ok, well it appears that I did miss something fairly obvious...
this string (which is being passed from another system as a session id) was not URL encoded BEFORE being
delivered to my site. So param is decoding it properly and returning what is essentially junk. So if I
passed them anywhere else, the session id is mucked up.
so the calling system needs to URL encode this first, so it looks like:
sid=%2532%252D%259F%25A5%2554%2512%2523%25AF%25CE%25C7%25D6%25D0%2591%
+25AB
which then (properly) produces from the same program above:
sid is: %32%2D%9F%A5%54%12%23%AF%CE%C7%D6%D0%91%AB