How does GadgetToJScript bypass the .NET 4.8+ blocking of Assembly.Load?
It does it in two stages. .NET Framework 4.8 added a type check to `ActivitySurrogateSelector`, the surrogate-based gadget chain whose final step calls `Assembly.Load`, so a single deserialization of that chain no longer reaches the assembly load. (4.8 does not block `Assembly.Load` itself; it only rejects the surrogate types the chain depends on.) That check is gated on the AppContext switch `Switch.System.Workflow.ComponentModel.Serialization.ActivitySurrogateSelector.DisableTypeCheck`, which exists so applications can restore the pre-4.8 behaviour through `<AppContextSwitchOverrides>` in their config. GadgetToJScript's `_DisableTypeCheckGadgetGenerator` therefore emits a first payload whose deserialization sets that switch to true; because AppContext switches are process-wide, the check is disabled for every deserialization that follows in the same process. A second deserialization then runs the ordinary `ActivitySurrogateSelector` chain, which loads the embedded .NET program. The technique is explained in the GadgetToJScript Exploitation Analysis and is based on research from Silent Break Security. The practical consequence for defenders is that the 4.8 type check is a mitigation, not a boundary: any code that deserializes attacker-controlled data with `BinaryFormatter` (or another formatter that honours surrogate selectors) is still exploitable once the switch has been flipped.
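The two-stage flow, shown as an added C# illustration rather than code from GadgetToJScript or its analysis. It targets .NET Framework 4.8, where `BinaryFormatter` is still enabled. The `SwitchFlipper` class is an assumption made for clarity: it stands in for the stage-1 gadget by calling `AppContext.SetSwitch` from a deserialization callback, whereas the real payload reaches the same call using only types that already exist in the framework. Stage 2 is described in comments and not executed, since it would require the real surrogate chain and a payload assembly.

```csharp
// Added illustration, not GadgetToJScript's or any project's own code.
// Requires .NET Framework (BinaryFormatter is disabled on .NET 5+).
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

static class TwoStageDemo
{
    // AppContext switch consulted by ActivitySurrogateSelector on .NET Framework 4.8+.
    // true means the 4.8 type check is disabled (the pre-4.8 behaviour the chain needs).
    const string DisableTypeCheck =
        "Switch.System.Workflow.ComponentModel.Serialization.ActivitySurrogateSelector.DisableTypeCheck";

    // Stand-in for the stage-1 gadget (assumption for this illustration): any code that
    // runs while the formatter deserializes the blob and calls AppContext.SetSwitch.
    [Serializable]
    class SwitchFlipper
    {
        [OnDeserialized]
        void Flip(StreamingContext _) => AppContext.SetSwitch(DisableTypeCheck, true);
    }

    // Builds the stage-1 blob exactly as an attacker would ship it to a BinaryFormatter sink.
    static byte[] BuildStage1()
    {
        using (var ms = new MemoryStream())
        {
            new BinaryFormatter().Serialize(ms, new SwitchFlipper());
            return ms.ToArray();
        }
    }

    // What a defender or test harness can query to see whether the process has been
    // downgraded to pre-4.8 behaviour; the switch is unset (treated as false) by default.
    static bool TypeCheckDisabled()
    {
        bool value;
        return AppContext.TryGetSwitch(DisableTypeCheck, out value) && value;
    }

    static void Main()
    {
        Console.WriteLine("before stage 1: type check disabled = " + TypeCheckDisabled());

        byte[] stage1 = BuildStage1();
        // Stage 1: the sink deserializes attacker bytes; the callback flips the
        // process-wide switch as a side effect. The returned object is irrelevant.
        new BinaryFormatter().Deserialize(new MemoryStream(stage1));

        Console.WriteLine("after stage 1: type check disabled = " + TypeCheckDisabled());

        // Stage 2 (not executed here): deserialize the ordinary ActivitySurrogateSelector
        // chain. With the switch set, the 4.8 type check no longer rejects the surrogate
        // types, so the chain proceeds to its Assembly.Load step and runs the embedded code.
    }
}
```

The point of `TypeCheckDisabled()` is that the bypass leaves a process-wide trace: the switch is never true in a healthy process unless the application's own config sets it via `<AppContextSwitchOverrides>`, so a service that finds it set without such an override has evidence that a stage-1 payload has already been deserialized.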
Tags: Assembly.Load, .NET 4.8, ActivitySurrogateSelector, deserialization, bypass