Hello!
I don't understand the final step of mac construction.
I need to change two plaintext blocks, right?

payload: adminxxxxxxxxxxx xxxxxxxxxxxxxxxx xxxxxxxxxxxxxxx[\x2b]
hash:    xxxxxhhhhhhhhhhh hhhhhhhhhhhhhhhh hhhhhxxxxxxxxxx[\x0b]
iv:      aaaaabbbbbbbbbbb

x means don't care. We can change plaintext by changing iv, but iv is shared between payload and hash. We can only change part b of iv. Fortunately, it only compares last 252 bits (31.5 bytes), so garbage at the front of hash will be stripped off.