Flexlm: Recover LM_SEEDS based on encryption seeds

Hi folks,

really nice forum here... much information...
Well I'm working on a simple attack on flexlm's CRO feature.
I know how to recover encryption seed 1 and 2 and that
the encryption seeds 1-4 are generated from LM_SEED1-3.

On CrackZ site there is an essay about a weakness in the early implementation
of generating the encryption seeds.

Well my Flexlm version is 11.4 and what i discovered so far is that
they changed the generation algo using the FIP186-2 RNG so there is no
known way to recover the LM_SEEDs from the encryption seeds.

My question is, does anyone of you tried a birthday attack on the generation
of the encryption seeds? Or any other attack?
It could really take a while recovering the correct LM_SEEDs because you
need around 2^48 different LM_SEED tries to find the the correct encryption seed.
I coded a small app which does exactly this, but I haven't had luck until now.

regards
tr1stan