One Day Sec

What technique does the execute-assembly approach use to avoid static detection of the Seatbelt binary?

The execute-assembly method XORs every byte of Seatbelt.exe with a key (e.g., 0x01) before storing it in a C++ array. At runtime, the loader reverses the XOR operation to restore the original binary in memory before loading the .NET assembly via `Load_3(...)`. This obfuscation hides the Seatbelt signature from static analysis. The full implementation, including XOR handling and parameter passing, is detailed in the Implementation of In-Memory Loading for Seatbelt article.
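From a defender's side, the weakness of this scheme is that a single-byte XOR key is recoverable from the plaintext structure it hides: a PE image always starts with `MZ` and carries a `PE\0\0` signature at the offset stored in `e_lfanew`, so a scanner can derive the key from any two bytes and confirm it from the header. The following is an added example (not code from the original page or from the Seatbelt/execute-assembly project) that carves a XOR-encoded PE header out of a byte blob such as a loader's embedded array; the sample image and key are constructed here and are not real Seatbelt bytes.

```python
"""Detect a single-byte-XOR-encoded PE image embedded in a byte blob.

Given a buffer carved from a loader binary (for instance a large C/C++
byte array in its data section), derive the XOR key from the expected
'MZ' magic at each offset and confirm it with the 'PE\\0\\0' signature
at e_lfanew. The key is never needed up front: it is recovered from the
known plaintext structure of the PE header.
"""
import struct

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the same op encodes and decodes)."""
    return bytes(b ^ key for b in data)


def build_fake_pe(e_lfanew: int = 0x80, body: bytes = b"\xCC" * 64) -> bytes:
    """Constructed, minimal PE-shaped image: DOS magic, e_lfanew, PE signature.

    This is NOT a runnable executable; it only carries the header fields
    the detector checks, which is all the example needs.
    """
    dos = bytearray(e_lfanew)
    dos[0:2] = MZ
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)
    return bytes(dos) + PE_SIG + body


def find_xor_encoded_pe(blob: bytes):
    """Return (offset, key) for every single-byte-XOR-encoded PE header in blob.

    A plain (key 0x00) PE image is reported as well, which is intended.
    """
    hits = []
    n = len(blob)
    for off in range(n - 0x40):
        key = blob[off] ^ MZ[0]            # key implied by 'M' at this offset
        if blob[off + 1] ^ key != MZ[1]:   # the next byte must decode to 'Z'
            continue
        hdr = xor_bytes(blob[off + 0x3C:off + 0x40], key)
        e_lfanew = struct.unpack("<I", hdr)[0]
        sig_at = off + e_lfanew
        if e_lfanew < 0x40 or sig_at + 4 > n:
            continue                       # e_lfanew out of range: not a header
        if xor_bytes(blob[sig_at:sig_at + 4], key) == PE_SIG:
            hits.append((off, key))
    return hits


# Constructed sample: a XOR(0x01)-encoded image (the key the article cites)
# surrounded by unrelated filler, mimicking a loader's embedded array.
SAMPLE_KEY = 0x01
SAMPLE_BLOB = b"\x90" * 32 + xor_bytes(build_fake_pe(), SAMPLE_KEY) + b"\xff" * 8


def scan_sample():
    """Run the detector over the constructed blob; expected [(32, 1)]."""
    return find_xor_encoded_pe(SAMPLE_BLOB)


if __name__ == "__main__":
    for off, key in scan_sample():
        print(f"XOR-encoded PE header at offset {off:#x}, key {key:#04x}")
```

The `PE\0\0` confirmation matters: on arbitrary data, an `MZ`-derived key alone fires on roughly one offset in 256, while requiring the signature at a sane `e_lfanew` keeps false positives negligible. Any key in 0x00..0xFF is recovered the same way, which is why single-byte XOR only defeats exact-byte signatures and not a scanner that understands the format it is looking for.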
Tags: XOR obfuscation, execute-assembly, static evasion, HostingCLR, .NET assembly loading