Password Protected Code

In some cases, keeping the encrypted code inside the obfuscated assembly may be preferable to storing it in external files. In this case, access to the encrypted code is protected by a password, which significantly reduces the amount of information needed to reconstruct the method while maintaining the same level of security. Without the password, the Babel Virtual Machine (BVM) cannot reconstruct the original method, so the encrypted code is useless. This approach balances security and performance: the encrypted code is stored within the assembly and can be accessed quickly when needed.

To define which code will be encrypted with a password, we need an XML rule specifying the method or type to be encrypted, the source name, and the password used. Here's an example of such a rule:

<Rule name="encrypt algorithms" feature="msil encryption" exclude="false">
  <Target>Methods</Target>
  <Pattern>ACME.Algorithms::*</Pattern>
  <Properties>
     <Source>algorithms</Source>
     <Password>mySecretPassword</Password>
     <Internal>true</Internal>
  </Properties>
  <Description>Encrypt code in the Algorithms class using a password.</Description>
</Rule>

Note that the rule sets the Internal property to true, which instructs Babel to store the encrypted code inside the obfuscated assembly rather than in an external file.

As the encrypted code is stored inside the obfuscated assembly, there is no need to define the GetSourceStream method to retrieve the encrypted stream. Instead, we need to declare another method that will be called by the BVM to retrieve the password needed to decrypt and execute the method.

[Obfuscation(Feature="msil encryption get password")]
internal static string GetSourcePassword(string source) 

At runtime, the BVM calls GetSourcePassword with the name of the encrypted data source associated with the encrypted methods (in this case, "algorithms"). GetSourcePassword should return the password that decrypts the bytecode for the requested data source. The BVM can then execute the requested method.
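One way to implement GetSourcePassword, added here as an example and not taken from the Babel documentation: the password for each data source is read from an environment variable, so it is not a string literal in the same assembly that carries the encrypted code. The class name, the environment variable name and the choice to throw on an unknown or unprovisioned source are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;

namespace ACME
{
    // Hypothetical holder class; the page does not say where the method must live.
    internal static class BvmPasswords
    {
        // Data source name (the <Source> value in the rule) mapped to the
        // environment variable that holds its password. The variable name is
        // an assumption made for this example.
        private static readonly Dictionary<string, string> SourceToVariable =
            new Dictionary<string, string>(StringComparer.Ordinal)
            {
                { "algorithms", "ACME_ALGORITHMS_PASSWORD" },
            };

        [Obfuscation(Feature = "msil encryption get password")]
        internal static string GetSourcePassword(string source)
        {
            // Fail closed on a data source this build does not know about.
            // How the BVM reacts to an exception here is not documented on the page.
            if (source == null ||
                !SourceToVariable.TryGetValue(source, out string variable))
            {
                throw new InvalidOperationException("Unknown encrypted data source.");
            }

            // The provisioned value must equal the <Password> used in the rule
            // when the assembly was obfuscated.
            string password = Environment.GetEnvironmentVariable(variable);
            if (string.IsNullOrEmpty(password))
            {
                throw new InvalidOperationException(
                    "No password provisioned for data source '" + source + "'.");
            }

            return password;
        }
    }
}
```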
