Correct me if I'm wrong, but I think both you and duks made the same mistake in your respective writeups: the cipher is not (2⋅r²+flag[i])^e but (2^(1+flag[i])⋅r²)^e. This is because (padding << 1 + m % 2) is really (padding << (1 + m % 2)) and not ((padding << 1) + m % 2)
But thank you very much for your writeup anyway, it was very useful and everything else is still valid.