fix(DenuvoAuth): always scan the main executable, not just modules ≥80MB

[xingcheng1423-cmyk]

Fixes the detection miss described in #120 (and the root cause of the 8850000A symptom in #117).

Problem

ProtectionScan::EnumerateModules applies kMinPackedModuleBytes (80 MB) to every module, including the main game executable. Denuvo packs the .exe itself, so a title whose main executable is smaller than 80 MB is skipped before any PE scan, denuvo stays false, and the whole authorization path never engages.

Concrete case — Sniper Elite 4 (appid 312660), SniperElite4_DX11.exe = 70.97 MB:

DenuvoAuth: module skipped below packed size floor path=...\SniperElite4_DX11.exe size=74420224 (70.97 MB) min=83886080 (80.00 MB)
DenuvoAuth: pid=... enumerated 0 candidate module(s)
DenuvoAuth: pid=... no Denuvo match scanned=0

Change

Exempt the main executable from the size floor; keep the floor for DLLs (the original optimization to skip small runtime DLLs is preserved). One line + comment, in EnumerateModules:

if (!executable && module.size < kMinPackedModuleBytes) {

After this change the executable is scanned (verified via trace logs: enumerated 1 candidate module(s) → the .exe is now a candidate).

Notes / scope

• This only fixes the size-floor miss. As detailed in Denuvo auth fails on titles missed by ProtectionScan (e.g. Sniper Elite 4 / appid 312660) — root cause + fix #120, this particular build also slips both signature heuristics (the OEP section resolves to .edata and the legacy .srdata section has no literal DENUVO string) — those are separate and left out of this PR.
• No behavior change for titles already detected, and DLL scanning is unchanged.

Happy to adjust the comment/threshold wording if you'd prefer a different style.

[xingcheng1423-cmyk]

Pushed a 2nd commit: a fallback in EnsureScanned — if ScanProtection misses but an EncryptedAppTicket was injected for the app (setETicket, which per the README is only used for Denuvo titles), treat it as Denuvo so the auth path still engages. Full rationale + caveats in #120.

Scope notes:

• It's a fallback after signature detection fails — no behavior change for already-detected titles or for apps with no injected eticket.
• The auth-window change discussed in Denuvo auth fails on titles missed by ProtectionScan (e.g. Sniper Elite 4 / appid 312660) — root cause + fix #120 (the 2-handshake / single-pipe window) is not included here — separate design question. Our end-to-end SE4 test did use a widened window, so detection alone may not be sufficient for every title until that's looked at.
• Glad to split into two PRs, or drop the 2nd commit, if you prefer the minimal size-floor fix only.