ACE Did Something Western Anti-Cheats Have Not
// ACE public stats, Arena Breakout: Infinite early access cycle
408,133 accounts banned. 293 distinct cheat tools blocked. 4,516 anti-cheat updates shipped.
Those are not internal estimates. Tencent publishes them. ACE is the first kernel anti-cheat in a Western-facing release that claims, and demonstrates, DMA detection capability.
Arena Breakout: Infinite ships with ACE, Tencent's kernel-level anti-cheat. For years, the assumption among cheat buyers has been simple. External cheats sit outside the process and stay quieter. DMA hardware sits outside the PC entirely and is essentially invisible. Internal cheats live inside the game and are the loudest of the three.
ABI breaks that hierarchy. ACE treats the three architectures differently than BattlEye or EAC do, and the practical risk order on this specific game does not match what most cheat forum threads assume. This piece breaks down what each architecture actually does, what ACE catches at each layer, and why the answer for ABI in 2026 is not the one most players guess.
Three Architectures, Three Risk Profiles
Every cheat sold for any PC game falls into one of three architectural categories. The category determines almost everything: how it reads game data, what the anti-cheat sees, how detection lands, and how long a build stays alive after a patch.
// Architectural risk on Arena Breakout: Infinite (ACE + behavioral layer)
This ordering surprises people. On games like Escape from Tarkov or PUBG, where BattlEye handles detection, DMA sits at the top of the safety tree and internal cheats are the riskiest play. ABI inverts the bottom two. The reason is what ACE chooses to watch.
Internal Cheats: Inside the Process, Outside the Database
An internal cheat is a piece of code, usually a DLL, that gets loaded into the game process at runtime. Once it is inside, it has full access to the game's memory without needing handles, without calling external APIs, without crossing any process boundary. It reads enemy coordinates directly from the engine's object list and writes overlays straight into the rendering pipeline.
That sounds noisy. It would be, if the binary was shared.
The shift on ABI is structural. ACE's primary detection vector against internal cheats is signature scanning: comparing loaded modules against a database of known cheat binaries. A public internal cheat distributed to thousands of users hits that database within hours of release. A private internal build, compiled fresh per subscriber, does not exist in the database at all. There is nothing for ACE to match against.
// What ACE actually checks on an internal cheat
→ Module signature against known-cheat hash database
→ Memory region permissions, executable-but-unmapped flagging
→ Hook tables and inline patches in the game's API calls
→ Thread enumeration for foreign execution contexts
A premium internal build addresses every line on that list. Manual mapping bypasses the loader's footprint. Code mutation per compile changes the signature for every subscriber. Hooks are placed using indirect call chains rather than detour patches. The result is a binary that occupies the same memory space as any other game module and does not match anything ACE has catalogued.
The detection vector that does remain is behavioral, and that is the same vector every cheat type fights. We come back to it in section 6.
External Cheats and Why ACE Sees Them First
An external cheat runs as a separate process. To read the game's memory, it asks Windows for a handle to the game process and then calls ReadProcessMemory against memory addresses it has reverse-engineered ahead of time. The architecture is appealing because the cheat code never enters the game. The handle is the entire attack surface.
That is also the problem. The handle is what ACE looks at first.
ACE registers callbacks through ObRegisterCallbacks, a kernel mechanism that intercepts every attempt to open a handle to the protected process. The driver inspects the requesting process, checks the access rights, and either grants the handle, strips the dangerous flags off it, or rejects the request outright. Standard usermode external cheats trip this on the first request. ACE was built with handle scrutiny as a core capability, not an afterthought.
| External tier | Access method | What ACE sees | Survival on ABI |
|---|---|---|---|
| Usermode external | OpenProcess + ReadProcessMemory | Foreign handle with VM_READ rights | Hours to days |
| Kernel-assisted external | BYOVD driver + MmCopyVirtualMemory | Driver scan, signed-driver enumeration | Days to weeks |
| External over FPGA | DMA card reading RAM via PCIe | Behavioral telemetry only | Weeks, conditional |
Kernel-assisted external builds push the access into Ring 0 by loading a Microsoft-signed but vulnerable driver, exploiting it, and reading memory from the kernel. ACE responds with vulnerable-driver enumeration. Windows itself publishes the HVCI driver blocklist, and ACE checks against an expanded internal list that turns over fast. A BYOVD technique that worked last month often fails this month, not because the cheat changed but because the driver landed on a blocklist.
This is the gap the cheat scene underestimated on ABI. External, even kernel-assisted external, is no longer the default safe pick on this game.
DMA in ABI: The Blind Spot That Stopped Being Blind
Direct Memory Access cheats take the external concept to its physical limit. A PCIe board with an FPGA chip is installed in the game PC's motherboard. The cheat software runs on a completely separate computer, connected by cable to the FPGA. The FPGA reads RAM over the PCIe bus without the CPU's involvement, without any software on the game machine. From a software-only anti-cheat's view, the game PC is clean.
That description has been the marketing pitch for DMA for years. It is still mostly true on BattlEye-protected games. On ABI, with ACE, the claim has eroded.
ACE does not directly see the FPGA. It cannot scan a board over PCIe with software running on the host. What ACE does instead is watch the consequences. A DMA-driven aimbot still produces flick angles measured against bone positions. A DMA-driven ESP still results in players peeking corners they had no audio or line-of-sight reason to peek. The hardware is invisible, the behavior it produces is not.
Tencent's public statement on the system reads, in their own wording, that ACE blocks "common high-level threats including VT-based evasion and DMA attacks." That language is unusually specific. Western anti-cheat vendors avoid claiming DMA detection because the claim is hard to defend. ACE makes the claim and publishes ban numbers against it.
// observed: ABI cheat-vendor incident log, public threads
That cycle is the reality DMA buyers are walking into on ABI. The card itself is not the weak link. The build running on the second PC is. When that build hits ACE's behavioral profile or its periodic signature rotation, the ban lands on the game account regardless of where the read came from.
The Detection Math: What ACE Actually Watches
Strip away the marketing language on both sides and ACE's design is three layers stacked. Each layer catches different cheats. Each layer has a different cost to bypass.
The first layer is signature scanning, which is what catches public builds within hours of release. The second is memory integrity, which is what catches the lazier external builds and BYOVD drivers that have already landed on a blocklist. The third is behavioral, and the third is the one that does not care what architecture you bought.
Behavioral analysis on ABI tracks sub-millisecond aim transitions. A crosshair that snaps from torso to head in less than a single frame, repeatedly, produces a movement signature no human reproduces. Humanization is what turns that signature into a normal-looking aim trace. The math is well-studied: Singular Value Decomposition applied to mouse movement data shows scripted aim concentrating about 98% of its energy in a single mode, while a trained human player sits around 74%. The threshold used in research environments lands near 99%. A raw aimbot crosses it. A humanized one does not.
The architecture determines the first two layers. Humanization determines the third. A DMA cheat with a poor aim curve loses to behavioral telemetry the same way a usermode external does. A private internal with proper humanization beats all three layers, on a game where the signature surface was the original problem.
This is the part the architectural marketing pitches skip. The "completely invisible to anti-cheat" framing covers exactly one layer. ACE has three.
Private Builds vs Public Binaries on ABI
Public cheats, regardless of architecture, have one structural disadvantage they cannot engineer around. They distribute the same binary to thousands of users. Once any one of those binaries reaches a vendor analyst, a forum scraper, or a customer who got curious and uploaded the executable somewhere, the signature is in the database. Every other user of that build is now running a flagged binary.
Private builds invert the math. A per-subscriber compilation produces a binary nobody else has. There is no crowd-sourced signature dataset because there is no crowd sharing the same file. ACE can scan the loaded module for a hundred sessions in a row and find a match against nothing.
Those numbers are directional, not audited. They come from cross-referencing public ban-wave threads on ABI cheat forums with vendor uptime claims over a rolling window. The exact percentages move week to week. The ordering does not.
The reason matters more than the number. A private build is not safer because it is technically more advanced. It is safer because the entire signature layer of ACE has nothing to compare it against. Strip the signature layer out of the equation and ACE is left with memory integrity and behavior, both of which a well-built internal handles cleanly.
If you want the longer breakdown of how private compilation removes the shared-signature attack surface across kernel anti-cheats more broadly, the external cheats explained guide covers the same mechanism from the other architectural side.
What to Run on Arena Breakout in 2026
The architecture choice on ABI does not look like it does on other extraction shooters. BattlEye games favor DMA at the top, kernel-external in the middle, internal at the bottom. ACE flattens that gradient. Every architecture is exposed to the same behavioral layer, the kernel-external lane has narrowed under driver-blocklist enforcement, and DMA is no longer immune to consequence even if its read path is.
The lane that benefits most from ACE's specific design is the one most players assume is the riskiest. A private internal build, compiled per subscriber, with proper humanization on the aim layer, leaves nothing for the first two ACE layers to catch and gives the third layer the same human-shaped data a clean account would produce. That is the actual safe lane on this game in 2026.
The ZhexCheats Arena Breakout: Infinite module ships as a private internal build for exactly the reasons above. Per-subscriber compilation, manual mapping, hook chains placed off the standard API surface, and a humanization profile calibrated against ACE's behavioral thresholds. The shorter version: it is the architecture ACE is least equipped to catch, sold the way that architecture has to be sold to keep the signature layer empty.
Architecture matters. On ABI, it matters more than it does on almost any other game on the market right now.
// More articles
Arena BreakoutsArena Breakout Mobile vs Infinite: Why the Cheats Do Not Cross Over
One name, two games, two completely separate cheat industries. What works on mobile dies on PC the moment it touches Ring 0.
May 28, 2026Nathan ReedRead article
Arena Breakouts30 Days Inside ABI's Anti-Cheat: What Actually Gets You Flagged
Arena Breakout runs ACE and BattlEye at the same time. I spent 30 days testing both layers and tracked exactly what flagged, what didn't, and when the ban landed.
May 22, 2026Nathan ReedRead article