00 00 00 00 11 58 44 00 00 00 00 00 00 00 00 00 11 80 44 00 00 00 00 00 00 00 00 00 11 88 44 00 00 00 00 00 00 00 00 00 11 90 44 00 00 00 00 00 00 00 00 00 11 98 44 00 00 00 00 00 00 00 00 00 11 C0 44 00 00 00 00
Assuming you've got all your hex data in a variable called $input, you can get a list of hex digits like this:
foreach line [split $input \n] {
foreach c [scan $line %*x-%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x] {
if {$c ne ""} {
lappend out [format %x $c]
}
}
}
After that, $out contains a list of hex digits. Use it wisely.
Here is another approach, which makes the following assumptions:
Each line starts with an offset, which we can discard
Also, each line ends with an ASCII presentation, which we also discard
That means, for each line, we only take items 1 .. end-1
That the variable $input holds many lines of hex dump
Without further ado:
set hexList {}
foreach line [split $input "\n"] {
set hexList [concat $hexList [lrange $line 1 16]]
}
puts $hexList; # hexList now contains all the hex digits
My TCL is a bit rusty but a very naive approach would be:
# Parse all hex bytes (digits and A-F) from your input variable into hexList
set hexList [regexp -all -inline -- {[0-9A-Fa-f]{2}(?:\s{1,2})} $input]
# Replace some spaces to get the expected output and store it into hexData
regsub -all -- {\s{3}} [join $hexList] { } hexData
# Write hexData into your file..
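As an added example, in Python rather than Tcl (not code from any of the answers above), here is a parser for exactly the dump layout in the question: an offset ending in a dash, sixteen hex bytes, and an ASCII column in square brackets. Anchoring each line as a whole is what keeps digits in the offset or in the ASCII column from being mistaken for data. The sample is the five lines from the question.

```python
# Added example, not from the answers: parse the question's dump layout into bytes.
import re

# The five lines posted in the question.
SAMPLE = """\
00000010- 00 11 50 44 00 00 00 00 00 00 00 00 00 11 58 44 [..PD..........XD]
00000011- 00 00 00 00 00 00 00 00 00 11 80 44 00 00 00 00 [...........D....]
00000012- 00 00 00 00 00 11 88 44 00 00 00 00 00 00 00 00 [.......D........]
00000013- 00 11 90 44 00 00 00 00 00 00 00 00 00 11 98 44 [...D...........D]
00000014- 00 00 00 00 00 00 00 00 00 11 C0 44 00 00 00 00 [...........D....]
"""

# offset, dash, the byte column, optional ASCII column; anchored at both ends so
# only the middle column can ever be read as data.
LINE_RE = re.compile(
    r"^\s*([0-9A-Fa-f]+)-\s*((?:[0-9A-Fa-f]{2}\s+)*[0-9A-Fa-f]{2})\s*(?:\[.*\])?\s*$"
)


def parse_hexdump(text: str) -> bytes:
    """Return the data bytes of every line, in order; reject a line that does not fit."""
    out = bytearray()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a hexdump line: {line!r}")
        out += bytes.fromhex("".join(m.group(2).split()))
    return bytes(out)


def as_hex_text(data: bytes) -> str:
    """The 'new file' form the question asks for: space-separated upper-case pairs."""
    return " ".join(f"{b:02X}" for b in data)


if __name__ == "__main__":
    data = parse_hexdump(SAMPLE)
    print(len(data), "bytes")
    print(as_hex_text(data))
```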

Find out CRC or CHECKSUM of RS232 data

I need to communicate with an RS232 device; I have no specs or information available.
I send a 16-byte command and get a 16-byte result back. The last byte looks like some kind of CRC or checksum; I have tried using this http://miscel.dk/MiscEl/miscelCRCandChecksum.html with no luck.
Can anyone reverse engineer the CRC/checksum algorithm? Here is some data captured with an RS-232 monitor program:
01 80 42 00 00 00 00 00 00 00 00 00 00 00 01 B3
01 80 42 00 00 00 00 00 00 00 00 00 00 00 02 51
01 80 42 00 00 00 00 00 00 00 00 00 00 00 03 0F
01 80 42 00 00 00 00 00 00 00 00 00 00 00 04 8C
01 80 42 00 00 00 00 00 00 00 00 00 00 00 05 D2
01 80 42 00 00 00 00 00 00 00 00 00 00 00 06 30
01 80 42 00 00 00 00 00 00 00 00 00 00 00 07 6E
01 80 42 00 00 00 00 00 00 00 00 00 00 00 08 2F
01 80 42 00 00 00 00 00 00 00 00 00 00 00 09 71
01 80 42 00 00 00 00 00 00 00 00 00 00 00 0A 93
01 80 42 00 00 00 00 00 00 00 00 00 00 00 0B CD
01 80 42 00 00 00 00 00 00 00 00 00 00 00 0C 4E
01 80 42 00 00 00 00 00 00 00 00 00 00 00 0D 10
01 80 42 00 00 00 00 00 00 00 00 00 00 00 0E F2
01 80 42 00 00 00 00 00 00 00 00 00 00 00 0F AC
01 80 42 00 00 00 00 00 00 00 00 00 00 00 10 70
01 80 42 00 00 00 00 00 00 00 00 00 00 00 11 2E
01 80 42 00 00 00 00 00 00 00 00 00 00 00 12 CC
01 80 42 00 00 00 00 00 00 00 00 00 00 00 13 92
01 80 42 00 00 00 00 00 00 00 00 00 00 00 14 11
01 80 42 00 00 00 00 00 00 00 00 00 00 00 15 4F
01 80 42 00 00 00 00 00 00 00 00 00 00 00 16 AD
01 80 42 00 00 00 00 00 00 00 00 00 00 00 17 F3
01 80 42 00 00 00 00 00 00 00 00 00 00 00 18 B2
01 80 42 00 00 00 00 00 00 00 00 00 00 00 19 EC
01 80 42 00 00 00 00 00 00 00 00 00 00 00 1A 0E
01 80 42 00 00 00 00 00 00 00 00 00 00 00 1B 50
01 80 42 00 00 00 00 00 00 00 00 00 00 00 1C D3
01 80 42 00 00 00 00 00 00 00 00 00 00 00 1D 8D
01 80 42 00 00 00 00 00 00 00 00 00 00 00 1E 6F
01 80 42 00 00 00 00 00 00 00 00 00 00 00 1F 31
01 80 42 00 00 00 00 00 00 00 00 00 00 00 20 CE
01 80 42 00 00 00 00 00 00 00 00 00 00 00 21 90
01 80 42 00 00 00 00 00 00 00 00 00 00 00 22 72
01 80 42 00 00 00 00 00 00 00 00 00 00 00 23 2C
01 80 42 00 00 00 00 00 00 00 00 00 00 00 24 AF
01 80 42 00 00 00 00 00 00 00 00 00 00 00 25 F1
01 80 42 00 00 00 00 00 00 00 00 00 00 00 26 13
01 80 42 00 00 00 00 00 00 00 00 00 00 00 27 4D
01 80 42 00 00 00 00 00 00 00 00 00 00 00 28 0C
01 80 42 00 00 00 00 00 00 00 00 00 00 00 29 52
01 80 42 00 00 00 00 00 00 00 00 00 00 00 2A B0
01 80 42 00 00 00 00 00 00 00 00 00 00 00 2B EE
01 80 42 00 00 00 00 00 00 00 00 00 00 00 2C 6D
01 80 42 00 00 00 00 00 00 00 00 00 00 00 2D 33
01 80 42 00 00 00 00 00 00 00 00 00 00 00 2E D1
01 80 42 00 00 00 00 00 00 00 00 00 00 00 2F 8F
01 80 42 00 00 00 00 00 00 00 00 00 00 00 30 53
01 80 42 00 00 00 00 00 00 00 00 00 00 00 31 0D
01 80 42 00 00 00 00 00 00 00 00 00 00 00 32 EF
01 80 42 00 00 00 00 00 00 00 00 00 00 00 33 B1
01 80 42 00 00 00 00 00 00 00 00 00 00 00 34 32
01 80 42 00 00 00 00 00 00 00 00 00 00 00 35 6C
01 80 42 00 00 00 00 00 00 00 00 00 00 00 36 8E
01 80 42 00 00 00 00 00 00 00 00 00 00 00 37 D0
01 80 42 00 00 00 00 00 00 00 00 00 00 00 38 91
01 80 42 00 00 00 00 00 00 00 00 00 00 00 39 CF
01 80 42 00 00 00 00 00 00 00 00 00 00 00 3A 2D
01 80 42 00 00 00 00 00 00 00 00 00 00 00 3B 73
01 80 42 00 00 00 00 00 00 00 00 00 00 00 3C F0
01 80 42 00 00 00 00 00 00 00 00 00 00 00 3D AE
01 80 42 00 00 00 00 00 00 00 00 00 00 00 3E 4C
01 80 42 00 00 00 00 00 00 00 00 00 00 00 3F 12
01 80 42 00 00 00 00 00 00 00 00 00 00 00 40 AB
01 80 42 00 00 00 00 00 00 00 00 00 00 00 41 F5
01 80 42 00 00 00 00 00 00 00 00 00 00 00 42 17
01 80 42 00 00 00 00 00 00 00 00 00 00 00 43 49
01 80 42 00 00 00 00 00 00 00 00 00 00 00 44 CA
01 80 42 00 00 00 00 00 00 00 00 00 00 00 45 94
01 80 42 00 00 00 00 00 00 00 00 00 00 00 46 76
01 80 42 00 00 00 00 00 00 00 00 00 00 00 47 28
01 80 42 00 00 00 00 00 00 00 00 00 00 00 48 69
01 80 42 00 00 00 00 00 00 00 00 00 00 00 49 37
01 80 42 00 00 00 00 00 00 00 00 00 00 00 4A D5
01 80 42 00 00 00 00 00 00 00 00 00 00 00 4B 8B
01 80 42 00 00 00 00 00 00 00 00 00 00 00 4C 08
01 80 42 00 00 00 00 00 00 00 00 00 00 00 4D 56
01 80 42 00 00 00 00 00 00 00 00 00 00 00 4E B4
01 80 42 00 00 00 00 00 00 00 00 00 00 00 4F EA
01 80 42 00 00 00 00 00 00 00 00 00 00 00 50 36
01 80 42 00 00 00 00 00 00 00 00 00 00 00 51 68
01 80 42 00 00 00 00 00 00 00 00 00 00 00 52 8A
01 80 42 00 00 00 00 00 00 00 00 00 00 00 53 D4
01 80 42 00 00 00 00 00 00 00 00 00 00 00 54 57
01 80 42 00 00 00 00 00 00 00 00 00 00 00 55 09
01 80 42 00 00 00 00 00 00 00 00 00 00 00 56 EB
01 80 42 00 00 00 00 00 00 00 00 00 00 00 57 B5
01 80 42 00 00 00 00 00 00 00 00 00 00 00 58 F4
01 80 42 00 00 00 00 00 00 00 00 00 00 00 59 AA
01 80 42 00 00 00 00 00 00 00 00 00 00 00 5A 48
01 80 42 00 00 00 00 00 00 00 00 00 00 00 5B 16
01 80 42 00 00 00 00 00 00 00 00 00 00 00 5C 95
01 80 42 00 00 00 00 00 00 00 00 00 00 00 5D CB
01 80 42 00 00 00 00 00 00 00 00 00 00 00 5E 29
01 80 42 00 00 00 00 00 00 00 00 00 00 00 5F 77
01 80 42 00 00 00 00 00 00 00 00 00 00 00 60 88
01 80 42 00 00 00 00 00 00 00 00 00 00 00 61 D6
01 80 42 00 00 00 00 00 00 00 00 00 00 00 62 34
01 80 42 00 00 00 00 00 00 00 00 00 00 00 63 6A
01 80 42 00 00 00 00 00 00 00 00 00 00 00 64 E9
01 80 42 00 00 00 00 00 00 00 00 00 00 00 65 B7
01 80 42 00 00 00 00 00 00 00 00 00 00 00 66 55
01 80 42 00 00 00 00 00 00 00 00 00 00 00 67 0B
01 80 42 00 00 00 00 00 00 00 00 00 00 00 68 4A
01 80 42 00 00 00 00 00 00 00 00 00 00 00 69 14
01 80 42 00 00 00 00 00 00 00 00 00 00 00 6A F6
01 80 42 00 00 00 00 00 00 00 00 00 00 00 6B A8
01 80 42 00 00 00 00 00 00 00 00 00 00 00 6C 2B
01 80 42 00 00 00 00 00 00 00 00 00 00 00 6D 75
01 80 42 00 00 00 00 00 00 00 00 00 00 00 6E 97
01 80 42 00 00 00 00 00 00 00 00 00 00 00 6F C9
01 80 42 00 00 00 00 00 00 00 00 00 00 00 70 15
01 80 42 00 00 00 00 00 00 00 00 00 00 00 71 4B
01 80 42 00 00 00 00 00 00 00 00 00 00 00 72 A9
01 80 42 00 00 00 00 00 00 00 00 00 00 00 73 F7
01 80 42 00 00 00 00 00 00 00 00 00 00 00 74 74
01 80 42 00 00 00 00 00 00 00 00 00 00 00 75 2A
01 80 42 00 00 00 00 00 00 00 00 00 00 00 76 C8
01 80 42 00 00 00 00 00 00 00 00 00 00 00 77 96
01 80 42 00 00 00 00 00 00 00 00 00 00 00 78 D7
01 80 42 00 00 00 00 00 00 00 00 00 00 00 79 89
01 80 42 00 00 00 00 00 00 00 00 00 00 00 7A 6B
01 80 42 00 00 00 00 00 00 00 00 00 00 00 7B 35
01 80 42 00 00 00 00 00 00 00 00 00 00 00 7C B6
01 80 42 00 00 00 00 00 00 00 00 00 00 00 7D E8
01 80 42 00 00 00 00 00 00 00 00 00 00 00 7E 0A
01 80 42 00 00 00 00 00 00 00 00 00 00 00 7F 54
01 80 42 00 00 00 00 00 00 00 00 00 00 00 80 61
01 80 42 00 00 00 00 00 00 00 00 00 00 00 81 3F
01 80 42 00 00 00 00 00 00 00 00 00 00 00 82 DD
01 80 42 00 00 00 00 00 00 00 00 00 00 00 83 83
01 80 42 00 00 00 00 00 00 00 00 00 00 00 84 00
01 80 42 00 00 00 00 00 00 00 00 00 00 00 85 5E
01 80 42 00 00 00 00 00 00 00 00 00 00 00 86 BC
01 80 42 00 00 00 00 00 00 00 00 00 00 00 87 E2
01 80 42 00 00 00 00 00 00 00 00 00 00 00 88 A3
01 80 42 00 00 00 00 00 00 00 00 00 00 00 89 FD
01 80 42 00 00 00 00 00 00 00 00 00 00 00 8A 1F
01 80 42 00 00 00 00 00 00 00 00 00 00 00 8B 41
01 80 42 00 00 00 00 00 00 00 00 00 00 00 8C C2
01 80 42 00 00 00 00 00 00 00 00 00 00 00 8D 9C
01 80 42 00 00 00 00 00 00 00 00 00 00 00 8E 7E
01 80 42 00 00 00 00 00 00 00 00 00 00 00 8F 20
01 80 42 00 00 00 00 00 00 00 00 00 00 00 90 FC
01 80 42 00 00 00 00 00 00 00 00 00 00 00 91 A2
01 80 42 00 00 00 00 00 00 00 00 00 00 00 92 40
01 80 42 00 00 00 00 00 00 00 00 00 00 00 93 1E
01 80 42 00 00 00 00 00 00 00 00 00 00 00 94 9D
01 80 42 00 00 00 00 00 00 00 00 00 00 00 95 C3
01 80 42 00 00 00 00 00 00 00 00 00 00 00 96 21
01 80 42 00 00 00 00 00 00 00 00 00 00 00 97 7F
01 80 42 00 00 00 00 00 00 00 00 00 00 00 98 3E
01 80 42 00 00 00 00 00 00 00 00 00 00 00 99 60
01 80 42 00 00 00 00 00 00 00 00 00 00 00 9A 82
01 80 42 00 00 00 00 00 00 00 00 00 00 00 9B DC
01 80 42 00 00 00 00 00 00 00 00 00 00 00 9C 5F
01 80 42 00 00 00 00 00 00 00 00 00 00 00 9D 01
01 80 42 00 00 00 00 00 00 00 00 00 00 00 9E E3
01 80 42 00 00 00 00 00 00 00 00 00 00 00 9F BD
01 80 42 00 00 00 00 00 00 00 00 00 00 00 A0 42
01 80 42 00 00 00 00 00 00 00 00 00 00 00 A1 1C
01 80 42 00 00 00 00 00 00 00 00 00 00 00 A2 FE
01 80 42 00 00 00 00 00 00 00 00 00 00 00 A3 A0
01 80 42 00 00 00 00 00 00 00 00 00 00 00 A4 23
01 80 42 00 00 00 00 00 00 00 00 00 00 00 A5 7D
01 80 42 00 00 00 00 00 00 00 00 00 00 00 A6 9F
01 80 42 00 00 00 00 00 00 00 00 00 00 00 A7 C1
01 80 42 00 00 00 00 00 00 00 00 00 00 00 A8 80
01 80 42 00 00 00 00 00 00 00 00 00 00 00 A9 DE
01 80 42 00 00 00 00 00 00 00 00 00 00 00 AA 3C
01 80 42 00 00 00 00 00 00 00 00 00 00 00 AB 62
01 80 42 00 00 00 00 00 00 00 00 00 00 00 AC E1
01 80 42 00 00 00 00 00 00 00 00 00 00 00 AD BF
01 80 42 00 00 00 00 00 00 00 00 00 00 00 AE 5D
01 80 42 00 00 00 00 00 00 00 00 00 00 00 AF 03
01 80 42 00 00 00 00 00 00 00 00 00 00 00 B0 DF
01 80 42 00 00 00 00 00 00 00 00 00 00 00 B1 81
01 80 42 00 00 00 00 00 00 00 00 00 00 00 B2 63
01 80 42 00 00 00 00 00 00 00 00 00 00 00 B3 3D
01 80 42 00 00 00 00 00 00 00 00 00 00 00 B4 BE
01 80 42 00 00 00 00 00 00 00 00 00 00 00 B5 E0
01 80 42 00 00 00 00 00 00 00 00 00 00 00 B6 02
01 80 42 00 00 00 00 00 00 00 00 00 00 00 B7 5C
01 80 42 00 00 00 00 00 00 00 00 00 00 00 B8 1D
01 80 42 00 00 00 00 00 00 00 00 00 00 00 B9 43
01 80 42 00 00 00 00 00 00 00 00 00 00 00 BA A1
01 80 42 00 00 00 00 00 00 00 00 00 00 00 BB FF
01 80 42 00 00 00 00 00 00 00 00 00 00 00 BC 7C
01 80 42 00 00 00 00 00 00 00 00 00 00 00 BD 22
01 80 42 00 00 00 00 00 00 00 00 00 00 00 BE C0
01 80 42 00 00 00 00 00 00 00 00 00 00 00 BF 9E
01 80 42 00 00 00 00 00 00 00 00 00 00 00 C0 27
01 80 42 00 00 00 00 00 00 00 00 00 00 00 C1 79
01 80 42 00 00 00 00 00 00 00 00 00 00 00 C2 9B
01 80 42 00 00 00 00 00 00 00 00 00 00 00 C3 C5
01 80 42 00 00 00 00 00 00 00 00 00 00 00 C4 46
01 80 42 00 00 00 00 00 00 00 00 00 00 00 C5 18
01 80 42 00 00 00 00 00 00 00 00 00 00 00 C6 FA
01 80 42 00 00 00 00 00 00 00 00 00 00 00 C7 A4
01 80 42 00 00 00 00 00 00 00 00 00 00 00 C8 E5
01 80 42 00 00 00 00 00 00 00 00 00 00 00 C9 BB
01 80 42 00 00 00 00 00 00 00 00 00 00 00 CA 59
01 80 42 00 00 00 00 00 00 00 00 00 00 00 CB 07
01 80 42 00 00 00 00 00 00 00 00 00 00 00 CC 84
01 80 42 00 00 00 00 00 00 00 00 00 00 00 CD DA
01 80 42 00 00 00 00 00 00 00 00 00 00 00 CE 38
01 80 42 00 00 00 00 00 00 00 00 00 00 00 CF 66
01 80 42 00 00 00 00 00 00 00 00 00 00 00 D0 BA
01 80 42 00 00 00 00 00 00 00 00 00 00 00 D1 E4
01 80 42 00 00 00 00 00 00 00 00 00 00 00 D2 06
01 80 42 00 00 00 00 00 00 00 00 00 00 00 D3 58
01 80 42 00 00 00 00 00 00 00 00 00 00 00 D4 DB
01 80 42 00 00 00 00 00 00 00 00 00 00 00 D5 85
01 80 42 00 00 00 00 00 00 00 00 00 00 00 D6 67
01 80 42 00 00 00 00 00 00 00 00 00 00 00 D7 39
01 80 42 00 00 00 00 00 00 00 00 00 00 00 D8 78
01 80 42 00 00 00 00 00 00 00 00 00 00 00 D9 26
01 80 42 00 00 00 00 00 00 00 00 00 00 00 DA C4
01 80 42 00 00 00 00 00 00 00 00 00 00 00 DB 9A
01 80 42 00 00 00 00 00 00 00 00 00 00 00 DC 19
01 80 42 00 00 00 00 00 00 00 00 00 00 00 DD 47
01 80 42 00 00 00 00 00 00 00 00 00 00 00 DE A5
01 80 42 00 00 00 00 00 00 00 00 00 00 00 DF FB
01 80 42 00 00 00 00 00 00 00 00 00 00 00 E0 04
01 80 42 00 00 00 00 00 00 00 00 00 00 00 E1 5A
01 80 42 00 00 00 00 00 00 00 00 00 00 00 E2 B8
01 80 42 00 00 00 00 00 00 00 00 00 00 00 E3 E6
01 80 42 00 00 00 00 00 00 00 00 00 00 00 E4 65
01 80 42 00 00 00 00 00 00 00 00 00 00 00 E5 3B
01 80 42 00 00 00 00 00 00 00 00 00 00 00 E6 D9
01 80 42 00 00 00 00 00 00 00 00 00 00 00 E7 87
01 80 42 00 00 00 00 00 00 00 00 00 00 00 E8 C6
01 80 42 00 00 00 00 00 00 00 00 00 00 00 E9 98
01 80 42 00 00 00 00 00 00 00 00 00 00 00 EA 7A
01 80 42 00 00 00 00 00 00 00 00 00 00 00 EB 24
01 80 42 00 00 00 00 00 00 00 00 00 00 00 EC A7
01 80 42 00 00 00 00 00 00 00 00 00 00 00 ED F9
01 80 42 00 00 00 00 00 00 00 00 00 00 00 EE 1B
01 80 42 00 00 00 00 00 00 00 00 00 00 00 EF 45
01 80 42 00 00 00 00 00 00 00 00 00 00 00 F0 99
01 80 42 00 00 00 00 00 00 00 00 00 00 00 F1 C7
01 80 42 00 00 00 00 00 00 00 00 00 00 00 F2 25
01 80 42 00 00 00 00 00 00 00 00 00 00 00 F3 7B
01 80 42 00 00 00 00 00 00 00 00 00 00 00 F4 F8
01 80 42 00 00 00 00 00 00 00 00 00 00 00 F5 A6
01 80 42 00 00 00 00 00 00 00 00 00 00 00 F6 44
01 80 42 00 00 00 00 00 00 00 00 00 00 00 F7 1A
01 80 42 00 00 00 00 00 00 00 00 00 00 00 F8 5B
01 80 42 00 00 00 00 00 00 00 00 00 00 00 F9 05
01 80 42 00 00 00 00 00 00 00 00 00 00 00 FA E7
01 80 42 00 00 00 00 00 00 00 00 00 00 00 FB B9
01 80 42 00 00 00 00 00 00 00 00 00 00 00 FC 3A
01 80 42 00 00 00 00 00 00 00 00 00 00 00 FD 64
01 80 42 00 00 00 00 00 00 00 00 00 00 00 FE 86
01 80 42 00 00 00 00 00 00 00 00 00 00 00 FF D8
The second to last byte seems to be a sequential number that starts over at 00 when it reaches FF. I have included the whole range from 00 to FF to make it easier to guess the crc/checksum method.
I can't add a comment, so I will add the info here:
The last byte is the same when all the preceding 15 bytes are equal.
This is the device: http://www.intelektron.com/productos/tya_rei4000.htm
CORRECTION
(And I think I found a bug in the software) The device itself starts over at 00 after reaching FF in the second to last byte, but the software that sends commands to the device starts over at 01 when it reaches FF. Anyway I think this second to last sequence byte is not relevant to the crc/checksum problem.
CLARIFICATION
The listed data are commands sent by the software, the replies by the device are not listed. The device responds to each of the above commands sending one row of stored data like:
80 01 C2 80 85 01 25 65 57 37 19 32 01 04 76 17
This line contains a 4 byte card number, a time and date, etc, not relevant I think to the crc/checksum problem.
ADDITIONAL INFO:
I have been poking around the VB6 OCXs of the software and got this:
Object: clsCRC8
Object: basComunicaciones2
Private sub Proc_1_0_30305330
loc_30305352: var_8 = 30301198h
loc_30305373: call basComunicaciones2.SetPropA(edi, arg_8, ebx)
loc_30305376: var_4 = 0
End Sub
Private sub Proc_1_1_303053A0
loc_303053C2: var_8 = 303011A0h
loc_303053E2: call MSVBVM60.DLL.__vbaBoolVarNull(basComunicaciones2.Caption = %x1, arg_8, ebx)
loc_303053EB: If MSVBVM60.DLL.__vbaBoolVarNull(basComunicaciones2.Caption <> %x1 <> arg_8 Then GoTo loc_303054B8
loc_303053F7: var_24 = FFFFFFFFh
loc_303053FE: var_2C = 11
loc_30305405: ecx = True
loc_3030540D: call MSVBVM60.DLL.__vbaUI1I2
loc_3030541C: edx = edx - 0001h
loc_30305429: If edx-0001h < 0 Then GoTo loc_30305499
loc_3030542B:
loc_30305443: di = di - basComunicaciones2.%x1 = GetIDsOfNames(%x2) 'Ignore this
loc_30305447: If di < Me.GetTypeInfo Then GoTo loc_3030544F
loc_30305449: Err.Raise
loc_3030544F:
loc_30305451: GoTo loc_30305459
loc_30305453: Err.Raise
loc_30305459:
loc_3030546B: eax = "" And 000000FFh
loc_30305478: If ecx+eax xor eax < 257 Then GoTo loc_30305480
loc_3030547A: Err.Raise
loc_30305480:
loc_30305492: var_18 = Var_Ret_1
loc_30305495: If edi <= Me = %x1 Then GoTo loc_3030542B
loc_30305499:
loc_3030549F: not al
loc_303054A1: var_18 = Var_Ret_1
loc_303054A4: var_24 = 0
loc_303054AB: var_2C = 11
loc_303054B2: ecx =
loc_303054B8:
loc_303054DC: Exit Sub
End Sub
Private sub Proc_1_2_30306410
loc_30306432: var_8 = 303011A8h
loc_3030644F: var_38 = &H4011
loc_30306489: If Len(Hex()) >= 2 Then GoTo loc_303064A1
loc_3030649F: var_18 = 808463756 & var_18
loc_303064A1:
loc_303064A6: GoTo loc_303064C1
loc_303064C0: Exit Sub
loc_303064C1:
End Sub
I am pretty sure this calculates the CRC8 of the data:
Method Calcular(Paquete As , CantidadDeBytes As Integer) As Unsigned Small Integer
Member of vbpComunicaciones2 (cached).clsCRC8
Defined in interface _clsCRC8
Can anyone get some sense out of this? Sadly, I can't.
The answer was here: http://blog.sina.com.cn/s/blog_5a1d5bca0100bjvx.html
0xff - result from the algorithm at the above link, and everything matches up. Took me 2 afternoons and the help I got here, but I finally nailed it.
Of course I more or less understand what that code is doing thanks to the link posted by Gerhard. Thank you.
It is not a checksum or data XOR.
There are a few CRC options that you can try. The data you give does not give a positive result on any easy crc solutions.
Common 8-bit CRCs are:
Name : poly : normal / reversed / reverse of reciprocal
CRC-8-CCITT : x8 + x2 + x + 1 : 0x07 / 0xE0 / 0x83
CRC-8-Dallas/Maxim (1-Wire bus) : x8 + x5 + x4 + 1 : 0x31 / 0x8C / 0x98
CRC-8 : x8 + x7 + x6 + x4 + x2 + 1 : 0xD5 / 0xAB / 0xEA
CRC-8-SAE : x8 + x4 + x3 + x2 + 1 : 0x1D / 0xB8 / 0x8E
CRC-8-WCDMA : x8 + x7 + x4 + x3 + x + 1 : 0x9B / 0xD9 / 0xCD
Implementation options to mix it up would be:
Normal or reversed data bytes, initial value (0xff or 0x00), final XOR or not, and reversing the CRC result before the final XOR.
For a CRC it must be one of these options unless they rolled their own.
To learn more, see A Painless Guide to CRC Error Detection Algorithms.
#Define CRCTBL1 0h005EBCE2613FDD83C29C7E20A3FD1F419DC3217FFCA2401E5F01E3BD3E6082DC
#Define CRCTBL2 0h237D9FC1421CFEA0E1BF5D0380DE3C62BEE0025CDF81633D7C22C09E1D43A1FF
#Define CRCTBL3 0h4618FAA427799BC584DA3866E5BB5907DB856739BAE406581947A5FB7826C49A
#Define CRCTBL4 0h653BD987045AB8E6A7F91B45C6987A24F8A6441A99C7257B3A6486D85B05E7B9
#Define CRCTBL5 0h8CD2306EEDB3510F4E10F2AC2F7193CD114FADF3702ECC92D38D6F31B2EC0E50
#Define CRCTBL6 0hAFF1134DCE90722C6D33D18F0C52B0EE326C8ED0530DEFB1F0AE4C1291CF2D73
#Define CRCTBL7 0hCA947628ABF517490856B4EA6937D58B5709EBB536688AD495CB2977F4AA4816
#Define CRCTBL8 0hE9B7550B88D6346A2B7597C94A14F6A8742AC896154BA9F7B6E80A54D7896B35
#Define CRCTBL0 CRCTBL1+CRCTBL2+CRCTBL3+CRCTBL4+CRCTBL5+CRCTBL6+CRCTBL7+CRCTBL8
Lparameters pcString
Local ;
lnCRC8, ;
lnIndex, ;
lnx, ;
lnByte
m.lnCRC8 = 0
For lnx = 1 To Len(m.pcString)
m.lnByte = Asc(Substr(m.pcString, m.lnx, 1))
m.lnIndex = Bitxor(m.lnCRC8, m.lnByte)
m.lnCRC8 = Asc(Substr(CRCTBL0, m.lnIndex + 1, 1))
Endfor
m.lnCRC8 = 0xff - m.lnCRC8
Return m.pcString + Chr(m.lnCRC8)
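As an added example (Python written for this page, not code from the question, the linked blog, or the FoxPro listing), here is the checksum from the captures written out as a bit-level CRC rather than a table. The lookup table in the FoxPro code begins 00 5E BC E2 61 3F DD 83, which is the CRC-8 Dallas/Maxim table from Gerhard's list (polynomial 0x31, reflected form 0x8C, initial value 0), and "0xff - crc" on an 8-bit value is the same as a final XOR with 0xFF. The rows used for checking are transcribed from the capture above.

```python
# Added example, not from the question or the FoxPro listing: the capture's
# checksum as CRC-8/MAXIM (reflected, poly 0x31 -> 0x8C, init 0) with a final XOR of 0xFF.

POLY_REFLECTED = 0x8C   # x^8 + x^5 + x^4 + 1, bit-reversed for LSB-first processing


def crc8_maxim(data: bytes, init: int = 0) -> int:
    """CRC-8/MAXIM: reflected input and output, init 0, no final XOR."""
    crc = init
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ POLY_REFLECTED if crc & 1 else crc >> 1
    return crc


def build_table() -> bytes:
    """Regenerate the 256-entry table the FoxPro code carries as CRCTBL1..CRCTBL8."""
    return bytes(crc8_maxim(bytes([i])) for i in range(256))


def frame_checksum(payload: bytes) -> int:
    """Checksum byte for a 15-byte command payload: CRC-8/MAXIM, then XOR 0xFF
    (the listing's '0xff - m.lnCRC8', identical for values 0..255)."""
    return crc8_maxim(payload) ^ 0xFF


def checksum_ok(frame: bytes) -> bool:
    """Validate a captured 16-byte frame: the last byte must match the first 15."""
    return len(frame) == 16 and frame[-1] == frame_checksum(frame[:-1])


def command_frame(seq: int) -> bytes:
    """The command pattern from the capture: 01 80 42, eleven zero bytes, a sequence byte."""
    return bytes([0x01, 0x80, 0x42]) + bytes(11) + bytes([seq & 0xFF])


# A few rows transcribed from the capture above (sequence byte -> last byte).
CAPTURED = {0x01: 0xB3, 0x02: 0x51, 0x84: 0x00, 0xFF: 0xD8}

if __name__ == "__main__":
    print("table starts:", build_table()[:8].hex(" ").upper())
    for seq, last in CAPTURED.items():
        frame = command_frame(seq) + bytes([last])
        print(frame.hex(" ").upper(), "ok" if checksum_ok(frame) else "BAD")
```

Because the 15 leading bytes are identical in every captured command, the CRC register reaches the same state before the sequence byte each time, and only the final table lookup differs from row to row; that is also why the last byte is the same whenever the preceding 15 bytes are equal, as the question observes.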