Loop codes

Decryption (or encryption) can often be spotted by looking for code that runs in a loop and rewrites memory one byte at a time, as in this example:

  mov ecx, 0x10           ; loop counter: 0x10 bytes to process
  mov esi, 0x00402000     ; ESI -> encrypted data (source and destination)
loc_00401000:
  mov al, [esi]           ; read one byte from the source
  sub al, 0x20            ; the algorithm: subtract the key 0x20
  mov [esi], al           ; write the modified byte back in place
  inc esi                 ; advance to the next byte
  dec ecx                 ; one fewer byte remaining
  jnz loc_00401000        ; repeat until ECX reaches zero

The loop is controlled by a conditional jump (jnz) on the counter in ECX. To qualify as decryption or encryption code, the loop should have a source and a destination. Here the source starts at address 0x00402000 and the destination is the same address, so the data is decrypted in place. Each byte is changed by an algorithm; in this case a simple subtraction of 0x20 from the byte being read, so 0x20 is the encryption/decryption key (the matching encryption step would add 0x20 to each byte). Because AL is an 8-bit register, the subtraction wraps modulo 256. The loop exits only after 0x10 bytes have been modified.

The algorithm can vary: plain arithmetic (add, sub), bitwise operations (xor, rol, ror, not), or a mix of both, with or without a key. As long as source data is read, transformed and written to a destination inside a loop, the code is a strong candidate for a cryptographic (or at least an encoding) routine. Checksum and decompression loops share the same shape, so confirm the guess by following what happens to the transformed bytes afterward, for example whether they are used as strings, parsed as a file, or executed as code.
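
As an added example (not code from the book), the same loop rewritten in Python so that bytes dumped from a binary can be decoded offline. The function and constant names (decrypt_loop, bytewise_loop, PLAINTEXT, CIPHERTEXT, and so on) and the 16-byte sample are constructed for this illustration; only the loop count 0x10 and the key 0x20 come from the listing above. The second half generalizes to the other per-byte operations the text mentions (add, xor, rotate) and to loops whose source and destination differ.

```python
"""Python re-implementation of the decryption loop shown above.

Constructed example (not from the book): the x86 loop reads 0x10 bytes at
0x00402000, subtracts the key 0x20 from each byte and writes it back in place.
Here ESI becomes an offset into a bytearray so the same algorithm can be run
on bytes dumped from a binary.
"""

LOOP_COUNT = 0x10   # initial ECX: number of bytes the loop modifies
KEY = 0x20          # immediate operand of "sub al, 0x20"

# Constructed sample: 16 bytes of plaintext and their encrypted form
# (each byte + 0x20 modulo 256, the inverse of the loop's subtraction).
PLAINTEXT = b"Loop decrypt OK!"
CIPHERTEXT = bytes.fromhex("6c8f8f904084858392999094406f6b41")


def decrypt_loop(buf, key=KEY, count=LOOP_COUNT, start=0):
    """Faithful mirror of the x86 loop; returns a new bytes object."""
    if count <= 0:
        raise ValueError("ECX must start above zero or DEC/JNZ never exits")
    out = bytearray(buf)
    esi = start                   # mov esi, 0x00402000 (an offset here)
    ecx = count                   # mov ecx, 0x10
    while True:                   # loc_00401000:
        al = out[esi]             #   mov al, [esi]
        al = (al - key) & 0xFF    #   sub al, 0x20  (AL is 8 bits: wrap modulo 256)
        out[esi] = al             #   mov [esi], al
        esi += 1                  #   inc esi
        ecx -= 1                  #   dec ecx
        if ecx == 0:              #   jnz loc_00401000
            break
    return bytes(out)


# The text notes that the algorithm varies; these are the per-byte operations
# most often seen in such loops, with their inverses. rol/ror are 8-bit rotates.
OPS = {
    "sub": lambda b, k: (b - k) & 0xFF,
    "add": lambda b, k: (b + k) & 0xFF,
    "xor": lambda b, k: b ^ (k & 0xFF),
    "rol": lambda b, k: ((b << (k % 8)) | (b >> (8 - k % 8))) & 0xFF,
    "ror": lambda b, k: ((b >> (k % 8)) | (b << (8 - k % 8))) & 0xFF,
}
INVERSE = {"sub": "add", "add": "sub", "xor": "xor", "rol": "ror", "ror": "rol"}


def bytewise_loop(buf, op, key, count=LOOP_COUNT, src=0, dst=None):
    """General form of the loop: read from src, transform, write to dst.

    dst defaults to src, the in-place case from the text. A different dst
    models loops with separate source and destination buffers (assumed not
    to overlap, as a forward-copying x86 loop would also require).
    """
    if op not in OPS:
        raise ValueError(f"unknown operation {op!r}")
    if dst is None:
        dst = src
    out = bytearray(buf)
    f = OPS[op]
    for i in range(count):
        out[dst + i] = f(out[src + i], key)
    return bytes(out)


def encrypt_loop(buf, key=KEY, count=LOOP_COUNT, start=0):
    """Inverse of decrypt_loop: the step that produced the encrypted bytes."""
    return bytewise_loop(buf, INVERSE["sub"], key, count, start)


def roundtrip(buf, op, key, count=LOOP_COUNT):
    """Encrypt with op, decrypt with its inverse; True if the data survives."""
    enc = bytewise_loop(buf, op, key, count)
    return bytewise_loop(enc, INVERSE[op], key, count) == bytes(buf)


if __name__ == "__main__":
    print(decrypt_loop(CIPHERTEXT))                    # b'Loop decrypt OK!'
    print(encrypt_loop(PLAINTEXT).hex())               # 6c8f8f904084858392999094406f6b41
    print(decrypt_loop(bytes([0x10]) * 16)[:2].hex())  # f0f0: 0x10 - 0x20 wraps to 0xF0
```

When reimplementing a loop like this from a disassembly, keep the 8-bit mask on every arithmetic step; dropping it is the most common reason a Python decoder disagrees with what the binary produces.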
