09-21-2004, 10:39
doug
Protectors add a protective layer that executes before the real application.
But when the application gets control, the CPU registers need to be the same as if the OS had invoked it directly!

The general layout is:
<save all registers>
execute protection code
<restore all registers>
go to application

Usually, this is implemented as:
pushad
<protection code>
popad
<go to application>

The basic idea is that if you set the breakpoint on ESP (and you can't bpm esp at any time), it will break at the "restore all registers" stage (when they are popped back from the stack), which is normally very close to the point where the protection goes to the Original Entry Point (OEP).

This assumes that once the registers are saved on the stack they aren't used until the time when they are popped back. It's fairly easy for a protection to fool this method or to generate so many hits that it becomes useless.
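As an added illustration (not part of doug's post): a toy Python model of the pushad/popad stub and the "bpm esp" watchpoint, showing the single hit at popad for a well-behaved stub and the extra hits when the protection re-reads its saved registers mid-way. All class, function and stub names are constructed for this example.

```python
# Constructed toy model of the ESP trick (not real x86 emulation): a PUSHAD/POPAD
# stub plus one memory watchpoint ('bpm esp') on the top saved dword.
PUSHAD_ORDER = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # x86 PUSHAD order

class ToyCpu:
    def __init__(self):
        self.regs = {r: 0x10 * i for i, r in enumerate(PUSHAD_ORDER) if r != "esp"}
        self.esp = 0x1000                               # downward-growing stack
        self.mem, self.watch, self.hits = {}, None, []  # memory, watched address, hit PCs

    def _touch(self, addr, pc):
        if addr == self.watch:                 # any access to the watched dword is a hit
            self.hits.append(pc)

    def pushad(self, pc):
        orig_esp = self.esp                    # PUSHAD stores the pre-push ESP value
        for r in PUSHAD_ORDER:
            self.esp -= 4
            self.mem[self.esp] = orig_esp if r == "esp" else self.regs[r]
            self._touch(self.esp, pc)

    def popad(self, pc):
        for r in reversed(PUSHAD_ORDER):
            self._touch(self.esp, pc)          # the read that trips the watchpoint
            val = self.mem[self.esp]
            self.esp += 4
            if r != "esp":                     # POPAD discards the saved ESP
                self.regs[r] = val

def run(program):
    """Run a stub (list of instruction tuples); report hits, OEP index and register state."""
    cpu, oep = ToyCpu(), None
    before = dict(cpu.regs)
    for pc, ins in enumerate(program):
        if ins[0] == "pushad":
            cpu.pushad(pc)
            cpu.watch = cpu.esp                # analyst sets 'bpm esp' right after the save
        elif ins[0] == "popad":
            cpu.popad(pc)
        elif ins[0] == "mov":                  # protection code clobbers a register
            cpu.regs[ins[1]] = ins[2]
        elif ins[0] == "read":                 # protection code reads [esp + offset]
            cpu._touch(cpu.esp + ins[1], pc)
        elif ins[0] == "jmp_oep":
            oep = pc
            break
    return {"hits": cpu.hits, "oep": oep, "regs_restored": cpu.regs == before}

# Well-behaved stub (single hit at popad) and a stub that re-reads its saved registers (extra hits).
CLEAN_STUB = [("pushad",), ("mov", "eax", 0xDEAD), ("mov", "ecx", 0), ("popad",), ("jmp_oep",)]
NOISY_STUB = [("pushad",), ("read", 0), ("mov", "ebx", 7), ("read", 0), ("popad",), ("jmp_oep",)]
```

For CLEAN_STUB the only hit is the popad at index 3, one instruction before the jump to the OEP at index 4; NOISY_STUB produces hits at 1 and 3 before the real popad at 4, which is the "so many hits" failure mode the post describes.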