The trick consists in noticing it's an XOR with the 4 next characters, and you know the first 4 characters of the flag are CSR{
See complete write-up: https://cryptax.github.io/2020/10/31/hashfun.html