FlexLM: Finding LM_SEED1-3 or ENCRYPTION_SEED3-4

[atomix]

Some time ago I had the feeling that SentinelLM is more difficult to crack than FlexLM - however I had no practical experience with none of them.

Recently I have reversed some targets protected by SLM and thank to the many tutorials and tools available I was able to succesfully crack them in a relatively short time. Bottom line is that if you know the VendorID than SLM tools become a nice keygen.

Now I moved on to FlexLM and tried to crack a target protected by FlexLM 9. I studied many tutorials available (including topics on this forum) and learned about this security by obscurity protection. To me FlexLM seems quite messy and it is not that nice as SLM.
Anyway, I was able to find the encryption seeds 1-2 and generate the vendor codes using the available tools (many thanks to those making and sharing them). Now all you need to create a keygen for FlexLM apps is SDK and the LM_SEED1-3 values. Alternatively you can go on using the ENCRYPTIONSEED1-2 and ENCRYPTIONSEED3-4 (optional sometimes).

I kinda know the answer to my next question but I do have to ask it to get some feedback from you so I can get some clear answers and the peace of my mind.

While many tutorials describe the way to find encseed 1-2, it seems very difficult or impossible to find encseeds3-4 or/and lm_seed1-3. Is there any way to recover these values? Can you share some info?

Additional question: Is it possible to get the encryptionseed1-2 from the encrypted strings in the license.dat files (providing that you have one)?
What I mean is something similar to SLM, where you can find the VendorID from an encrypted string taken from existing valid license files (see the nice tool posted by souz).