What is the exploitation chain used by GadgetToJScript to execute .NET assemblies?
The chain maps a byte array to class instantiation: `byte[] -> Assembly.Load -> Assembly -> Assembly.GetType -> Type[] -> Activator.CreateInstance`. `_ASurrogateGadgetGenerator.cs` reads the compiled assembly from memory (via `TestAssemblyLoader.cs`), and `_SurrogateSelector.cs` then acts as a wrapper. This chain also bypasses AMSI by avoiding a direct `DynamicInvoke` call, as detailed in the GadgetToJScript Exploitation Analysis.
exploitation chain, Assembly.Load, Activator.CreateInstance, AMSI bypass, memory compilation